Security researchers have discovered a new Linux spyware that is not detected by any of the major antivirus products and that includes functionality rarely seen in Linux malware.
Compared with Windows malware, only a few strains of Linux malware exist in the wild, mainly because of the platform's architecture and low desktop market share, and most of them offer only a narrow range of functionality.
Most malware targeting the Linux ecosystem focuses on cryptocurrency mining for financial gain and on building DDoS botnets out of hijacked vulnerable servers.
Researchers at security firm Intezer Labs discovered a new Linux backdoor implant that appears to still be in its development and testing phase, but that already includes several malicious modules for spying on Linux desktop users.
The new Linux spyware, dubbed EvilGnome, is designed to take desktop screenshots, steal files, record audio from the user's microphone, and download and execute further second-stage malicious modules.
A sample of EvilGnome found on VirusTotal also contains unfinished keylogger functionality, which indicates that it was uploaded online accidentally by its developers.
EvilGnome masquerades as a legitimate GNOME extension, a type of program that lets Linux users extend the functionality of their desktops.
The researchers state that the implant is delivered as a self-extracting archive shell script created with 'makeself', a small shell script that generates a self-extractable compressed tar archive from a directory.
The implant also gains persistence on a targeted system using crontab (the Linux counterpart of the Windows Task Scheduler) and sends stolen user data to a remote attacker-controlled server.
EvilGnome’s Spyware Modules
EvilGnome's spy agent contains five malicious modules, called Shooters:
- ShooterSound: This module uses PulseAudio to capture audio from the user's microphone and uploads the data to the operator's command-and-control (C&C) server.
- ShooterImage: This module uses the Cairo open source library to capture screenshots and uploads them to the C&C server.
- ShooterFile: This module uses a filter list to scan the file system for newly created files and uploads them to the C&C server.
- ShooterPing: This module receives new commands from the C&C server, such as downloading and executing new files, setting new filters for file scanning, downloading and applying a new runtime configuration, exfiltrating stored output to the C&C server, and stopping any Shooter module from running.
- ShooterKey: This module is unimplemented and unused; it appears to be an unfinished keylogging module.
The researchers also found connections between EvilGnome and the Gamaredon Group, an alleged Russian threat group that has been active since at least 2013 and has targeted individuals working with the Ukrainian government.
To check a Linux system for EvilGnome, look for the "gnome-shell-ext" executable in the "~/.cache/gnome-software/gnome-shell-extensions" directory.
Since security and antivirus products cannot detect EvilGnome, the researchers recommend that Linux administrators block the command-and-control IP addresses listed in the IOC section of Intezer's blog post.
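As an added example that is not part of the original article or of Intezer's report, the following POSIX shell script performs that file check across local home directories and also inspects the current user's crontab for the same executable name, since the article reports that the implant persists through crontab. It assumes the relative path is exactly as quoted above; the function names are my own.

```shell
#!/bin/sh
# Added example, not Intezer's code: look for the EvilGnome indicator named in
# the article under each home directory, and for crontab entries that reference
# it. Assumption: the relative path is exactly as the article quotes it.

EVILGNOME_REL_PATH=".cache/gnome-software/gnome-shell-extensions/gnome-shell-ext"

# Return 0 (found) if the implant executable exists under the given home dir.
evilgnome_file_present() {
    target="$1/$EVILGNOME_REL_PATH"
    if [ -f "$target" ]; then
        printf 'FOUND: %s\n' "$target"
        return 0
    fi
    return 1
}

# Read crontab text on stdin; return 0 if any line references gnome-shell-ext
# (the article reports that the implant persists through crontab).
evilgnome_cron_present() {
    grep -q 'gnome-shell-ext'
}

# Scan every home directory given as an argument (e.g. /root /home/*).
# Return 0 if any indicator was found, 1 if all scanned directories are clean.
scan_homes() {
    found=1
    for h in "$@"; do
        [ -d "$h" ] || continue
        if evilgnome_file_present "$h"; then found=0; fi
    done
    return "$found"
}

# Stand-alone run: check local home directories and the current user's crontab.
if scan_homes /root /home/*; then
    echo "EvilGnome executable present on this host"
else
    echo "No EvilGnome executable found in the scanned home directories"
fi
if crontab -l 2>/dev/null | evilgnome_cron_present; then
    echo "Current user's crontab references gnome-shell-ext"
fi
```

Run it as root to cover every user's home directory; the crontab check only sees the invoking user's crontab, so repeat it per user (or read the files under /var/spool/cron) on a multi-user host.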