Developers of Intezer Just Found Out a Backdoor in Linux “Evil Gnome” That Could be Used for Espionage

A Gnome extension on Linux is carrying malware in disguise. The find was made by researchers at Intezer, who have linked the malicious code to spyware created by the Russian group known as Gamaredon. Most of the modules used by the EvilGnome code are tied to Windows utilities, such as the use of SFX archives, a task scheduler and data trackers. Since the code appears to target desktops, the spread of the attack has not been wide, because Linux is not widely used on PCs. The Intezer researchers have stated that the spyware is an entirely new form of code that has never been seen before.

Evil Gnome Linux Malware

The attack group is not one to rear its head frequently. Reports of their existence date back to 2013. Most of the available information about them was released by the LookingGlass team, who published a full report on their espionage activities. Much of that intelligence was gathered while Operation Armageddon was targeting Ukrainian public offices. At the time, their actions were blamed on Russia's Federal Security Service. It seems that this recent exposure of their malicious code was the product of a blunder on their part: the sample that was found had been uploaded to VirusTotal by mistake.

A Blunder that Led to a Big Find

With upload-related metadata still present in the code, the failure to strip this information was enough to reveal the malicious code for what it was. The unfinished implant includes a keylogger, comments, and symbols that could very well be some form of encryption. The state of the code may indicate that the malware was still in development. The EvilGnome backdoor enables attackers to take screenshots of their victims' screens, manage data, record audio, and download payloads. It seems the delivery method was going to be the oldest trick in the book: a spear-phishing email sent through a Russian hosting provider.

Among the slew of data found, the report revealed that the hosting provider used as a proxy for attacks with EvilGnome has been active for quite a few years. The Linux version of the malware is delivered as a self-extracting archive containing a shell script, created with makeself. The generated files carry a .run suffix so they can launch on their own. The malware is installed under ~/.cache/gnome-software/gnome-shell-extensions/. The attackers gain access by using crontab to run gnome-shell.ext.sh repeatedly, numerous tries per minute, until access is obtained. When launched, the new agent spawns a new process that reads the rtp.dat configuration file and loads it into the device's memory.
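As an added defender-side check (not Intezer's tooling or code from the article), the following Python script looks for the persistence artefacts the paragraph names: the install directory, the launcher script scheduled in crontab, and the rtp.dat configuration file. The directory and file names are taken from the report above; the sample crontab content is constructed.

```python
"""Host check for the EvilGnome persistence artefacts named above.
Added example, not Intezer's tooling. The install directory, launcher
name and rtp.dat config come from the report; everything else is assumed."""
import re
from pathlib import Path
from typing import Dict, List, Union

INSTALL_DIR = Path("~/.cache/gnome-software/gnome-shell-extensions").expanduser()
CONFIG_FILE = "rtp.dat"
# The launcher name is rendered with a dot or a hyphen in different write-ups,
# so the pattern tolerates either separator.
LAUNCHER_RE = re.compile(r"gnome-shell[.-]ext\.sh")

# Constructed sample of a user crontab with an every-minute launcher entry.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/backup.sh
* * * * * $HOME/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh
"""


def crontab_findings(crontab_text: str) -> List[str]:
    """Return non-comment crontab lines that invoke the launcher script."""
    hits = []
    for line in crontab_text.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        if LAUNCHER_RE.search(entry):
            hits.append(entry)
    return hits


def filesystem_findings(install_dir: Union[str, Path] = INSTALL_DIR) -> List[str]:
    """Return paths in the reported install directory that match the artefacts."""
    install_dir = Path(install_dir)
    if not install_dir.is_dir():
        return []
    found = []
    for path in install_dir.iterdir():
        if path.name == CONFIG_FILE or LAUNCHER_RE.fullmatch(path.name):
            found.append(str(path))
    return sorted(found)


def run_check(crontab_text: str, install_dir: Union[str, Path] = INSTALL_DIR) -> Dict[str, List[str]]:
    """Combine both checks; any non-empty list warrants a closer look at the host."""
    return {"crontab": crontab_findings(crontab_text),
            "files": filesystem_findings(install_dir)}


if __name__ == "__main__":
    # On a real host, feed the output of `crontab -l` instead of the sample.
    print(run_check(SAMPLE_CRONTAB))
```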

Closing Thoughts

The discovery of EvilGnome has been a great find, even if accidental on the part of the team at Intezer. It had the potential to do a lot of damage, and while its reach would not have been far, given the low share of Linux users on the desktop, it could have been damaging if the software had suddenly gained traction among those users.