Kaspersky recently exposed a concerning cyber campaign involving the distribution of a Linux backdoor over a span of three years, using a compromised installer for the popular Free Download Manager software. This revelation strongly suggests a supply chain attack, where unsuspecting victims inadvertently downloaded the infected software from the official website. The malware variants utilized in this campaign were initially detected back in 2013. The victims hail from various countries, including Brazil, China, Saudi Arabia, and Russia.
In this new malicious campaign identified by Kaspersky experts, threat actors have targeted Linux systems. They deployed a backdoor, essentially a type of Trojan, onto victims’ devices by distributing compromised versions of a widely used free program, Free Download Manager. Once a device is infected, the attackers’ primary objective is to pilfer sensitive information, ranging from system details, browsing history, saved passwords and cryptocurrency wallet files to credentials for cloud services such as Amazon Web Services or Google Cloud. Kaspersky’s telemetry reveals a global reach of this campaign, with victims scattered across countries such as Brazil, China, Saudi Arabia, and Russia.
Kaspersky experts strongly suspect a supply chain attack based on their investigations. They delved into Free Download Manager installation guides on YouTube for Linux computers and found instances where video creators inadvertently demonstrated the initial infection process. Clicking the download button on the official website led to the download of a malicious version of Free Download Manager. Conversely, in another video, a legitimate version of the software was obtained. It is plausible that the malware developers scripted the malicious redirection to occur with a certain probability or based on the digital fingerprint of the potential victim. Consequently, some users encountered a tainted package while others acquired an untainted one.
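The selective redirection described above leaves a testable trace: the same download link, fetched from several client profiles, should always resolve to the vendor host and the same checksum. The following added example (not Kaspersky's or Free Download Manager's code) audits a set of such fetches and groups divergent results by client fingerprint; all hosts, user agents and digests in it are constructed placeholders.

```python
"""Audit repeated downloads of one link for selective tampering.

Added example, not Kaspersky's or Free Download Manager's code. It models the
page's observation that the official download button sometimes returned a
tainted package and sometimes a clean one, plausibly by chance or by client
fingerprint. All hosts, user agents and digests are constructed placeholders.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Fetch:
    user_agent: str  # client fingerprint varied between runs
    final_host: str  # host the download link ultimately redirected to
    sha256: str      # digest of the package actually served

def audit_fetches(fetches, expected_host, published_sha256=None):
    """Flag fetches whose host or digest disagrees with the baseline.

    Baseline is the vendor's published checksum when known, else the most
    frequent digest (a low-probability redirect will not dominate it).
    """
    digests = Counter(f.sha256 for f in fetches)
    baseline = published_sha256 or digests.most_common(1)[0][0]
    divergent = defaultdict(list)
    for f in fetches:
        if f.sha256 != baseline or f.final_host != expected_host:
            divergent[f.user_agent].append((f.final_host, f.sha256))
    return {
        "consistent": not divergent,
        "baseline": baseline,
        "divergent_by_fingerprint": dict(divergent),
    }

# Constructed sample: five runs of one link; one browser profile was twice
# redirected to another host and received a different file.
EXPECTED_HOST = "downloads.vendor.example"
CLEAN_SHA = "PLACEHOLDER_SHA256_CLEAN_PACKAGE"
OTHER_SHA = "PLACEHOLDER_SHA256_DIVERGENT_PACKAGE"
UA_FIREFOX = "Mozilla/5.0 (X11; Linux x86_64) Firefox/78.0"
SAMPLE_FETCHES = [
    Fetch("curl/7.68.0", EXPECTED_HOST, CLEAN_SHA),
    Fetch("curl/7.68.0", EXPECTED_HOST, CLEAN_SHA),
    Fetch(UA_FIREFOX, EXPECTED_HOST, CLEAN_SHA),  # same profile, clean this run
    Fetch(UA_FIREFOX, "mirror.redirect.example", OTHER_SHA),
    Fetch(UA_FIREFOX, "mirror.redirect.example", OTHER_SHA),
]
```

A report with a non-empty `divergent_by_fingerprint` is the signal to quarantine the package and compare against the vendor's published checksum rather than trusting the download site alone.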
Kaspersky’s research indicates that this campaign persisted for a minimum of three years, spanning from 2020 to 2022. The malicious package was disguised as the 2020 release of Free Download Manager. Furthermore, within this timeframe, discussions surfaced on platforms like StackOverflow and Reddit regarding issues stemming from the infected software distribution. However, users remained oblivious to the fact that these problems were triggered by malicious activities.
“Variants of the analyzed backdoor have been detectable by Kaspersky solutions for Linux since 2013. However, there is a widespread misconception that Linux is immune to malware, leaving many of these systems without adequate cybersecurity protection. This lack of protection makes these systems attractive targets for cybercriminals. Essentially, the Free Download Manager case highlights the challenge of spotting an ongoing cyberattack on a Linux system with the naked eye. Therefore, it’s essential for Linux-based computers, including both desktops and servers, to implement reliable and effective security measures”, says Georgy Kucherin, a security expert at GReAT, Kaspersky.
To avoid Linux-based and other types of threats, Kaspersky recommends the following security measures:
- Choose a proven endpoint security solution such as Kaspersky Endpoint Security for Business that is equipped with behavior-based detection and anomaly control capabilities for effective protection against known and unknown threats.
- Use Kaspersky Embedded Systems Security product. This adaptable, multi-layered solution provides optimized security for embedded Linux-based systems, devices and scenarios, in compliance with the rigorous regulatory standards so often applicable to these systems.
- Since the stolen credentials may be put up for sale on the dark web, use Kaspersky Digital Footprint Intelligence to monitor shadow resources and promptly identify related threats.