An anonymous reader quotes a report from Ars Technica: A download site surreptitiously served Linux users malware that stole passwords and other sensitive information for more than three years until it finally went quiet, researchers said on Tuesday. The site, freedownloadmanager[.]org, offered a benign version of a Linux offering known as the Free Download Manager. Starting in 2020, the same domain at times redirected users to the domain deb.fdmpkg[.]org, which served a malicious version of the app. The version available on the malicious domain contained a script that downloaded two executable files to the /var/tmp/crond and /var/tmp/bs file paths. The script then used the cron job scheduler to cause the file at /var/tmp/crond to launch every 10 minutes. With that, devices that had installed the booby-trapped version of Free Download Manager were permanently backdoored.
After accessing an IP address for the malicious domain, the backdoor launched a reverse shell that allowed the attackers to remotely control the infected device. Researchers from Kaspersky, the security firm that discovered the malware, then ran the backdoor on a lab device to observe how it behaved. "This stealer collects data such as system information, browsing history, saved passwords, cryptocurrency wallet files, as well as credentials for cloud services (AWS, Google Cloud, Oracle Cloud Infrastructure, Azure)," the researchers wrote in a report on Tuesday. "After collecting information from the infected machine, the stealer downloads an uploader binary from the C2 server, saving it to /var/tmp/atd. It then uses this binary to upload stealer execution results to the attackers' infrastructure."
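An added detection example for the persistence mechanism described above (this is not code from the report or from Kaspersky): it parses user-crontab lines and flags any job that launches a program from /var/tmp, including the /var/tmp/crond, /var/tmp/bs and /var/tmp/atd paths the report names. The sample crontab is constructed, and the user-crontab layout (five schedule fields, then the command) is assumed.

```python
"""Flag cron jobs that run binaries out of /var/tmp, the persistence
pattern used by the backdoored Free Download Manager package."""
import re
import shlex
from typing import List, Optional

# Artifact paths named in the report; any other /var/tmp program is flagged too.
KNOWN_ARTIFACTS = {"/var/tmp/crond", "/var/tmp/bs", "/var/tmp/atd"}
CRON_FIELDS = 5  # user-crontab layout assumed: m h dom mon dow command

# Constructed sample crontab (not captured from a real infection).
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update
*/10 * * * * /var/tmp/crond
@reboot /var/tmp/bs >/dev/null 2>&1
"""


def command_of(line: str) -> Optional[str]:
    """Return the command part of a crontab line; None for blank lines,
    comments and VAR=value environment assignments."""
    line = line.strip()
    if not line or line.startswith("#") or re.match(r"^\w+=", line):
        return None
    if line.startswith("@"):  # @reboot, @hourly, ... : one schedule token
        parts = line.split(None, 1)
        return parts[1] if len(parts) == 2 else None
    parts = line.split(None, CRON_FIELDS)
    return parts[CRON_FIELDS] if len(parts) > CRON_FIELDS else None


def is_suspicious(command: str) -> bool:
    """True if the job references a known artifact or any /var/tmp path."""
    if any(path in command for path in KNOWN_ARTIFACTS):
        return True
    try:
        tokens = shlex.split(command)
    except ValueError:
        return True  # unparsable command line: worth a manual look
    return any(tok.startswith("/var/tmp") for tok in tokens)


def find_suspicious_jobs(crontab_text: str) -> List[str]:
    """Return the crontab lines whose command looks like /var/tmp persistence."""
    hits = []
    for line in crontab_text.splitlines():
        cmd = command_of(line)
        if cmd and is_suspicious(cmd):
            hits.append(line.strip())
    return hits


if __name__ == "__main__":
    for job in find_suspicious_jobs(SAMPLE_CRONTAB):
        print("suspicious cron job:", job)
```

On a live host, feed it the output of `crontab -l` for each user; /etc/crontab and /etc/cron.d files carry an extra user field and need CRON_FIELDS set to 6.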