A supply chain attack targeting Linux users through the download manager site freedownloadmanager.org has been ongoing for at least three years [6], according to Kaspersky, a Russian cybersecurity firm [5].

Description

The attack involves the use of a malicious installer for the Free Download Manager software [7], which is downloaded from the official website [3] [7]. Once a system is infected [3] [7] [9], the attackers aim to steal sensitive information such as system details [7], browsing history [1] [6] [7] [8], passwords [1] [2] [5] [6] [7] [8], and cryptocurrency wallet files [2] [6] [7]. Victims of this campaign have been identified in various countries [7], including Brazil [4] [7], China [7], Saudi Arabia [7], and Russia [5] [7].

The attack involves redirecting users to a malicious domain called deb.fdmpkg.org [1], where a booby-trapped Debian package is served [4]. This package contains a post-install script that drops two ELF files [4], including a backdoor that establishes a reverse shell to a command-and-control server [4]. The compromised software thus embeds a script in users’ systems [2], creating an unauthorized backdoor through which the attackers gain remote access and collect sensitive information such as passwords, browser histories [2], and credentials for cloud services [1], as well as system data. Some users are even redirected to known compromised domains instead of the malicious site [2].
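The mechanism described above, a package whose maintainer script drops and persists a binary at install time, is something a defender can check for before installing a .deb. The following inspector is an added example written for this page, not code from Kaspersky or from the Free Download Manager project. It parses the .deb container (an ar archive), pulls the maintainer scripts out of control.tar.*, and flags hallmarks of the described behaviour: references to the fdmpkg.org domain, cron manipulation, writing into /tmp or /var/tmp, decoding of embedded base64 blobs, and downloads with curl or wget. The pattern names are my own, and the two fixture packages are constructed in-memory so the script runs offline; the "trojaned" postinst only mimics the behaviour the write-up describes and is not the real script.

```python
import io
import re
import sys
import tarfile

# Maintainer scripts that dpkg runs as root during install/removal.
MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")

# Hallmarks of the behaviour described in the write-up; the names are my own.
SUSPICIOUS_PATTERNS = {
    "fdmpkg_domain": re.compile(r"fdmpkg\.org"),
    "cron_persistence": re.compile(r"\bcrontab\b|/etc/cron\.|/var/spool/cron"),
    "writes_tmp_binary": re.compile(r">\s*(/var)?/tmp/"),
    "embedded_blob": re.compile(r"base64\s+(-d|--decode)\b"),
    "fetches_remote": re.compile(r"\b(curl|wget)\b"),
}


def parse_ar(blob):
    """Parse a .deb (an ar archive) into {member_name: bytes}."""
    if not blob.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    members, pos = {}, 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar member header")
        name = hdr[0:16].decode("ascii").rstrip(" ").rstrip("/")
        size = int(hdr[48:58].decode("ascii").strip())
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)  # member data is padded to an even length
    return members


def extract_maintainer_scripts(control_tar):
    """Return {script_name: text} for the maintainer scripts inside control.tar.*."""
    scripts = {}
    with tarfile.open(fileobj=io.BytesIO(control_tar), mode="r:*") as tar:
        for m in tar.getmembers():
            base = m.name.split("/")[-1]
            if m.isfile() and base in MAINTAINER_SCRIPTS:
                scripts[base] = tar.extractfile(m).read().decode("utf-8", "replace")
    return scripts


def inspect_deb(blob):
    """Map each maintainer script in the package to the hallmarks it contains."""
    members = parse_ar(blob)
    control = next((n for n in members if n.startswith("control.tar")), None)
    if control is None:
        raise ValueError("no control.tar member; not a valid .deb")
    return {
        name: [k for k, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text)]
        for name, text in extract_maintainer_scripts(members[control]).items()
    }


# --- constructed fixtures so the example runs offline ---------------------

def _build_control_tar(scripts):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in scripts.items():
            data = text.encode()
            info = tarfile.TarInfo(name="./" + name)
            info.size, info.mode = len(data), 0o755
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _build_deb(postinst):
    """Assemble a minimal .deb (ar archive) with the given postinst script."""
    members = [(b"debian-binary", b"2.0\n"),
               (b"control.tar.gz", _build_control_tar({"postinst": postinst})),
               (b"data.tar.gz", _build_control_tar({}))]
    out = bytearray(b"!<arch>\n")
    for name, data in members:
        out += b"%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name, 0, 0, 0, b"100644", len(data))
        out += data + (b"\n" if len(data) % 2 else b"")
    return bytes(out)


BENIGN_POSTINST = "#!/bin/sh\nset -e\nupdate-desktop-database -q || true\n"
# Constructed fixture that only mimics the behaviour described in the write-up.
TROJANED_POSTINST = (
    "#!/bin/sh\nset -e\n"
    "base64 -d /usr/share/fdm/blob > /var/tmp/crond\n"
    "(crontab -l 2>/dev/null; echo '* * * * * /var/tmp/crond') | crontab -\n"
)
BENIGN_DEB = _build_deb(BENIGN_POSTINST)
TROJANED_DEB = _build_deb(TROJANED_POSTINST)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else TROJANED_DEB
    for script, hits in inspect_deb(blob).items():
        print(f"{script}: {', '.join(hits) or 'nothing flagged'}")
```

Run it as `python inspect_deb.py some-package.deb` to triage a downloaded package before `dpkg -i`; with no argument it inspects the constructed trojaned fixture. The hallmark list is deliberately coarse: a legitimate postinst may well touch cron or /tmp, so a hit is a prompt to read the script, not a verdict.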

The attack utilizes a backdoor known as crond [6], which creates a new cron job on the system [8]. The stolen information is then uploaded to the attacker’s server [6] [9]. Kaspersky discovered the attack as part of a larger supply chain operation. The means of compromise remain unclear, as the software vendor has not responded to reports [8] and attempts to communicate with the website’s administrators have been unsuccessful [2].

The campaign remained active until the redirection stopped, and the download was promoted on various social media platforms. The attack went undetected for years [8], even though old YouTube videos show download links redirecting users to the malicious URL [8]. The rarity of malware on Linux and the campaign’s limited spread contributed to the difficulty of detecting ongoing cyberattacks on Linux machines.

It is recommended to equip Linux machines with reliable security solutions [6]. Users who installed the Linux version of Free Download Manager between 2020 and 2022 should check for the presence of the malicious version [8]. The malware’s origin can be traced back to a version called Bew [2], which was first identified in 2014 [2]. The campaign ended in 2022 for unknown reasons [4], highlighting the difficulty of detecting ongoing cyberattacks on Linux machines and emphasizing the importance of reliable security solutions for Linux systems [4].
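For users who want to act on the recommendation above and check a machine that installed the Linux version between 2020 and 2022, the following triage script is an added example written for this page, not a tool from Kaspersky or from the project. It looks for the two indicators the write-up actually names: the deb.fdmpkg.org domain in apt sources or /etc/hosts, and cron entries that execute a binary named crond from somewhere other than the system cron daemon, or anything under /tmp or /var/tmp. The temp-directory location is my assumption, not stated on the page, and the sample files and crontab are constructed so the checks can be exercised offline.

```python
import re
import subprocess
import sys
from pathlib import Path

# Where an added package source or a hostname override would normally be recorded.
FILES_TO_CHECK = ["/etc/apt/sources.list", "/etc/hosts"]
DIRS_TO_CHECK = ["/etc/apt/sources.list.d", "/etc/cron.d"]
FDM_DOMAIN = re.compile(r"fdmpkg\.org", re.IGNORECASE)
# Assumption: the dropped backdoor lives under a temp directory; the name crond is from the write-up.
TMP_PATH = re.compile(r"^(/var)?/tmp/")
SYSTEM_CRON_DAEMONS = {"/usr/sbin/cron", "/usr/sbin/crond"}


def find_domain_references(files):
    """files: {path: text}. Return the paths that mention the malicious domain."""
    return sorted(p for p, text in files.items() if FDM_DOMAIN.search(text))


def find_suspicious_cron_lines(crontab_text, system_crontab=False):
    """Return cron lines that run a binary named crond (outside the system daemon
    paths) or anything from /tmp or /var/tmp. system_crontab=True handles
    /etc/crontab and /etc/cron.d files, which carry an extra user field."""
    flagged = []
    for line in crontab_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#") or "=" in s.split()[0]:
            continue  # blank line, comment, or VAR=value assignment
        fields = s.split()
        skip = 1 if s.startswith("@") else 5  # @reboot-style vs five time fields
        if system_crontab:
            skip += 1
        for tok in fields[skip:]:
            named_crond = tok.split("/")[-1] == "crond" and tok not in SYSTEM_CRON_DAEMONS
            if TMP_PATH.match(tok) or named_crond:
                flagged.append(line)
                break
    return flagged


def read_host_files():
    """Collect the real files from this host (only used when run directly)."""
    paths = [Path(p) for p in FILES_TO_CHECK]
    for d in DIRS_TO_CHECK:
        paths += [p for p in Path(d).glob("*") if p.is_file()]
    files = {}
    for p in paths:
        try:
            files[str(p)] = p.read_text(errors="replace")
        except OSError:
            pass
    return files


# Constructed samples, not taken from a real host.
SAMPLE_FILES = {
    "/etc/apt/sources.list": "deb http://deb.debian.org/debian bookworm main\n",
    "/etc/apt/sources.list.d/fdm.list": "deb https://deb.fdmpkg.org/ stable main\n",
    "/etc/hosts": "127.0.0.1 localhost\n",
}
SAMPLE_USER_CRONTAB = (
    "# m h dom mon dow command\n"
    'MAILTO=""\n'
    "0 3 * * * /usr/bin/apt-get clean\n"
    "*/5 * * * * /var/tmp/crond\n"
    "@reboot /home/user/.local/bin/sync-notes\n"
)

if __name__ == "__main__":
    if "--host" in sys.argv:
        files = read_host_files()
        cron = subprocess.run(["crontab", "-l"], capture_output=True, text=True).stdout
        sys_cron = Path("/etc/crontab").read_text(errors="replace") if Path("/etc/crontab").exists() else ""
    else:
        files, cron, sys_cron = SAMPLE_FILES, SAMPLE_USER_CRONTAB, ""
    print("domain references:", find_domain_references(files) or "none")
    print("user cron lines:", find_suspicious_cron_lines(cron) or "none")
    print("system cron lines:", find_suspicious_cron_lines(sys_cron, system_crontab=True) or "none")
```

Running `python fdm_check.py --host` inspects the current machine; without the flag it runs against the constructed samples. A hit on the domain is a strong signal, since nothing legitimate should point at it; a hit on the cron rules is only a lead, because some software does schedule jobs from unusual paths.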

Conclusion

This supply chain attack targeting Linux users through freedownloadmanager.org has had significant impacts, with sensitive information being stolen from victims in various countries. The attack highlights the need for reliable security solutions on Linux machines and the importance of staying vigilant against ongoing cyberattacks. The campaign’s end in 2022 raises questions about the reasons behind it and underscores the ongoing challenges in detecting and mitigating cyber threats on Linux systems.

References

[1] https://www.threatshub.org/blog/password-stealing-linux-malware-served-for-3-years-and-no-one-noticed/
[2] https://www.fortypoundhead.com/showcontent.asp?artid=51106
[3] https://securitymea.com/2023/09/13/kaspersky-reveals-three-year-long-suspected-supply-chain-attack-targeting-linux/
[4] https://patabook.com/technology/2023/09/14/free-download-manager-site-compromised-to-distribute-linux-malware-to-users-for-3-years/
[5] https://secoperations.wordpress.com/2023/09/15/free-download-manager-site-compromised-to-distribute-linux-malware-to-users-for-3-years/
[6] https://thehackernews.com/2023/09/free-download-manager-site-compromised.html
[7] https://www.bizbahrain.com/kaspersky-reveals-three-year-long-suspected-supply-chain-attack-targeting-linux/
[8] https://www.redpacketsecurity.com/free-download-manager-site-redirected-linux-users-to-malware-for-years/
[9] https://vulners.com/thn/THN:93E45B93C0B9DCDFD166CBA3D46782AD