
EvilGnome 'Backdoor' Spyware Targets Linux Desktop Users

Giulio Saggin
Tuesday 28 November 2023

Linux systems are being targeted by a new backdoor spyware, dubbed EvilGnome because it disguises itself as a Gnome extension, reports security company Intezer.

Intezer believe "this is a test version that was uploaded to VirusTotal (which analyse suspicious files and URLs to detect types of malware), perhaps by mistake. The implant contains an unfinished keylogger functionality, comments, symbol names and compilation metadata which typically do not appear in production versions. EvilGnome’s functionalities include desktop screenshots, file stealing, allowing capturing audio recording from the user’s microphone and the ability to download and execute further modules."

An attack begins with spear-phishing emails. Once opened, "the setup script installs the agent to ~/.cache/gnome-software/gnome-shell-extensions/, in an attempt to masquerade itself as a Gnome shell extension. Gnome shell extensions allow tweaking the Gnome desktop and add functionalities ... Persistence is achieved by registering gnome-shell-ext.sh to run every minute in crontab. Finally, the script executes gnome-shell-ext.sh, which in turn launches the main executable gnome-shell-ext."

EvilGnome contains within it five malicious modules known as Shooters:

ShooterSound captures audio from the user microphone and uploads to C2

ShooterImage captures screenshots and uploads to C2

ShooterFile scans the file system for newly created files and uploads them to C2

ShooterPing receives new commands from C2

ShooterKey unimplemented and unused, most likely an unfinished keylogging module

Linux users can check for EvilGnome by looking for the "gnome-shell-ext" executable in the "~/.cache/gnome-software/gnome-shell-extensions" directory. The spyware is, so far, 'flying under the radar' of cyber security products, so refer to the IOC section of the Intezer report for the Command & Control IP addresses that should be blocked.
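The two host artifacts the article names (the dropped agent under ~/.cache/gnome-software/gnome-shell-extensions/ and the crontab entry that runs gnome-shell-ext.sh every minute) can be checked with a short read-only script. The following is an added example written for this page; it is not code from SecAlerts or from Intezer's report. The file names and directory are taken from the article; the function's two arguments (a home directory and the text of a crontab) are an assumption so that the same check can be run against a live user or against data copied off a suspect machine.

```shell
#!/bin/sh
# Added example (not from the article or the Intezer report): a read-only
# check for the EvilGnome host artifacts the article describes.
#   1. "gnome-shell-ext" (and its launcher "gnome-shell-ext.sh") under
#      ~/.cache/gnome-software/gnome-shell-extensions/
#   2. a crontab line that runs gnome-shell-ext.sh for persistence
# The arguments (home dir, crontab text) are an assumption of this example.

# check_evilgnome HOME_DIR CRONTAB_TEXT
# Prints one line per finding. Returns 0 if nothing was found, 1 otherwise.
check_evilgnome() {
    home_dir=$1
    crontab_text=$2
    found=0
    ext_dir="$home_dir/.cache/gnome-software/gnome-shell-extensions"

    # Artifact 1: the agent executable and the launcher script named in the report.
    for name in gnome-shell-ext gnome-shell-ext.sh; do
        if [ -e "$ext_dir/$name" ]; then
            echo "FOUND: $ext_dir/$name"
            found=1
        fi
    done

    # Artifact 2: persistence. Skip comment lines, then look for the launcher
    # script name anywhere on a crontab line.
    if printf '%s\n' "$crontab_text" \
        | grep -v '^[[:space:]]*#' \
        | grep -q 'gnome-shell-ext\.sh'; then
        echo "FOUND: crontab entry runs gnome-shell-ext.sh"
        found=1
    fi

    return $found
}

# Live-host usage for the current user (uncomment to run):
# check_evilgnome "$HOME" "$(crontab -l 2>/dev/null)"
```

A hit on either artifact is only a starting point: the report's IOC section is the authority for the network indicators, and a file found in that directory should be preserved for analysis rather than deleted straight away.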

Intezer conclude their report by stating: "EvilGnome is a rare type of malware due to its appetite for Linux desktop users. Throughout this (report), we have presented detailed infrastructure-related evidence to connect EvilGnome to the actors behind the Gamaredon Group. We believe this is a premature test version. We anticipate newer versions to be discovered and reviewed in the future, which could potentially shed more light into the group’s operations."

© 2024 SecAlerts Pty Ltd.