Researchers at security firm Intezer have revealed a new backdoor that targets Linux systems with the aim of spying on their users.
The threat, dubbed EvilGnome, masquerades as a GNOME extension and appears to be linked to the Gamaredon Group, a suspected Russian threat actor. The analysed sample appears to be a test version that was uploaded to VirusTotal by mistake.
The implant was found to contain unfinished keylogging capabilities, as well as comments, symbol names and compilation metadata that are not usually left in production builds.
EvilGnome can take screenshots, steal files, capture audio from the user's microphone, and download and execute additional modules.
Analysis of EvilGnome revealed a series of parallels with the Gamaredon Group, which has been active since at least 2013 and is known for targeting individuals likely involved with the Ukrainian government.
The operators of EvilGnome use a hosting provider that the Gamaredon Group has relied on for years, and were also observed serving SSH over port 3436, which led to the discovery of a Gamaredon server also serving SSH over port 3436.
Furthermore, the techniques and components used by EvilGnome are reminiscent of the Gamaredon Group's Windows tooling, including the use of SFX archives, persistence via the task scheduler and the deployment of information stealers.
The Linux implant is delivered as a self-extracting archive shell script created with makeself, a small shell script that bundles files into a self-extracting shell script, commonly given a .run suffix. The operators did not strip the metadata, which revealed that the sample was built on July 4.
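A defender triaging such a .run file can read the makeself header statically instead of running it: the build label, startup script, packaging date and build command sit in plain text above the embedded archive. The following Python is an added example, not code from Intezer or from the makeself project; the sample header and payload are constructed here, and the field names follow makeself's header template.

```python
import re

# Constructed sample in the shape of a makeself-generated .run file. The
# variable names follow makeself's header template; the values, the echo
# lines and the payload bytes are made up here, not taken from the real sample.
PAYLOAD = b"<opaque archive bytes standing in for the embedded tarball>"
SAMPLE_RUN = b"\n".join([
    b"#!/bin/sh",
    b"# This script was generated using Makeself 2.4.0",
    b'label="Example label left in by the packager"',
    b'script="./setup.sh"',
    b'targetdir="setup"',
    b'filesizes="%d"' % len(PAYLOAD),
    b'skip="9"',  # header length in lines; the archive starts right after it
    b"    echo Date of packaging: Thu Jul  4 12:00:00 UTC 2019",
    b"    echo Build command was: makeself.sh setup setup.run Example ./setup.sh",
]) + b"\n" + PAYLOAD

ASSIGN = re.compile(rb'^(\w+)="([^"]*)"$', re.M)  # name="value" header lines
INFO = re.compile(rb"echo (Date of packaging|Build command was): (.+)$", re.M)


def triage_makeself(blob: bytes) -> dict:
    """Read build metadata from a makeself-style archive without executing it.

    Assumes, as in makeself's header, that the script header is exactly
    `skip` lines long and the embedded archive begins on the following line.
    """
    if not blob.startswith(b"#!/bin/sh") or b"Makeself" not in blob[:1024]:
        raise ValueError("not a makeself-style self-extracting script")
    m = re.search(rb'^skip="(\d+)"$', blob, re.M)
    if m is None:
        raise ValueError("no skip= line; cannot locate the payload boundary")
    lines = blob.split(b"\n")
    header = b"\n".join(lines[: int(m.group(1))])
    payload = b"\n".join(lines[int(m.group(1)) :])
    fields = {k.decode(): v.decode() for k, v in ASSIGN.findall(header)}
    for key, val in INFO.findall(header):
        fields[key.decode()] = val.decode().strip()
    # A declared size that disagrees with the real payload means the file was
    # truncated or something was appended after the archive.
    fields["payload_offset"] = len(header) + 1
    fields["payload_size_ok"] = int(fields.get("filesizes", "-1")) == len(payload)
    return fields


if __name__ == "__main__":
    for key, value in triage_makeself(SAMPLE_RUN).items():
        print(f"{key}: {value}")
```

The payload offset returned can be handed to a carving step (for example `tail -c +offset` into the archive tool) once the header has been reviewed.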
“EvilGnome is a rare type of malware due to its appetite for Linux desktop users. […] We anticipate newer versions to be discovered and reviewed in the future, which could potentially shed more light into the group’s operations,” Intezer concludes.