Author Topic: New EvilGnome Backdoor Spies on Linux Users, Steals Their Files

Hardhead (Administrator)
By Sergiu Gatlan
July 17, 2019 01:28 PM

A new Linux malware masquerading as a Gnome shell extension and designed to spy on unsuspecting Linux desktop users was discovered by Intezer Labs' researchers in early July.

The backdoor implant dubbed EvilGnome is currently not detected by any of the anti-malware engines on VirusTotal [1, 2, 3] and comes with several capabilities very rarely seen in Linux malware strains.

"EvilGnome’s functionalities include desktop screenshots, file stealing, allowing capturing audio recording from the user’s microphone and the ability to download and execute further modules," Intezer researchers found.

"The implant contains an unfinished keylogger functionality, comments, symbol names and compilation metadata which typically do not appear in production versions."

Infection via self-extractable archives

EvilGnome is delivered with the help of a self-extractable archive created using the makeself shell script, with all the metadata generated when creating the malicious payload archive bundled within its headers, possibly by mistake.

The infection is automated with the help of an autorun argument left in the headers of the self-executable payload which instructs it to launch a setup.sh that will add the malware's spy agent to the ~/.cache/gnome-software/gnome-shell-extensions/ folder, attempting to sneak onto the victim's system camouflaged as a Gnome shell extension.

https://www.bleepingcomputer.com/news/security/new-evilgnome-backdoor-spies-on-linux-users-steals-their-files/
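The delivery chain described in the article (a makeself archive whose header names a post-extraction setup.sh, dropping into ~/.cache/gnome-software/gnome-shell-extensions/) lends itself to two defender-side checks: reading the makeself stub's own metadata, and looking for the drop directory on a host. The following is an added example written for this thread, not code from the article, from Intezer or from the malware; the `SAMPLE_STUB` bytes are constructed to mimic a makeself-generated header, and the variable names it reads (`label`, `script`, `scriptargs`, `targetdir`) are the ones makeself writes into its stub.

```python
"""Triage helpers for the EvilGnome delivery chain (added example, not from
the article or Intezer). A makeself archive begins with a shell stub whose
variables (label=, script=, scriptargs=, targetdir=) say what runs after extraction."""
import re
from pathlib import Path

# Drop directory reported in the article vs. where GNOME keeps per-user extensions.
EVILGNOME_DROP_DIR = ".cache/gnome-software/gnome-shell-extensions"
REAL_EXTENSION_DIR = ".local/share/gnome-shell/extensions"
HEADER_VARS = ("label", "script", "scriptargs", "targetdir")
_ASSIGN = re.compile(rb'^(\w+)="?([^"\n]*)"?$', re.M)

def parse_makeself_header(data: bytes) -> dict:
    """Collect selected variable assignments from the stub that precedes the
    compressed payload; the stub is small, so only the head is scanned."""
    found = {}
    for m in _ASSIGN.finditer(data[:65536]):
        key, value = m.group(1).decode(), m.group(2).decode(errors="replace")
        if key in HEADER_VARS and key not in found:
            found[key] = value
    return found

def assess_archive(meta: dict) -> list:
    """Responder findings: does the archive auto-run a script after unpacking,
    and is its label or target directory extension-themed?"""
    findings = []
    if meta.get("script"):
        cmd = (meta["script"] + " " + meta.get("scriptargs", "")).strip()
        findings.append(f"auto-runs '{cmd}' after extraction")
    themed = sorted({v for v in meta.values() if "gnome-shell-ext" in v})
    if themed:
        findings.append(f"extension-themed metadata: {themed}")
    return findings

def check_home(home: str) -> list:
    """Host-side check for the drop directory named in the article."""
    drop = Path(home).expanduser() / EVILGNOME_DROP_DIR
    if not drop.is_dir():
        return []
    names = sorted(p.name for p in drop.iterdir())
    return [f"{drop} present (real extensions live in ~/{REAL_EXTENSION_DIR}): {names}"]

# Constructed stub mimicking makeself's generated header; not a real sample.
SAMPLE_STUB = b'''#!/bin/sh
# This script was generated using Makeself (constructed example)
label="gnome-shell-ext"
script="./setup.sh"
scriptargs=""
targetdir="gnome-shell-ext"
'''
```

Run `parse_makeself_header` over the first bytes of any suspicious `.run`/`.sh` archive and `check_home("~")` on a host under review; a non-empty result from either is a lead to triage, not a verdict.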