Kaspersky has unveiled a long-running malicious campaign involving a supply chain attack on Linux systems, where cybercriminals distributed a backdoor via compromised versions of Free Download Manager software. Victims, located globally, unknowingly downloaded the tainted software from the official website, leading to data theft and potential breaches of sensitive information.
14 September 2023 – Kaspersky, the renowned cybersecurity firm, has unveiled a malicious campaign that has been ongoing for a minimum of three years. In this campaign, threat actors employed a Linux backdoor, delivered through a compromised version of the popular Free Download Manager software. Victims were infected when downloading the software from the official website, suggesting a possible supply chain attack. The malware variants used in this operation were initially detected as far back as 2013, with victims scattered across countries including Brazil, China, Saudi Arabia, and Russia.
This newly identified malicious campaign by Kaspersky focuses on targeting Linux systems. Here, cybercriminals deployed a backdoor, essentially a type of Trojan, onto victims’ devices via tainted versions of the widely-used Free Download Manager software. Once a device is infected, the attackers’ objectives include exfiltrating critical information, encompassing system details, browsing history, saved passwords, cryptocurrency wallet files, and even credentials for cloud services like Amazon Web Services or Google Cloud.
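The data the backdoor is described as harvesting (cloud credentials, browser profiles, wallet files, shell history) lives in a small, predictable set of files, which is exactly what a host-level detection can watch. The following Python script is an added example, not Kaspersky's code or anything from the Free Download Manager project: it scans simplified, single-line audit-style records (a constructed format, not raw auditd output, which splits the process name and the file path across separate records) and flags any process outside a per-category allowlist that opens one of those files. The file paths, the allowlist, and the sample process names such as `updater` are assumptions made for illustration.

```python
"""Flag processes that open credential, browser-profile and wallet files.

Added example, not the vendor's code. The log format below is a constructed,
simplified single-line audit record; the path patterns and the allowlist are
assumptions to adapt to the hosts you monitor.
"""
import re
from dataclasses import dataclass

# Sensitive locations matching the categories the article says were stolen
# (assumed paths for common Linux tooling; extend for your environment).
SENSITIVE_PATTERNS = {
    "cloud-credentials": re.compile(r"/\.aws/credentials$|/\.config/gcloud/"),
    "browser-profile": re.compile(r"/\.config/(google-chrome|chromium)/|/\.mozilla/firefox/"),
    "crypto-wallet": re.compile(r"wallet\.dat$|/\.electrum/|/\.bitcoin/"),
    "shell-history": re.compile(r"/\.bash_history$|/\.zsh_history$"),
}

# Processes legitimately expected to read each category (assumed allowlist).
ALLOWED = {
    "cloud-credentials": {"aws", "gcloud", "terraform"},
    "browser-profile": {"chrome", "chromium", "firefox"},
    "crypto-wallet": {"bitcoind", "electrum"},
    "shell-history": {"bash", "zsh"},
}

# Extracts the process name (comm) and the opened path (name) from one record.
LINE_RE = re.compile(r'comm="(?P<comm>[^"]+)".*?name="(?P<name>[^"]+)"')


@dataclass(frozen=True)
class Finding:
    process: str
    path: str
    category: str


def classify(path):
    """Return the sensitive-data category a path belongs to, or None."""
    for category, pattern in SENSITIVE_PATTERNS.items():
        if pattern.search(path):
            return category
    return None


def scan(lines):
    """Return a Finding for every sensitive-file open by a non-allowlisted process."""
    findings = []
    for line in lines:
        match = LINE_RE.search(line)
        if not match:
            continue  # malformed or unrelated record
        category = classify(match["name"])
        if category and match["comm"] not in ALLOWED[category]:
            findings.append(Finding(match["comm"], match["name"], category))
    return findings


# Constructed sample records: "updater" is a hypothetical unexpected process.
SAMPLE_LOG = [
    'type=SYSCALL syscall=openat comm="aws" name="/home/dev/.aws/credentials"',
    'type=SYSCALL syscall=openat comm="updater" name="/home/dev/.aws/credentials"',
    'type=SYSCALL syscall=openat comm="firefox" name="/home/dev/.mozilla/firefox/abc.default/logins.json"',
    'type=SYSCALL syscall=openat comm="updater" name="/home/dev/.mozilla/firefox/abc.default/logins.json"',
    'type=SYSCALL syscall=openat comm="vim" name="/home/dev/notes.txt"',
    'type=SYSCALL syscall=openat comm="bash" name="/home/dev/.bash_history"',
    'type=SYSCALL syscall=openat comm="updater" name="/home/dev/.bitcoin/wallet.dat"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"[{finding.category}] {finding.process} opened {finding.path}")
```

Run against the constructed sample, the script reports the three opens by `updater` and stays silent on the allowlisted readers; in production the same logic would consume real file-access telemetry (auditd `PATH`/`SYSCALL` pairs, eBPF, or an EDR feed), and the value is in reviewing which unexpected processes read secrets, not in the specific names used here.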
Kaspersky’s telemetry indicates that victims of this extensive operation span the globe, with incidents reported in Brazil, China, Saudi Arabia, and Russia, among other countries.
One notable aspect of this campaign is the suspicion that it represents a supply chain attack. During Kaspersky’s investigation into installation guides for Free Download Manager on Linux computers available on platforms like YouTube, instances were discovered where video creators inadvertently demonstrated the initial infection process. Clicking the download button on the official website resulted in the unwitting download of a malicious version of Free Download Manager. In contrast, other users managed to acquire a clean and legitimate version of the software. This suggests that the malware developers may have scripted the malicious redirection to occur probabilistically or based on the digital fingerprint of potential victims.
Kaspersky’s research reveals that this campaign persisted for at least three years, spanning from 2020 to 2022. The malicious package distributed a Free Download Manager version released in 2020. Over this period, users discussed problems linked to the compromised software distribution on forums such as StackOverflow and Reddit, without realizing that these problems stemmed from malicious activity.
It’s essential to emphasize that while variants of the analyzed backdoor have been detectable by Kaspersky solutions for Linux since 2013, there’s a widespread misconception that Linux is impervious to malware. This misbelief leaves numerous Linux systems without adequate cybersecurity protection, rendering them attractive targets for cybercriminals.
Georgy Kucherin, a security expert at Kaspersky, stated, “Essentially, the Free Download Manager case highlights the challenge of spotting an ongoing cyberattack on a Linux system with the naked eye. Therefore, it’s essential for Linux-based computers, including both desktops and servers, to implement reliable and effective security measures.”
Kaspersky recommends the following security measures to safeguard against Linux-based threats and other types of cyberattacks:
- Utilize a proven endpoint security solution such as Kaspersky Endpoint Security for Business, equipped with behavior-based detection and anomaly control capabilities.
- Implement Kaspersky Embedded Systems Security for optimized security in embedded Linux-based systems, devices, and scenarios, ensuring compliance with rigorous regulatory standards.
- Employ Kaspersky Digital Footprint Intelligence to monitor shadow resources and swiftly identify related threats, particularly since stolen credentials may surface on the dark web.