
Free Download Manager site redirected Linux users to malware for years

The Free Download Manager website has been redirecting Linux users to malware for years. In a reported supply chain attack, the site sent some Linux users to a malicious Debian package repository, and the package served from it installed information-stealing malware.

The malware used in this campaign opens a reverse shell to a command-and-control (C2) server and installs a Bash stealer that collects user data and account credentials.

Kaspersky discovered the likely supply chain compromise while investigating a suspicious domain, and found that the campaign had been running for over three years.

Although the cybersecurity company informed the software vendor of the issue, it did not receive a response, so the exact means of the breach remain unclear.


Kaspersky reports that the official download page hosted at "freedownloadmanager[.]org" sometimes redirected visitors trying to download the Linux version to a malicious domain, "deb.fdmpkg[.]org", which hosted a malicious Debian package.

Because the redirection happened only in some cases and not on every download attempt from the official website, it is assumed that the malicious code selected which users received the trojanised download according to specific but still unknown criteria.

Kaspersky observed several posts on social media and community sites, such as Reddit, StackOverflow, YouTube and Unix Stack Exchange, in which the malicious domain was passed around as a legitimate source for obtaining the Free Download Manager tool.

In addition, a 2021 post on the official Free Download Manager forum shows an infected user pointing to the malicious domain "fdmpkg.org" and being told that it has nothing to do with the official project.


On these sites, users had been discussing problems with the software for the past three years, exchanging opinions about suspicious files and cron jobs it was creating, without realising they were infected with malware.

Kaspersky states that the redirection stopped in 2022, but older YouTube videos [1, 2] clearly show the official Free Download Manager download link sending some users to the malicious URL http://deb.fdmpkg[.]org instead of freedownloadmanager.org.

The malicious Debian package (the format used to install software on Debian-based Linux distributions, including Ubuntu and its derivatives) contains an information-stealing script and a "crond" backdoor that opens a reverse shell to the C2 server.

The crond component creates a new cron job on the system that runs the stealer script at every system startup.

Kaspersky found that the crond backdoor is a variant of the "Bew" malware, which has been circulating since 2013, while the Bash stealer has been seen in the wild and was first analysed in 2019. In other words, neither tool is new.

The version of the Bash stealer analysed by Kaspersky collects system information, browsing history, passwords saved in browsers, RMM keys, shell history, cryptocurrency wallet data and account credentials for the AWS, Google Cloud, Oracle Cloud Infrastructure and Azure cloud services.


The collected data is uploaded to the attackers' server, where it can be used for further attacks or sold to other criminals.

If you installed the Linux version of Free Download Manager between 2020 and 2022, you should check whether the malicious version ended up on your system.

To do so, look for the following files created by the malware and, if they are present, delete them:

  • /etc/cron.d/collect
  • /var/tmp/crond
  • /var/tmp/bs
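The check above, as a read-only scan script. This is an added example and not code from the article or from Kaspersky: the three file paths are the ones listed above, while the check of apt source lists for the "fdmpkg.org" domain is my own addition based on the malicious repository named earlier in the text. The first argument is the mount point of an offline image to scan; with no argument it scans the live system.

```shell
#!/bin/sh
# Added example (not from the article): scan for the Free Download Manager
# malware indicators listed in the text. Read-only; it deletes nothing.
# Usage: sh fdm_check.sh [ROOT]   (ROOT = mount point of an offline image)

# File indicators quoted from the article.
IOC_FILES="/etc/cron.d/collect /var/tmp/crond /var/tmp/bs"
# Assumption: the malicious repository domain from the article, used to spot
# an apt source that still points at it.
IOC_DOMAIN="fdmpkg.org"

# fdm_check_files ROOT: print every indicator file present under ROOT.
# Returns 0 if none exist, 1 if at least one does.
fdm_check_files() {
    root=${1:-}
    hits=0
    for f in $IOC_FILES; do
        if [ -e "$root$f" ]; then
            echo "FOUND file: $root$f"
            hits=1
        fi
    done
    return $hits
}

# fdm_check_apt ROOT: print apt source files under ROOT that reference the
# malicious domain. Returns 0 if none do, 1 if at least one does.
fdm_check_apt() {
    root=${1:-}
    hits=0
    for src in "$root/etc/apt/sources.list" "$root"/etc/apt/sources.list.d/*; do
        [ -f "$src" ] || continue
        if grep -q "$IOC_DOMAIN" "$src" 2>/dev/null; then
            echo "FOUND apt source referencing $IOC_DOMAIN: $src"
            hits=1
        fi
    done
    return $hits
}

# fdm_scan ROOT: run both checks. Returns 1 if anything was found, else 0.
fdm_scan() {
    root=${1:-}
    status=0
    fdm_check_files "$root" || status=1
    fdm_check_apt "$root" || status=1
    return $status
}

# When run as a script: scan the live system or the offline root given as $1.
if fdm_scan "${1:-}"; then
    echo "No Free Download Manager malware indicators found."
else
    echo "Indicators found: treat the host as compromised." >&2
fi
```

A hit on any of the three files is the signal the article describes; a hit on the apt source list alone means the machine was at least configured to fetch packages from the malicious repository. Because the stealer harvests saved passwords, shell history and cloud credentials, deleting the files is only the first step: any credential that was present on an infected machine should be treated as exposed and rotated.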

Despite the age of the tools used in these attacks, the signs of suspicious activity on infected computers and the many reports on social media, the malicious Debian package went undetected for years.

Kaspersky attributes this to a combination of factors, including how rarely Linux malware is encountered and the limited spread of the infection, since only a portion of users were redirected to the unofficial URL.

Source of information: bleepingcomputer.com

Teo Ehc, https://secnews.gr