championzoqa.blogg.se

Old Snook free instals
A download site surreptitiously served Linux users malware that stole passwords and other sensitive information for more than three years until it finally went quiet, researchers said on Tuesday.

The site, freedownloadmanager[.]org, offered a benign version of a Linux offering known as the Free Download Manager. Starting in 2020, the same domain at times redirected users to the domain deb.fdmpkg[.]org, which served a malicious version of the app. The version available on the malicious domain contained a script that downloaded two executable files to the /var/tmp/crond and /var/tmp/bs file paths. The script then used the cron job scheduler to cause the file at /var/tmp/crond to launch every 10 minutes. With that, devices that had installed the booby-trapped version of Free Download Manager were permanently backdoored.

After accessing an IP address for the malicious domain, the backdoor launched a reverse shell that allowed the attackers to remotely control the infected device. Researchers from Kaspersky, the security firm that discovered the malware, then ran the backdoor on a lab device to observe how it behaved.

“This stealer collects data such as system information, browsing history, saved passwords, cryptocurrency wallet files, as well as credentials for cloud services (AWS, Google Cloud, Oracle Cloud Infrastructure, Azure),” the researchers wrote in a report on Tuesday. “After collecting information from the infected machine, the stealer downloads an uploader binary from the C2 server, saving it to /var/tmp/atd. It then uses this binary to upload stealer execution results to the attackers’ infrastructure.”

The image below illustrates the infection chain.
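A host-side check for the indicators the article names, added here as an example that is not part of the article or of Kaspersky's report: it parses crontab-style lines and flags entries whose command runs something under /var/tmp (the every-10-minutes launcher for /var/tmp/crond), and reports which of the three dropped paths exist on disk. The sample crontab text is constructed; the `exists` parameter is an assumption added so the path check can be exercised without touching the real filesystem.

```python
import re
from pathlib import Path

# Paths named in the article: the two dropped executables and the uploader binary.
SUSPECT_PATHS = ("/var/tmp/crond", "/var/tmp/bs", "/var/tmp/atd")

# crontab field layout: minute hour day month weekday command...
# (in /etc/crontab a user field precedes the command; it simply lands in the
# command group here, which does not affect the /var/tmp check)
CRON_LINE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")


def suspicious_cron_entries(crontab_text):
    """Return (schedule, command) pairs whose command references /var/tmp.

    The article describes a cron job that launches /var/tmp/crond every 10 minutes;
    legitimate cron entries rarely execute binaries from a world-writable temp
    directory, so any such reference deserves a look.
    """
    hits = []
    for line in crontab_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # skip blanks and comments
        m = CRON_LINE.match(stripped)
        if not m:
            continue  # not a schedule line (e.g. MAILTO=...)
        schedule = " ".join(m.group(i) for i in range(1, 6))
        command = m.group(6)
        if "/var/tmp/" in command:
            hits.append((schedule, command))
    return hits


def present_indicator_paths(paths=SUSPECT_PATHS, exists=Path.exists):
    """Return the indicator paths that exist on this host (exists is injectable)."""
    return [p for p in paths if exists(Path(p))]


# Constructed sample: one benign entry plus the launcher the article describes.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update
*/10 * * * * /var/tmp/crond
"""

if __name__ == "__main__":
    for schedule, command in suspicious_cron_entries(SAMPLE_CRONTAB):
        print(f"suspicious cron entry: [{schedule}] {command}")
    for p in present_indicator_paths():
        print(f"indicator present on disk: {p}")
```

Run it against the output of `crontab -l` for each user and the contents of /etc/crontab and /etc/cron.d to cover both per-user and system schedules.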