A new Linux malware masquerading as a Gnome shell extension and designed to spy on unsuspecting Linux desktop users was discovered by Intezer Labs’ researchers in early July.
The backdoor implant dubbed EvilGnome is currently not detected by any of the anti-malware engines on VirusTotal and comes with several capabilities very rarely seen in Linux malware strains.
EvilGnome is delivered with the help of self-extractable archive created using the makeself shell script, with all the metadata generated when creating the malicious payload archive bundled within its headers, possibly by mistake.
The infection is automated with the help of an autorun argument left in the headers of the self-executable payload which instructs it to launch a setup.sh that will add the malware’s spy agent to the ~/.cache/gnome-software/gnome-shell-extensions/ folder, attempting to sneak onto the victim’s system camouflaged as a Gnome shell extension.
EvilGnome will also add a gnome-shell-ext.sh shell script to the compromised Linux machine’s crontab, a script designed to check every minute if the spyware agent is still running.
The gnome-shell-ext.sh is executed during the final stage of the infection process, leading to the gnome-shell-ext spyware agent also being launched.
EvilGnome’s configuration is stored within the rtp.dat file also bundled within the self-extractable payload archive and it allows the backdoor to get its command and control (C2) server’s IP address.
EvilGnome also seems to be connected with the Russian threat group known as Gamaredon Group, an advanced persistent threat (APT) group known to have been active since at least 2013 as per Palo Alto Networks’ Unit 42 threat researchers.
While in the beginning Gamaredon Group mostly relied on off-the-shelf tools, it has slowly moved into developing custom malware implants after increasing their technical expertise.
Submitted by: Arnfried Walbrecht