Free Download Manager Site Compromised to Distribute Linux Malware to Users for 3+ Years:
A download manager site served Linux users malware that stealthily stole passwords and other sensitive information for more than three years as part of a supply chain attack.
The modus operandi entailed establishing a reverse shell to an actor-controlled server and installing a Bash stealer on the compromised system. The campaign, which took place between 2020 and 2022, is no longer active.
"This stealer collects data such as system information, browsing history, saved passwords, cryptocurrency wallet files, as well as credentials for cloud services (AWS, Google Cloud, Oracle Cloud Infrastructure, Azure)," Kaspersky researchers Georgy Kucherin and Leonid Bezvershenko said.
The website in question is freedownloadmanager[.]org, which, according to the Russian cybersecurity firm, offers a legitimate Linux software called "Free Download Manager," but starting in January 2020, began redirecting some users who attempted to download it to another domain deb.fdmpkg[.]org that served a booby-trapped Debian package.
It's suspected that the malware authors engineered the attack based on certain predefined filtering criteria (say, a digital fingerprint of the system) to selectively lead potential victims to the malicious version. The rogue redirects ended in 2022 for inexplicable reasons.
[...] It's not immediately clear how the compromise actually took place and what the end goals of the campaign were. What's evident is that not everyone who downloaded the software received the rogue package, enabling it to evade detection for years.
"While the campaign is currently inactive, this case of Free Download Manager demonstrates that it can be quite difficult to detect ongoing cyberattacks on Linux machines with the naked eye," the researchers said.
"Thus, it is essential that Linux machines, both desktop and server, are equipped with reliable and efficient security solutions."
[EDITOR'S NOTE: We have been informed by the Free Download Manager Team that all their sites are now secure. This does not in any way affect the content of this story which covers a 3 year period beginning in 2020. JR, 18092023-06:32UTC]
(Score: 1, Insightful) by Anonymous Coward on Sunday September 17 2023, @12:27AM
It's time to face facts. Our fantastically rich and powerful oligarchs didn't get where they are by exercising compassion and responsibility toward their fellow human beings; they got there by doing the exact opposite.
(Score: 0) by Anonymous Coward on Sunday September 17 2023, @05:07PM (5 children)
And if you're saying Linux users should just stick to software from their walled garden, you should be using Apple stuff instead.
(Score: 0) by Anonymous Coward on Monday September 18 2023, @12:31AM (3 children)
Look over in the submission queue, there's a new story submitted by "Free Download Manager" or related--attempting to update this front page item.
(Score: 2) by janrinok on Monday September 18 2023, @08:26AM (2 children)
Updated - thank you.
I am not interested in knowing who people are or where they live. My interest starts and stops at our servers.
(Score: 0) by Anonymous Coward on Monday September 18 2023, @03:33PM (1 child)
Fast work (updating TFA)!
Personally, I wouldn't trust that update any further than I could throw it...unless there was some way to verify who sent it?
(Score: 3, Informative) by janrinok on Monday September 18 2023, @03:41PM
No, I wouldn't trust it much either, which is why I did not change the content. I merely acknowledged their comment.
I am not interested in knowing who people are or where they live. My interest starts and stops at our servers.
(Score: 2) by Freeman on Monday September 18 2023, @01:46PM
The difference being is that the likes of Microsoft would be covering up their involvement and waiting as long as possible to notify anyone about any issues.
See, for reference: https://arstechnica.com/security/2023/08/microsoft-cloud-security-blasted-for-its-culture-of-toxic-obfuscation/ [arstechnica.com]
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 0, Spam) by FDM Team on Wednesday September 20 2023, @04:17PM
Dear Community,
Here is the second update regarding the issue: We have prepared a bash script that you can use to check the presence of the malware in your system.
Please review our instructions on our official page: https://www.freedownloadmanager.org/blog/?p=664 [freedownloadmanager.org]
We once again sincerely apologize for any inconvenience that might have been caused.