Stories
Slash Boxes
Comments

SoylentNews is people

posted by hubie on Saturday September 16 2023, @09:17PM   Printer-friendly
from the wget-is-safer dept.

Free Download Manager Site Compromised to Distribute Linux Malware to Users for 3+ Years:

A download manager site served Linux users malware that stealthily stole passwords and other sensitive information for more than three years as part of a supply chain attack.

The modus operandi entailed establishing a reverse shell to an actor-controlled server and installing a Bash stealer on the compromised system. The campaign, which took place between 2020 and 2022, is no longer active.

"This stealer collects data such as system information, browsing history, saved passwords, cryptocurrency wallet files, as well as credentials for cloud services (AWS, Google Cloud, Oracle Cloud Infrastructure, Azure)," Kaspersky researchers Georgy Kucherin and Leonid Bezvershenko said.

The website in question is freedownloadmanager[.]org, which, according to the Russian cybersecurity firm, offers a legitimate Linux software called "Free Download Manager," but starting in January 2020, began redirecting some users who attempted to download it to another domain deb.fdmpkg[.]org that served a booby-trapped Debian package.

It's suspected that the malware authors engineered the attack based on certain predefined filtering criteria (say, a digital fingerprint of the system) to selectively lead potential victims to the malicious version. The rogue redirects ended in 2022 for inexplicable reasons.

[...] It's not immediately clear how the compromise actually took place and what the end goals of the campaign were. What's evident is that not everyone who downloaded the software received the rogue package, enabling it to evade detection for years.

"While the campaign is currently inactive, this case of Free Download Manager demonstrates that it can be quite difficult to detect ongoing cyberattacks on Linux machines with the naked eye," the researchers said.

"Thus, it is essential that Linux machines, both desktop and server, are equipped with reliable and efficient security solutions."

[EDITOR'S NOTE: We have been informed by the Free Download Manager Team that all their sites are now secure. This does not in any way affect the content of this story which covers a 3 year period beginning in 2020. JR, 18092023-06:32UTC]


Original Submission

 
This discussion was created by hubie (1068) for logged-in users only, but now has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 0) by Anonymous Coward on Monday September 18 2023, @12:31AM (3 children)

    by Anonymous Coward on Monday September 18 2023, @12:31AM (#1325107)

    Look over in the submission queue, there's a new story submitted by "Free Download Manager" or related--attempting to update this front page item.

  • (Score: 2) by janrinok on Monday September 18 2023, @08:26AM (2 children)

    by janrinok (52) Subscriber Badge on Monday September 18 2023, @08:26AM (#1325142) Journal

    Updated - thank you.

    --
    I am not interested in knowing who people are or where they live. My interest starts and stops at our servers.
    • (Score: 0) by Anonymous Coward on Monday September 18 2023, @03:33PM (1 child)

      by Anonymous Coward on Monday September 18 2023, @03:33PM (#1325192)

      Fast work (updating TFA)!

      Personally, I wouldn't trust that update any further than I could throw it...unless there was some way to verify who sent it?

      • (Score: 3, Informative) by janrinok on Monday September 18 2023, @03:41PM

        by janrinok (52) Subscriber Badge on Monday September 18 2023, @03:41PM (#1325193) Journal

        No, I wouldn't trust it much either, which is why I did not change the content. I merely acknowledged their comment.

        --
        I am not interested in knowing who people are or where they live. My interest starts and stops at our servers.