Free Download Manager Linux Users Alert: Supply Chain Attack
Securelist has reported that a Debian package distributed under the name of the widely used ‘Free Download Manager’ contains malware, posing a substantial security risk to the Linux users who installed it.
Securelist’s telemetry also shows that in the first half of 2023 alone, 260,000 distinct Linux instances were linked to malware and other malicious activity.
Free Download Manager Debian Repository Infected
The root of the problem is a Debian repository served from the domain deb.fdmpkg[.]org. Visiting the domain shows an innocuous-looking web page that purports to host a Debian repository for ‘Free Download Manager’, a widely used download utility.
On closer scrutiny, Securelist’s researchers found a Debian package for ‘Free Download Manager’ available at https://deb.fdmpkg[.]org/freedownloadmanager.deb. The package carries a malicious ‘postinst’ script that runs during installation. The script silently deposits two ELF files under /var/tmp (including /var/tmp/bs) and establishes persistence through a cron task stored in /etc/cron.d/collect, which executes /var/tmp/crond every 10 minutes.
It is essential to note that the infected package traces back to January 24, 2020. The ‘postinst’ script contains comments in Russian and Ukrainian, offering insight into the malware’s evolution and the attackers’ motivations.
Bash Stealing Script
On installation, the package introduces an executable, /var/tmp/crond, that serves as a backdoor. Notably, it depends on no external libraries: it is statically linked against dietlibc and uses its syscall wrappers to reach the Linux kernel API.
On start-up, the backdoor issues a DNS request for <hex-encoded 20-byte string>.u.fdmpkg[.]org. The reply contains two IP addresses, which encode the address and port of a secondary Command and Control (C2) server. The C2 protocol is either SSL or plain TCP, depending on the connection type. If SSL is used, /var/tmp/bs is launched for further communication; otherwise, the crond backdoor itself spawns a reverse shell.
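The DNS beacon described above is the most visible network indicator of this backdoor: the queried name carries a hex-encoded 20-byte string, i.e. a 40-hex-character label, under u.fdmpkg[.]org. The following is an added detection example, not code from the article, from Securelist or from the FDM project. It flags resolver log lines matching that beacon pattern, and separately flags any other lookup under fdmpkg.org, since the whole domain is the attackers’ infrastructure. The log format and the 40-hex label in the sample are constructed; the function names are the example’s own; and the domain is written undefanged in the regex because the pattern has to match real log data.

```shell
#!/bin/sh
# Added example, not code from the article, Securelist or the FDM project.
# Flags resolver log lines that query the beacon name described in the
# article: a hex-encoded 20-byte string (40 hex characters) as a label under
# u.fdmpkg.org. Other names under fdmpkg.org are flagged separately.

# Beacon: a 40-hex label directly under u.fdmpkg.org, not preceded by more hex.
BEACON_RE='(^|[^0-9a-f])[0-9a-f]{40}\.u\.fdmpkg\.org'
# Any other lookup touching the attackers' domain.
DOMAIN_RE='fdmpkg\.org'

# classify_dns_queries FILE: print "BEACON: <line>" for the 40-hex beacon
# pattern and "DOMAIN: <line>" for other fdmpkg.org lookups. One query per
# line is assumed; the surrounding log format does not matter to the regexes.
classify_dns_queries() {
  grep -iE "$BEACON_RE" "$1" | sed 's/^/BEACON: /'
  grep -iE "$DOMAIN_RE" "$1" | grep -ivE "$BEACON_RE" | sed 's/^/DOMAIN: /'
  return 0
}

# count_dns_hits FILE: number of flagged lines (both classes).
count_dns_hits() {
  classify_dns_queries "$1" | wc -l | tr -d ' '
}

# write_sample_dns_log FILE: constructed sample lines (not real telemetry);
# the 40-hex label is made up and the format mimics a generic resolver log.
write_sample_dns_log() {
  cat > "$1" <<'EOF'
2023-09-12T10:00:01Z client 10.0.0.5 query: 0123456789abcdef0123456789abcdef01234567.u.fdmpkg.org IN A
2023-09-12T10:00:02Z client 10.0.0.5 query: www.freedownloadmanager.org IN A
2023-09-12T10:10:01Z client 10.0.0.7 query: deb.fdmpkg.org IN A
2023-09-12T10:10:02Z client 10.0.0.7 query: cdn.example.net IN A
EOF
}

# Stand-alone run: `sh script.sh --demo` classifies the constructed sample.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp) && write_sample_dns_log "$tmp" && classify_dns_queries "$tmp"
  rm -f "$tmp"
fi
```

Run it against an export of your resolver or DNS firewall logs with `classify_dns_queries /path/to/log`. The beacon regex is deliberately anchored on the label length so that ordinary names under the same parent domain do not produce false BEACON hits; they still surface as DOMAIN hits, which is the right place to review the official site redirect behaviour the article mentions.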
Securelist’s researchers further found that the reverse shell spawned by the crond backdoor is used to deliver a stealer. This stealer gathers an array of sensitive data, including system information, browsing history, stored passwords, cryptocurrency wallet files, and credentials for cloud services such as AWS, Google Cloud, Oracle Cloud Infrastructure, and Azure.
The stealer then downloads an uploader binary from the C2 server and stores it as /var/tmp/atd. This binary is used to transmit the stolen data to the attackers’ infrastructure, completing the operation.
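The article names four on-disk artifacts across the repository section and the uploader step: /var/tmp/crond, /var/tmp/bs, /var/tmp/atd and the cron task /etc/cron.d/collect. The following host check is an added example, not the FDM developers’ detection script and not code from the article or Securelist. It looks for those paths, for apt sources that reference fdmpkg.org, and for any cron.d entry that executes something under /var/tmp (the persistence mechanism the article describes). The optional ROOT argument is the example’s own convention so the same check can run over a mounted disk image or a test tree; the function names are hypothetical and the sample tree built in the usage is constructed.

```shell
#!/bin/sh
# Added example, not the FDM developers' detection script and not code from
# the article or Securelist. Checks a filesystem for the artifacts the
# article names and for the described cron persistence and apt source.
# ROOT (optional, default /) lets the check run over a mounted image or a
# test tree without touching the live system.

# fdm_host_ioc_check [ROOT]: print one line per finding and a final
# "TOTAL: n" line. Always returns 0 so it composes with `set -e`.
fdm_host_ioc_check() {
  root="${1:-/}"
  root="${root%/}"          # "/" becomes "", so "$root$path" stays absolute
  hits=0

  # Exact paths named in the article.
  for p in /var/tmp/crond /var/tmp/bs /var/tmp/atd /etc/cron.d/collect; do
    if [ -e "$root$p" ]; then
      echo "ARTIFACT: $p"
      hits=$((hits + 1))
    fi
  done

  # apt sources pointing at the attackers' repository domain.
  for f in "$root"/etc/apt/sources.list "$root"/etc/apt/sources.list.d/*; do
    [ -f "$f" ] || continue
    if grep -qi 'fdmpkg\.org' "$f"; then
      echo "APT_SOURCE: ${f#"$root"}"
      hits=$((hits + 1))
    fi
  done

  # cron.d entries that run anything from /var/tmp: the persistence pattern
  # described for /etc/cron.d/collect, generalised to any file name.
  for f in "$root"/etc/cron.d/*; do
    [ -f "$f" ] || continue
    if grep -q '/var/tmp/' "$f"; then
      echo "CRON_VAR_TMP: ${f#"$root"}"
      hits=$((hits + 1))
    fi
  done

  echo "TOTAL: $hits"
  return 0
}

# fdm_host_ioc_count [ROOT]: just the number of findings.
fdm_host_ioc_count() {
  fdm_host_ioc_check "$1" | sed -n 's/^TOTAL: //p'
}

# Stand-alone run: `sh script.sh --demo` builds a constructed infected tree
# and checks it; `sh script.sh` with no arguments checks the live system.
if [ "${1:-}" = "--demo" ]; then
  tree=$(mktemp -d)
  mkdir -p "$tree/var/tmp" "$tree/etc/cron.d" "$tree/etc/apt/sources.list.d"
  : > "$tree/var/tmp/crond"
  printf '*/10 * * * * root /var/tmp/crond\n' > "$tree/etc/cron.d/collect"
  printf 'deb https://deb.fdmpkg.org/ stable main\n' > "$tree/etc/apt/sources.list.d/fdm.list"
  fdm_host_ioc_check "$tree"
  rm -rf "$tree"
else
  fdm_host_ioc_check "${1:-/}"
fi
```

A zero TOTAL on the live system is not proof of a clean host, since the backdoor could have been removed after the data was exfiltrated; treat any APT_SOURCE or ARTIFACT hit as confirmation that the package was installed at some point, and pair this with the DNS indicator and the FDM developers’ own detection script the article refers to.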
Remarkably, the official website does not host the malware itself; instead, only some Linux users who visited it were redirected to the infected deb file. A few reports on Reddit and StackOverflow surfaced between 2020 and 2022 in which users noted suspicious behaviour from Free Download Manager.
We strongly advise uninstalling the ‘Free Download Manager’ Debian package immediately if it is installed on your system. Following this reported supply chain attack, the FDM developers have also released a script for detecting potential infections on Linux devices.
The sources for this article include a story from DebugPointNews.