Technology @lemmy.ml TheAnonymouseJoker @lemmy.ml 9 mo. ago

Trojanized Free Download Manager found to contain a Linux backdoor (FDM's response in post text below) [Securelist]

securelist.com Trojanized Free Download Manager found to contain a Linux backdoor

Kaspersky researchers analyzed a Linux backdoor disguised as Free Download Manager software that remained under the radar for at least three years.

From https://www.freedownloadmanager.org/blog/?p=664:

It appears that a specific web page on our site was compromised by a Ukrainian hacker group, exploiting it to distribute malicious software. Only a small subset of users, specifically those who attempted to download FDM for Linux between 2020 and 2022, were potentially exposed. It’s estimated that much less than 0.1% of our visitors might have encountered this issue. This limited scope is probably why the issue remained undetected until now. Intriguingly, this vulnerability was unknowingly resolved during a routine site update in 2022.

privatelife - privacy, security, freedom advocacy @lemmy.ml TheAnonymouseJoker @lemmy.ml 9 mo. ago

Trojanized Free Download Manager found to contain a Linux backdoor (FDM's response in post text below) [Securelist]

securelist.com /backdoored-free-download-manager-linux-malware/110465/

Linux @programming.dev abobla @lemm.ee 9 mo. ago

Free Download Manager backdoored – a possible supply chain attack on Linux machines

securelist.com /backdoored-free-download-manager-linux-malware/110465/

TechNews @radiation.party irradiated @radiation.party

BOT

9 mo. ago

[HN] Free Download Manager backdoored – a possible supply chain attack on Linux

securelist.com /backdoored-free-download-manager-linux-malware/110465/

5 comments

How they can know the hacker group, they left a business card?
- The Kaspersky analysis noted that the malware contained comments in the shell scripts written in Ukrainian and Russian, and used malware components detected in previous malware campaigns since 2013 that presumably have been attributed to a specific group.
  
  FTA:
  
  Meanwhile, the postinst script contains comments in Russian and Ukrainian, including information about improvements made to the malware, as well as activist statements. They mention the dates 20200126 (January 26, 2020) and 20200127 (January 27, 2020).
  
  ...
  
  Having established how the infected Free Download Manager package was distributed, we decided to check whether the implants discovered over the course of our research have code overlaps with other malware samples. It turned out that the crond backdoor represents a modified version of a backdoor called Bew. Kaspersky security solutions for Linux have been detecting its variants since 2013.
  
  ...
  
  The Bew backdoor has been analyzed multiple times, and one of its first descriptions was published in 2014. Additionally, in 2017, CERN posted information about the BusyWinman campaign that involved usage of Bew. According to CERN, Bew infections were carried out through drive-by downloads.
  
  As for the stealer, its early version was described by Yoroi in 2019. It was used after exploitation of a vulnerability in the Exim mail server.
- How do actors detect other actors? Ever heard of how Team Blue ops work?
  
  Until yesterday they even didn't know that they were hacked for years, then cleaned the file by accident when doing automatic updates; now they know who did that. Seems a way to shift blame