A reported Free Download Manager supply chain attack redirected Linux users to a malicious Debian package repository that installed information-stealing malware.
The malware used in this campaign establishes a reverse shell to a C2 server and installs a Bash stealer that collects user data and account credentials.
Kaspersky discovered the potential supply chain compromise case while investigating suspicious domains, finding that the campaign has been underway for over three years.
Although the cybersecurity company informed the software vendor about it, it has not received a response, so the exact means of compromise remains unclear.
Direct downloads and redirections
Kaspersky says that the official download page hosted on "freedownloadmanager[.]org" would sometimes redirect those attempting to download the Linux version to a malicious domain at "deb.fdmpkg[.]org," which hosts a malicious Debian package.
Due to this redirection happening only in some cases and not in all instances of attempted downloads from the official site, it is hypothesized that scripts targeted users with malicious downloads based on specific but unknown criteria.
Kaspersky observed various posts on social media, Reddit, StackOverflow, YouTube, and Unix Stack Exchange, where the malicious domain was disseminated as a reliable source for getting the Free Download Manager tool.
Furthermore, a post on the official Free Download Manager website in 2021 shows an infected user pointing out the malicious 'fdmpkg.org' domain and being told it is not affiliated with the official project.
On the same sites, users discussed problems with the software over the past three years, exchanging opinions about suspicious files and cron jobs it created, none realizing they were infected with malware.
While Kaspersky states that the redirection stopped in 2022, old YouTube videos [1, 2] clearly show download links on the official Free Download Manager site redirecting some users to the malicious http://deb.fdmpkg[.]org URL rather than freedownloadmanager.org.
However, this redirection was not used for everyone, with another video from around the same time showing a user downloading the program from the official URL instead.
Deploying info-stealing malware
The malicious Debian package, which is used for installing software on Debian-based Linux distributions, including Ubuntu and Ubuntu-based forks, drops a Bash information-stealing script and a crond backdoor that establishes a reverse shell to the C2 server.
The crond component creates a new cron job on the system that runs a stealer script upon system startup.
Kaspersky found that the crond backdoor is a variant of the 'Bew' malware in circulation since 2013, while the Bash stealer was first spotted in the wild and analyzed in 2019. In other words, the toolset isn't novel.
The Bash stealer version analyzed by Kaspersky collects system info, browsing history, passwords saved in browsers, RMM authentication keys, shell history, cryptocurrency wallet data, and account credentials for AWS, Google Cloud, Oracle Cloud Infrastructure, and Azure cloud services.
This collected data is then uploaded to the attackers' server, where it can be used to conduct further attacks or sold to other threat actors.
If you installed the Linux version of Free Download Manager between 2020 and 2022, you should check whether the malicious version was installed.
To do this, look for the following files dropped by the malware, and if found, delete them:
- /etc/cron.d/collect
- /var/tmp/crond
- /var/tmp/bs
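A defender's check for the indicators listed above, written here as an added example; it is not the article's text nor the script later published by the FDM team. The three paths and the fdmpkg.org domain come from the article; the cron.d and apt-source heuristics and the optional ROOT prefix (for scanning a mounted image or a test tree) are my additions and assumptions.

```shell
#!/bin/sh
# Added example, not code from the article or from the FDM project.
# Scans a filesystem tree for the file paths the article lists, plus two
# broader heuristics (assumptions, not article findings): cron.d entries that
# execute something under /var/tmp, and apt sources pointing at fdmpkg.org.
# ROOT (default: the live system) lets the scan run on a mounted image or a
# constructed test tree without root privileges.

fdm_scan() {
    root="${1:-}"
    hits=0
    # Paths the article says the malicious package drops.
    for f in /etc/cron.d/collect /var/tmp/crond /var/tmp/bs; do
        if [ -e "$root$f" ]; then
            echo "INDICATOR: known path present: $root$f"
            hits=$((hits + 1))
        fi
    done
    # Heuristic: a persistent cron job that runs from a world-writable temp dir.
    # A file may be reported twice (known path and heuristic); that is intended.
    for c in "$root"/etc/cron.d/*; do
        [ -f "$c" ] || continue
        if grep -Eq '(^|[[:space:]])/var/tmp/' "$c"; then
            echo "INDICATOR: cron.d entry runs from /var/tmp: $c"
            hits=$((hits + 1))
        fi
    done
    # Heuristic: apt still configured to pull from the malicious domain.
    for s in "$root/etc/apt/sources.list" "$root"/etc/apt/sources.list.d/*.list; do
        [ -f "$s" ] || continue
        if grep -q 'fdmpkg\.org' "$s"; then
            echo "INDICATOR: apt source references fdmpkg.org: $s"
            hits=$((hits + 1))
        fi
    done
    echo "indicators found: $hits"
    [ "$hits" -eq 0 ]   # exit 0 = clean, 1 = review the findings, then remove the files
}

# Usage (hypothetical file name): sh fdm_scan.sh --scan [ROOT]
if [ "${1:-}" = "--scan" ]; then
    fdm_scan "${2:-}"
fi
```

Review what the scan prints before deleting anything, since the reported files are also the evidence of when and how the machine was infected.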
Despite the age of the malicious tools used in these attacks, the signs of suspicious activity on infected computers, and multiple social media reports, the malicious Debian package remained undetected for years.
Kaspersky says this is due to a combination of factors, including the rarity of malware on Linux and the limited spread due to only a portion of users being redirected to the unofficial URL.
Update 9/16 - Free Download Manager has told BleepingComputer it is actively working on fixing the issue, and has also released a statement for its community.
Comments
DeafMan1983 - 9 months ago
What the h**l? Why does everyone say Linux is still safe? No penguins injured by bad hackers. My god we need to freeze hackers. I am shocked because of your news; I never got news. Now it happens with Linux. PS shut up hackers! I would like to build a high safe operating system with Linux/Unix. Please don't use "Hyper-Microsoft", Linus Torvalds! If he wants to use Hyper-Microsoft then it happens virus spreading. I am very disappointed now. Because I never use Windows 10/11. It is very dangerous for me. I don't care about Windows 10/11. I really want to use Linux/BSD.
doctorzeus - 9 months ago
There is no "impenetrable"/"silver bullet" operating system when it comes to security. While Linux has less malware and arguably has a more secure application/auth stack, the user and software providers can still compromise all this.
E.g., it doesn't matter if you have the best security fence around your house money can buy if you leave the gate unlocked or let a delivery guy in who then proceeds to steal all your stuff.
FDM_Team - 9 months ago
This is the Free Download Manager team. We want to acknowledge that we are aware of this issue and are actively investigating its history. While all links on the FDM website are currently functioning correctly, we are diligently studying the reports at this very moment. We've made an announcement on our website about it. Please find more details here: https://www.freedownloadmanager.org/blog/?p=664
DeafMan1983 - 9 months ago
Hi FDM_TEAM, thanks for the explanation! But I never use fdmpkg files because I don't know FDM for Linux. Why do hackers always hurt poor penguins?
I hope you are good person for Linux users. I pray for Linux users.
FDM_Team - 9 months ago
Hi! Here is the second update regarding the issue. We have prepared a bash script that you can use to check for the presence of the malware on your system.
Please review our instructions on our official page: https://www.freedownloadmanager.org/blog/?p=664
We once again sincerely apologize for any inconvenience that might have been caused.