Delaware, USA – July 18, 2019 – A new modular backdoor for desktop Linux systems was developed by the Russian Gamaredon group and is not detected by antivirus solutions. Intezer Labs researchers discovered the backdoor this month and published an analysis of the capabilities of the EvilGnome malware, whose modules are apparently still being developed by the adversaries. Linux malware is usually written to attack servers, since desktop Linux systems are relatively rare, which makes the purpose the notorious APT group had in mind for this malware all the more interesting. EvilGnome is distributed as a self-extracting archive which, during installation, masquerades as a Gnome shell extension and adds a shell script to the crontab to achieve persistence. The detected sample contains four working modules, while the keylogger is still under development and is disabled by default. The remaining modules are capable of recording audio, taking screenshots, searching for new files and uploading all of it to the attackers’ command-and-control server. One of the modules also receives new commands from the server and can download and install an additional payload. If the malware cannot communicate with the C&C server, it stores the stolen information in a folder on the infected system.
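The persistence mechanism described above, a shell script added to the crontab, is one of the few host-level artefacts a defender can check for cheaply. The following is an added example written for this article, not code from Intezer Labs or from the malware report: it parses user-crontab-format text and flags entries that execute something from a hidden or world-writable location. The directory prefixes in `SUSPECT_PREFIXES`, the helper names and the sample crontab are all assumptions constructed for this example (the article gives no file paths); a real Gnome shell extension is JavaScript loaded by gnome-shell, so a cron job that runs a script out of the extensions directory is anomalous regardless of the exact path an implant uses.

```python
import re
import subprocess
from typing import List, Tuple

# Heuristic location prefixes (assumption of this example, not from the
# article): hidden per-user caches, the Gnome shell extension tree, and
# world-writable temp directories are not normal homes for cron jobs.
SUSPECT_PREFIXES = (
    "/tmp/",
    "/var/tmp/",
    "/dev/shm/",
    "/.cache/",
    "/.local/share/gnome-shell/extensions/",
)

CRON_FIELDS = 5  # minute hour day-of-month month day-of-week


def parse_crontab(text: str) -> List[Tuple[str, str]]:
    """Return (schedule, command) pairs from user-crontab-format text.

    Blank lines, comments and NAME=value environment assignments are
    skipped; @reboot/@hourly style shortcuts count as a one-field schedule.
    """
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", line):
            continue  # environment assignment such as SHELL=/bin/sh
        if line.startswith("@"):
            parts = line.split(None, 1)
            if len(parts) == 2:
                entries.append((parts[0], parts[1]))
            continue
        parts = line.split(None, CRON_FIELDS)
        if len(parts) == CRON_FIELDS + 1:
            entries.append((" ".join(parts[:CRON_FIELDS]), parts[CRON_FIELDS]))
    return entries


def is_suspect_command(command: str) -> bool:
    """True if any path-like token of the command lives under a suspect prefix.

    Tokens are split on whitespace and shell operators so that
    'sh /home/u/.cache/x.sh >/dev/null 2>&1' is inspected piece by piece.
    """
    for token in re.findall(r"[^\s;&|]+", command):
        if any(prefix in token for prefix in SUSPECT_PREFIXES):
            return True
    return False


def find_suspect_entries(text: str) -> List[Tuple[str, str]]:
    """Return only the crontab entries whose command looks like persistence."""
    return [(sched, cmd) for sched, cmd in parse_crontab(text)
            if is_suspect_command(cmd)]


def audit_live_crontab() -> List[Tuple[str, str]]:
    """Run 'crontab -l' for the current user and audit its output."""
    result = subprocess.run(["crontab", "-l"], capture_output=True, text=True)
    if result.returncode != 0:
        return []  # no crontab for this user, or crontab not installed
    return find_suspect_entries(result.stdout)


# Constructed sample crontab; the paths are invented for this example.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
SHELL=/bin/sh
MAILTO=""
0 3 * * * /usr/bin/backup --quiet
*/1 * * * * /home/alice/.cache/gnome-ext/update.sh >/dev/null 2>&1
@reboot /bin/sh /home/alice/.local/share/gnome-shell/extensions/example@ext/run.sh
30 6 * * 1 /usr/local/bin/report.sh
"""

if __name__ == "__main__":
    for sched, cmd in find_suspect_entries(SAMPLE_CRONTAB):
        print(f"SUSPECT  {sched:<14} {cmd}")
    for sched, cmd in audit_live_crontab():
        print(f"LIVE     {sched:<14} {cmd}")
```

Running the script lists the two constructed entries that execute from a hidden cache directory and from the Gnome extension tree, and leaves the ordinary backup and report jobs alone; the live audit covers only the calling user's crontab, so a host-wide sweep would also read `/etc/crontab`, `/etc/cron.d/` and each spool file under `/var/spool/cron/`.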
Intezer Labs analyzed the C&C infrastructure and found connections to the known infrastructure of the Gamaredon group. The techniques used by the malware also point to this APT group. The Gamaredon group appeared in 2013 and at first did not use custom malware, but over time it developed a number of cyber-espionage tools, including Pterodo.
To detect the group's activity, you can use the rules developed by Lee Archinal: https://tdm.socprime.com/tdm/info/2243/
You can also examine the techniques used by the group and find content for their detection in the Threat Detection Marketplace: https://tdm.socprime.com/att-ck/