Newly discovered EvilGnome backdoor targets Linux users

• Researchers noted that EvilGnome comes with five modules including ShooterAudio, ShooterImage, ShooterFile, ShooterPing, and ShooterKey.
• This Linux malware is capable of spying on users, taking desktop screenshots, capturing audio recordings from the user’s microphone, stealing files, and downloading additional modules.

Researchers from Intezer Labs uncovered a new backdoor dubbed ‘EvilGnome’ that targets Linux users by impersonating a Gnome shell extension.

What are the capabilities of EvilGnome?

This Linux malware is capable of spying on users, taking desktop screenshots, capturing audio recordings from the user’s microphone, stealing files, and downloading additional modules.

This malware is currently not detected by any of the anti-malware products on VirusTotal.

“The implant contains an unfinished keylogger functionality, comments, symbol names and compilation metadata which typically do not appear in production versions,” researchers said.

What are the modules deployed by the malware?

Researchers noted that EvilGnome comes with five modules including ShooterAudio, ShooterImage, ShooterFile, ShooterPing, and ShooterKey.

• ShooterAudio module is designed to capture audio from the user’s microphone and upload to its C&C server.
• ShooterImage module captures screenshots and uploads to its C&C server.
• ShooterFile module is designed to scan the file system for newly created files.
• ShooterPing receives new commands from the C&C server, exfiltrates data, and downloads and executes additional payloads.
• ShooterKey module is unimplemented and is most likely an unfinished keylogging module.

More details on the malware

EvilGnome backdoor is distributed via self-extractable archive created using the makeself shell script, with all the metadata generated when creating the malicious payload archive bundled within its headers.

• EvilGnome will also add a gnome-shell-ext.sh shell script to the compromised Linux desktop’s crontab, in order to ensure every minute that the spyware agent is running.
• The gnome-shell-ext.sh script is executed during the final stage of the infection process, thereby launching the gnome-shell-ext spyware agent.
• The malware’s configuration is stored within the rtp.dat file, which is bundled within the self-extractable payload archive allowing the backdoor to get its C&C server’s IP address.

All the traffic sent to and from the malware’s C&C servers is encrypted and decrypted with the RC5 symmetric block cipher using the same key with the help of a variant of the RC5Simple open-source library.

Connections with Gamaredon Group

• The operators of EvilGnome use a hosting provider that has been used by Gamaredon Group for years.
• EvilGnome malware runs on an IP address that was controlled by the Gamaredon group two months ago.
• An SSH server served on port 3436 both on EvilGnome C&C and Gamaredon’s C&C server.

“The techniques and modules employed by EvilGnome—that is the use of SFX, persistence with task scheduler and the deployment of information stealing tools—remind us of Gamaredon Group’s Windows tools,” researchers said.