In an alarming disclosure by Securelist.com for Linux users, a Debian package associated with the popular ‘Free Download Manager’ has been found to be infected by malware. This malicious software, lurking in the deb package, poses a significant security threat to unsuspecting users.
Over the past few years, Linux machines have increasingly become a prime target for various threat actors. Shockingly, Securelist’s telemetry data shows that in the first half of 2023 alone, a staggering 260,000 unique Linux samples were associated with malware and other malicious activities.
The root of this issue lies in a Debian repository linked to the domain ‘deb.fdmpkg[.]org.’ On visiting this domain in a web browser, users encounter a seemingly harmless webpage. However, beneath this façade, trouble brews. This subdomain claims to host a Debian repository for ‘Free Download Manager,’ a well-known software used by many.
Upon further investigation, the team discovered a Debian package for ‘Free Download Manager’ available for download from the ‘https://deb.fdmpkg[.]org/freedownloadmanager.deb’ URL. This package contained an infected ‘postinst’ script that is executed during installation. The script drops two ELF files at ‘/var/tmp/crond’ and ‘/var/tmp/bs’ and establishes persistence through a cron task stored in ‘/etc/cron.d/collect.’ This task launches the ‘/var/tmp/crond’ file every 10 minutes.
It’s crucial to note that the infected package dates back to January 24, 2020. The postinst script contains comments in Russian and Ukrainian, providing insights into the malware’s evolution and the attackers’ motivations.
Once installed, the package unleashes an executable, ‘/var/tmp/crond,’ which acts as a backdoor. It’s worth mentioning that this executable doesn’t depend on external shared libraries; it is statically linked against the dietlibc library and uses it to invoke syscalls to access the Linux API.
Upon startup, the backdoor initiates a DNS request for a hex-encoded 20-byte string at ‘<hex-encoded 20-byte string>.u.fdmpkg[.]org.’ In response, it receives two IP addresses, which reveal the address and port of a secondary Command and Control (C2) server. This nefarious communication channel can be either SSL or plain TCP, depending on the connection type. If SSL is used, ‘/var/tmp/bs’ is launched for further communications; otherwise, the crond backdoor itself creates a reverse shell.
Delving deeper into the attackers’ tactics, the team also found that the crond backdoor spawns a reverse shell, through which a stealer is deployed. This insidious stealer collects an array of sensitive data, including system information, browsing history, saved passwords, cryptocurrency wallet files, and credentials for cloud services like AWS, Google Cloud, Oracle Cloud Infrastructure, and Azure.
Subsequently, the stealer downloads an uploader binary from the C2 server, storing it in ‘/var/tmp/atd.’ This binary is then employed to transmit the stolen data to the attackers’ infrastructure, completing their sinister operation.
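The on-disk indicators named above (the dropped binaries ‘/var/tmp/crond’, ‘/var/tmp/bs’ and ‘/var/tmp/atd’, and the cron persistence file ‘/etc/cron.d/collect’) can be checked for with a small POSIX shell script. The following is an added example, not code from the article or from the Free Download Manager team; it takes an optional root directory so the same checks can be run against a mounted disk image instead of the live system.

```shell
#!/bin/sh
# Added example: look for the file-system indicators of the FDM backdoor
# described in the write-up. Paths are relative to a root directory so a
# mounted image can be scanned; the default root is "/".

# Indicators taken from the write-up: dropped ELF binaries and the cron file.
FDM_IOC_PATHS="var/tmp/crond var/tmp/bs var/tmp/atd etc/cron.d/collect"

# fdm_check_root ROOT
# Prints one line per indicator found under ROOT. Returns 0 when the tree is
# clean and 1 when at least one indicator was found.
fdm_check_root() {
    root="${1:-/}"
    found=0
    for rel in $FDM_IOC_PATHS; do
        path="${root%/}/$rel"
        if [ -e "$path" ]; then
            echo "INDICATOR: $path"
            found=1
        fi
    done
    # The persistence task launches /var/tmp/crond; flag any other cron.d entry
    # that references it, even if the attacker renamed the file.
    for cron in "${root%/}"/etc/cron.d/*; do
        [ -f "$cron" ] || continue
        case "$cron" in */collect) continue ;; esac   # already reported above
        if grep -q '/var/tmp/crond' "$cron" 2>/dev/null; then
            echo "CRON ENTRY referencing /var/tmp/crond: $cron"
            found=1
        fi
    done
    return $found
}

# fdm_count_indicators ROOT: number of indicator lines, handy for reporting.
fdm_count_indicators() {
    fdm_check_root "$1" | wc -l | tr -d ' '
}

# Scan when invoked as: sh fdm-check.sh scan [ROOT]   (run as root for /var/tmp).
if [ "${1:-}" = "scan" ]; then
    if fdm_check_root "${2:-/}"; then
        echo "No Free Download Manager backdoor indicators found."
    else
        echo "Indicators found; review the paths listed above." >&2
        exit 2
    fi
fi
```

A hit on any path is reason to treat the host as compromised and to rotate any cloud credentials, browser-saved passwords and wallets that were stored on it, since those are exactly what the stealer collects.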
Surprisingly, the official website itself does not appear to host the malware; instead, randomly selected Linux users were redirected to the compromised deb file. There are a few posts on Reddit and StackOverflow where users reported suspicious behaviour of Free Download Manager between 2020 and 2022.
I would recommend that you immediately uninstall the ‘Free Download Manager’ Debian package if it is installed.
Update Oct 4, 2023: The FDM team discovered and fixed the issue. You can read the official statement here. In addition, the team has released a bash script to check whether your system is already infected. You can find the script here. Give it executable permission and run it from the command line.