A new Linux malware masquerading as a Gnome shell extension and designed to spy on unsuspecting Linux desktop users was discovered by Intezer Labs’ researchers in early July.

“Evil Gnome’s functionalities include desktop screenshots, file stealing, allowing capturing audio recording from the user’s microphone and the ability to download and execute further modules,” Intezer researchers found. Evil Gnome starts life as a self-contained file that consists of 522 lines of text – what’s called a shell script because it’s designed to run directly inside a Linux terminal window, known colloquially as a ‘shell’ – followed by a compressed blob of data that carries the rest of the malware along with it.

According to the researchers, the implant is delivered in the form of a self-extracting archive shell script created with ‘makeself,’ a small shell script that generates a self-extractable compressed tar archive from a directory.

Evil Gnome’s Spyware Modules

The Spy Agent of Evil Gnome contains five malicious modules called “Shooters,” as explained below:

  • ShooterSound– this module uses Pulse Audio to capture audio from the user’s microphone and uploads the data to the operator’s command-and-control server.
  • ShooterImage– this module uses the Cairo open-source library to captures screenshots and uploads them to the C&C server. It does so by opening a connection to the XOrg Display Server, which is the backend to the Gnome desktop.
  • ShooterFile– this module uses a filter list to scan the file system for newly created files and uploads them to the C&C server.
  • ShooterPing– the module receives new commands from the C&C server, like download and execute new files, set new filters for file scanning, download and set new runtime configuration, exfiltrate stored output to the C&C server, and stop any shooter module from running.
  • ShooterKey– this module is unimplemented and unused, which most likely is an unfinished keylogging module.

All the traffic sent to and from the malware’s C2 servers is encrypted and decrypted by Evil Gnome with the RC5 symmetric block cipher using the same key with the help of a variant of the RC5Simple open-source library.

Possible similarities between Evil Gnome and Gamaredon Hacking Group

Furthermore, the researchers also found connections between EvilGnome and Gamaredon Group, an alleged Russian threat group that has been active since at least 2013 and has targeted individuals working with the Ukrainian government.

  • EvilGnome attackers are also using ‘. space’ TTLD for their domains, just as the Gamaredon Group.
  • EvilGnome employs techniques and modules like the use of SFX, persistence with task scheduler, and the deployment of information-stealing tools that remind of Gamaredon Group’s Windows tools.
  • The EvilGnome malware developers and the Gamaredon Group are connected by the use of the same hosting provider as Intezer researchers found, as well as by Evil Gnome’s use of C2 servers connected to domains associated to the Russian threat group.
  • EvilGnome uses a hosting provider that has been used by Gamaredon Group for years and continues to be used by it.
  • EvilGnome also found to be operating on an IP address that was controlled by the Gamaredon group two months ago.

How to Detect EvilGnome Malware?

To check if your Linux system is infected with the EvilGnome spyware, you can look for the “gnome-shell-ext” executable in the “~/.cache/gnome-software/gnome-shell-extensions” directory.

For any Cyber Security information contact help@theweborion.com