EvilGnome: A New Backdoor Implant Spies On Linux Desktop Users

securitybreach

Security researchers have discovered a rare piece of Linux spyware that's currently fully undetected across all major antivirus security software products, and includes rarely seen functionalities with regards to most Linux malware, The Hacker News learned.

 

It's a known fact that very few strains of Linux malware exist in the wild as compared to Windows viruses, because of its core architecture and also due to its low market share, and many of them don't even have a wide range of functionalities.

 

In recent years, even after the disclosure of severe critical vulnerabilities in various flavors of Linux operating systems and software, cybercriminals failed to leverage most of them in their attacks.

 

Instead, a large number of malware targeting the Linux ecosystem is primarily focused on cryptocurrency mining attacks for financial gain and creating DDoS botnets by hijacking vulnerable servers.

 

However, researchers at security firm Intezer Labs recently discovered a new Linux backdoor implant that appears to be in the development and testing phase but already includes several malicious modules to spy on Linux desktop users.

 

EvilGnome: New Linux Spyware

 

 

Dubbed EvilGnome, the malware has been designed to take desktop screenshots, steal files, capture audio recording from the user's microphone as well as download and execute further second-stage malicious modules...........

 

 

To check if your Linux system is infected with the EvilGnome spyware, you can look for the "gnome-shell-ext" executable in the "~/.cache/gnome-software/gnome-shell-extensions" directory....

https://thehackernew...me-spyware.html

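The check described in the quoted article, as an added example (not code from the article, Intezer or anyone in this thread): a POSIX sh function that looks for the named file under a given home directory and reports whether it is present and executable. The function names and the home-directory argument are assumptions made so the check can be run against any account.

```shell
#!/bin/sh
# Added example: looks for the EvilGnome artifact path named in the post.
# Relative path is from the quoted article; function names are assumptions.
EVILGNOME_REL_PATH='.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext'

# check_evilgnome_home HOMEDIR
# Returns 0 if the file is present and executable (prints SUSPECT line),
# 2 if present but not executable (prints REVIEW line), 1 if absent.
check_evilgnome_home() {
    target="$1/$EVILGNOME_REL_PATH"
    if [ -f "$target" ] && [ -x "$target" ]; then
        printf 'SUSPECT: %s is present and executable\n' "$target"
        return 0
    elif [ -e "$target" ]; then
        printf 'REVIEW: %s is present but not executable\n' "$target"
        return 2
    fi
    return 1
}

# scan_all_homes: run the check for every directory under /home and for
# /root. Returns 0 if any account shows the executable artifact, else 1.
scan_all_homes() {
    found=1
    for h in /home/* /root; do
        [ -d "$h" ] || continue
        if check_evilgnome_home "$h"; then
            found=0
        fi
    done
    return "$found"
}
```

Absence of the file only means this one indicator is clear; the article names it as a single place to look, not as a complete test.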

Okay, dumb question. I thought something like what's described above would need the user to run chmod to make the shell script executable. I'm sure I'm missing something, but can someone clue me in?


securitybreach

Just because you are running Linux doesn't mean that you can just run any random thing. The user is always the weakest link in security.


I have a couple of GNOME Shell Extensions but I get them from the GNOME project's website. I wouldn't be installing stuff from a phishing scheme or out on the Web.


securitybreach

> I have a couple of GNOME Shell Extensions but I get them from the GNOME project's website. I wouldn't be installing stuff from a phishing scheme or out on the Web.

 

Well things like this do not target people like us..


Hmm, I do not seem to be able to find the "~/.cache/gnome-software/gnome-shell-extensions" directory. So it looks like Window Maker users should be safe from this :Muahaha:


A GNOME user might add this crap as a Shell Extension from a dodgy website. GNOME is the default in quite a few distros including commercial ones like Red Hat.

However this malware only masquerades as a GNOME Shell Extension. It could affect anyone who runs a script in an email or gets and executes a download from a hacked site.

For most knowledgeable Linux users it isn't that much of a threat but we have to admit that just because you run Linux you can't do any dam' thing you please and stay safe.

Edited by raymac46

securitybreach

It's funny that Patrick got tired of Gnome so he completely removed it from his distro.

 

"After long consideration, Pat Volkerding has removed GNOME from Slackware. Pat mentions in the -current ChangeLog that GNOME takes a lot of time to package, so this move should allow more time to be spent on the rest of Slackware."

 

From the changelog: "Please do not incorrectly interpret any of this as a slight against GNOME itself, which (although it does usually need to be fixed and polished beyond the way it ships from upstream more so than, say, KDE or XFce) is a decent desktop choice."

https://tech.slashdo...-from-slackware

 

Granted that was 14 years ago but still, I found it funny. :hysterical:


Well since I am using GNOME 3 on my Thinkpad's Debian Buster install I did check and I have no problems either.

 

Same in Buster GNOME here. Anyway, I like GNOME Shell with no extensions.


siduction has given up on Gnome too.

 

> Some of the desktop environments we ship have had no maintainer for a while. For the next release (which is not far away), we stop releasing images for the desktop environments GNOME, MATE and LXDE. That leaves us with images for KDE Plasma, Xfce, Cinnamon and LXQt. We also keep releasing the minimal entry points noX and Xorg.

V.T. Eric Layton

> Pat Volkerding has removed GNOME from Slackware.

 

Yup. That was just before my Slackware time. By the time I became a full-time Slacker, KDE was the "official" DE. You could install a modified Gnome package that was SlackBuilt just for Slackware... I can't remember the name of it, but I tried it once. Wasn't impressed and went back to KDE (until 4.x happened).


As a new Linux user I was totally freaked out by text based installers. I had to use one to install Vector Linux 4.8 on my old Compaq laptop. That was the only distro that could keep the fan running with the Compaq's archaic APM system.

Then I got an off-lease Dell Optiplex GX270 and started distro farming. Urmas and Eric talked me through a Slackware install and since I knew about Vector Linux it worked. Back then Bruno had a lot of tips about Slackware and there was some sort of dependency checker called SwareT. So I made out OK. Just couldn't wrap my head around KDE back then so it was on to the next distro. If Xfce had been the default desktop, I might be a Slacker to this day. Or I might have discovered Arch Linux a lot sooner.


V.T. Eric Layton

> Back then Bruno had a lot of tips about Slackware and there was some sort of dependency checker called SwareT.

 

Well, SwareT didn't have any dependency checking capabilities. It was just another updater application. Currently, Slackware uses Slackpkg for that purpose. You don't even have to worry about dependency issues in Slack as long as you stick to software in the official repos, as with most Linuxes. However, when trying to install outside apps/programs, dependency does come into play. I've never really had any serious trips into Dependency Heck with Slackware, though.

 

SwareT was a great little updater, though. Sadly, it went south with the advent of Slack 12 or 13, I think.


> As a new Linux user I was totally freaked out by text based installers.

 

I made my first install of Arch with two PCs running, installing on one and reading the Arch Beginners' Install Guide on the other. Took me a long time as I had never partitioned a drive from the CLI and had never even heard of 99% of the other stuff. My first stumbling block was "what the heck is nano?" Took me all day and half the night to get to rebooting, only to find that my Arch would not boot. So I tried again the next day and have been running smoothly ever since :whistling:


securitybreach

Yeah, it can be a daunting task if you are not familiar with the command line. I didn't have an issue as I was using Slackware previously. B)
