EvilGnome, new malware that spies on Linux users and installs backdoors

Earlier this month, security researchers discovered a rare piece of Linux spyware that is currently not detected by most major antivirus engines and that includes functionality rarely seen in malware targeting Linux.

As many of you know, malware targeting Linux accounts for only a small fraction of the cases known on Windows, partly because of how the system is built and partly because of its low desktop market share.

Most malicious programs seen on Linux focus on cryptocurrency mining for financial gain and on building DDoS botnets by hijacking vulnerable servers.

In recent years, even after the disclosure of serious vulnerabilities in various Linux distributions and software, attackers have exploited few of them in the wild, preferring instead those same well-known mining and botnet campaigns.

About EvilGnome

However, researchers at security firm Intezer Labs recently discovered a new Linux malware implant that appears to still be under development but already includes several malicious modules for spying on Linux desktop users.

Nicknamed EvilGnome, its main functions include taking desktop screenshots, stealing files, capturing audio from the user's microphone, and downloading and running additional malicious second-stage modules.

The name comes from the way the malware operates: it masquerades as a legitimate GNOME Shell extension to infect the target.

According to a new report from Intezer Labs, the EvilGnome sample it discovered on VirusTotal also contains unfinished keylogger functionality, which suggests that its developer uploaded it by mistake.

Infection process

EvilGnome is initially delivered as a self-extracting shell script: a compressed tar archive built from a directory, with an extraction stub prepended that unpacks it and then runs the setup script.

The archive unpacks into four files:

  • gnome-shell-ext: the spy agent executable
  • gnome-shell-ext.sh: checks whether gnome-shell-ext is already running and, if not, starts it
  • rtp.dat: configuration file for gnome-shell-ext
  • setup.sh: the setup script that runs automatically after unpacking
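As an added example (not part of the original article or of Intezer's analysis), the following POSIX shell script builds a harmless self-extracting archive of the kind described above, with a constructed setup.sh and rtp.dat standing in for the real payload, and shows how an analyst can list the embedded payload without executing either the stub or the setup script. The marker line `__PAYLOAD_BELOW__`, the stub layout and the function names are this example's own conventions, not the malware's.

```shell
#!/bin/sh
# Added example: a minimal self-extracting shell archive (stub + gzipped tar),
# and a safe way to list its payload without running it. This is NOT the
# EvilGnome dropper; the marker name and stub layout are this example's own.
set -eu

# build_sfx <dir> <out.sh>: prepend an extraction stub to a tar.gz of <dir>.
# The stub finds the marker line, feeds everything after it to tar, then
# runs setup.sh from the unpacked directory (the behaviour the article describes).
build_sfx() {
  dir=$1; out=$2
  {
    cat <<'STUB'
#!/bin/sh
tmp=$(mktemp -d)
line=$(awk '/^__PAYLOAD_BELOW__$/ { print NR + 1; exit }' "$0")
tail -n +"$line" "$0" | tar xzf - -C "$tmp"
cd "$tmp" && sh ./setup.sh
exit 0
__PAYLOAD_BELOW__
STUB
    tar czf - -C "$dir" .
  } > "$out"
  chmod +x "$out"
}

# sfx_list_payload <script>: analyst-side check. Locates the marker and lists
# the archive members with tar's -t, so nothing embedded gets executed.
# Returns 1 (and prints a message on stderr) if no marker is present.
sfx_list_payload() {
  line=$(awk '/^__PAYLOAD_BELOW__$/ { print NR + 1; exit }' "$1")
  [ -n "$line" ] || { echo "no payload marker found in $1" >&2; return 1; }
  tail -n +"$line" "$1" | tar tzf - | sed 's#^\./##' | grep -v '^$' | sort
}

# make_demo: build a harmless sample that mimics the dropper's file layout.
# File contents are constructed; only the file names are taken from the article.
make_demo() {
  src=$(mktemp -d)
  printf '#!/bin/sh\necho "setup.sh would install here"\n' > "$src/setup.sh"
  printf 'constructed=config\n' > "$src/rtp.dat"
  out=$(mktemp)
  build_sfx "$src" "$out"
  rm -rf "$src"
  printf '%s\n' "$out"
}

demo=$(make_demo)
echo "payload of $demo (listed, not executed):"
sfx_list_payload "$demo"
```

The point of `sfx_list_payload` is that a self-extracting script is just a text stub followed by binary data, so `tail` plus `tar -t` reveals its contents without giving the stub a chance to run; the same trick works for `tar -x` into a scratch directory when you want the files themselves for static analysis.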

When analyzing the spy agent, the researchers found that their code-reuse analysis had never seen this code before, and that the agent was written in C++.

The researchers believe the group behind EvilGnome is Gamaredon Group: the malware used a hosting provider that Gamaredon Group has been using for a year, and its C2 server IP address is one to which two domains, gamework and workan, resolve.

Digging into the spy agent, Intezer researchers found five modules, called "Shooters", each of which performs a different activity in response to the corresponding C2 command:

  • ShooterSound: captures audio from the user's microphone and uploads it to the C2
  • ShooterImage: captures screenshots and uploads them to the C2
  • ShooterFile: scans the file system for newly created files and uploads them to the C2
  • ShooterPing: receives new commands from the C2
  • ShooterKey: not implemented and unused, most likely an unfinished keylogging module

“The researchers believe this is a premature trial version. We anticipate that new versions will be discovered and reviewed in the future.”

All operational modules encrypt their output data and decrypt commands from the server using the RC5 key "sdg62_AS.sa$die3". Each module runs in its own thread, and access to shared resources is protected with mutexes. The whole program, so far, is written in C++.

For now, the only protection method suggested is to manually check for the "gnome-shell-ext" executable in the "~/.cache/gnome-software/gnome-shell-extensions" directory.
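As an added example (not code from the article), the following POSIX shell script turns that manual check into a repeatable one. The directory and file names come from the text above; the running-process check is based on the article's description of gnome-shell-ext.sh keeping gnome-shell-ext alive, and the crontab check is a general persistence-hunting step added here, not behaviour the article attributes to EvilGnome. The function names and the `--scan` flag are this example's own.

```shell
#!/bin/sh
# Added example: hunt for the EvilGnome artefacts named in the article.
# Directory and file names are from the text; the process and crontab
# checks are general persistence-hunting steps, not page-documented behaviour.
set -u

EVILGNOME_DIR='.cache/gnome-software/gnome-shell-extensions'

# evilgnome_check_home <home>: look for the dropper's files under <home>.
# Prints one "found:" line per artefact; returns 1 if any was found, else 0.
evilgnome_check_home() {
  home=$1; found=0
  for f in gnome-shell-ext gnome-shell-ext.sh rtp.dat; do
    p="$home/$EVILGNOME_DIR/$f"
    [ -e "$p" ] || continue
    echo "found: $p"
    found=1
  done
  [ "$found" -eq 0 ] && echo "clean: no EvilGnome artefacts under $home/$EVILGNOME_DIR"
  return "$found"
}

# evilgnome_check_runtime: live-host checks that cannot be run against a bare
# directory: a running gnome-shell-ext process (the .sh wrapper restarts it
# when it is not running) and a user crontab referencing it (a general
# persistence location worth inspecting). Returns 1 if anything was found.
evilgnome_check_runtime() {
  found=0
  if command -v pgrep >/dev/null 2>&1 && pgrep -x gnome-shell-ext >/dev/null 2>&1; then
    echo "found: running process gnome-shell-ext"; found=1
  fi
  if command -v crontab >/dev/null 2>&1 && crontab -l 2>/dev/null | grep -q gnome-shell-ext; then
    echo "found: user crontab entry referencing gnome-shell-ext"; found=1
  fi
  return "$found"
}

# Usage: sh evilgnome_check.sh --scan [home]   (home defaults to $HOME)
# Exit status is 1 when any indicator was found, so it can feed a cron job or alert.
if [ "${1:-}" = "--scan" ]; then
  evilgnome_check_home "${2:-$HOME}"; rc=$?
  evilgnome_check_runtime || rc=1
  exit "$rc"
fi
```

Run it as `sh evilgnome_check.sh --scan` for the current user, or pass another user's home directory as the second argument when checking a mounted image. A hit on the file check is the indicator the article names; a hit on the runtime checks alone only tells you something uses that name and should be looked at by hand.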


2 comments

  1. Bill said

    Are you sure one reason for fewer viruses on GNU/Linux is its market share? Having most of the web and mail servers? NO, the reason is that the main programs used are free as in freedom (you can take the code, compile it and distribute the executables) and free of charge, coupled with the fact that they are two clicks away from being searched for and installed with the package managers, making it strange for someone to find, download and install programs from weird sites or to have to search for programs to activate them. That is why there are no viruses: the virus would have to get into a program within the distributions, and since everyone installs from the same place, if one person discovers it, everyone automatically knows about it and the source of the problem is eliminated.

  2. Bill said

    The market-share thing is a lie that Microsoft uses so that people think that changing to GNU/Linux would not solve their virus problems because there would be the same ones, but it is not true. GNU/Linux is much less attackable than Windows for many reasons: you cannot run a program just by downloading it from the internet, you can't run email attachments, you can't auto-run programs on USB sticks just by inserting them, etc.