The name EvilGnome may conjure images of a malicious creature of folklore. Instead, this name actually refers to an emerging type of malware recently detected by malware researchers.
This article will detail the EvilGnome malware family. We’ll explore what EvilGnome is, how it works, its anatomy (including its modules), its probable connection to an existing attack group, and how to detect it.
This malware may come across as a rare malware type that many will never encounter. But for Linux users, EvilGnome is a threat that should be understood.
What is EvilGnome?
Discovered in July 2019 by security researchers at Intezer Labs, EvilGnome is a rare malware family afflicting Linux systems. Part of this rarity comes from the fact that there are so few Linux malware families in the wild. The other part comes from its functionality, which is rarely seen in Linux malware and should get the attention of Linux users.
This novelty in the world of Linux threats is compounded by the fact that unlike most Linux malware families, EvilGnome does not focus on cryptocurrency mining or creating DDoS botnets. No, you are not in Kansas anymore.
EvilGnome presents itself to unwitting Linux users as a legitimate GNOME extension. Legitimate extensions help to extend Linux functionality, but instead of a healthy boost in system functionality, EvilGnome begins spying on users with an array of functionalities uncommon for most Linux malware types.
Interestingly, EvilGnome was discovered after its creator uploaded a test version to VirusTotal, which did not detect any malicious activity. While this may not strike many as a “newbie” mistake, the fact that an unfinished keylogger was included shows that the creator is either inexperienced or negligent. This keylogger function is currently disabled by default.
Believe it or not, the sloppiness does not end there. EvilGnome was delivered as a self-extracting archive shell script built with makeself. The creators forgot to scrub the metadata that makeself embeds in the generated SFX, including the sample’s creation date of July 4, 2019.
How does EvilGnome work?
EvilGnome begins its malicious work when a user installs the fake GNOME shell extension: the archive unpacks its files and adds a persistence shell script to the user’s crontab. The archive itself is a self-extracting shell script of the kind makeself produces, a compressed tar archive with an extraction stub prepended so that running the script unpacks it.
Once installed, the malware achieves persistence through a crontab entry that runs gnome-shell-ext.sh once a minute. That script in turn launches the main executable, gnome-shell-ext.
EvilGnome has deep spying capabilities against targeted Linux users, implemented in five malicious modules. These capabilities include stealing files, taking desktop screenshots, capturing audio from the system’s microphone, and downloading and executing other malware on the targeted Linux system.
The anatomy of EvilGnome
EvilGnome comprises a C2 server (at the IP address 126.96.36.199), a spy agent, and five malicious modules that perform the actual spying on targeted Linux users. These modules are:
- ShooterSound or ShooterAudio: This module captures audio from the targeted Linux system’s microphone and can upload it to C2. It uses PulseAudio to capture the audio. By default, the maximum audio recording is set to 80,000 bits, which is fairly small, but the limit can be enlarged by C2.
- ShooterImage: This module captures desktop screenshots and can upload them to C2. It opens a connection to the XOrg display server (the GNOME desktop backend) and takes the screenshots with the open-source cairo library.
- ShooterFile: This module scans the targeted Linux system for new files and can upload them to C2. It uses a filter list while scanning the filesystem, so specific files and folders can be ignored altogether.
- ShooterKey: This module is currently disabled by its authors and has yet to be used.
- ShooterPing: This module communicates with C2, from which it receives its malicious commands. C2 commands include downloading and executing a new file, setting filters for file scanning, downloading and applying a new runtime configuration, exfiltrating module output to C2, and stopping the shooter modules.
The modules run in separate threads, with mutex-guarded access to shared resources such as the configuration. Module output is encrypted before it is sent to C2, and data received from C2 is decrypted by the modules.
Who is responsible for EvilGnome?
While the Gamaredon Group has not claimed it, the researchers who discovered this malware have found connections between the two.
First, EvilGnome’s C2 currently uses an IP address that Gamaredon used earlier this year. Second, the techniques used by EvilGnome are reminiscent of the Windows tools used by this attack group. Finally, there are notable infrastructure similarities between EvilGnome and past Gamaredon campaigns: the C2 serves SSH over port 3436, and EvilGnome uses a hosting provider known to be used by the group.
How to detect EvilGnome
Linux users should look in the “~/.cache/gnome-software/gnome-shell-extensions” directory for the “gnome-shell-ext” executable. Since antivirus products are currently unable to detect EvilGnome, Linux admins may also want to block EvilGnome’s C2 IP address.
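As an added detection example (written for this article, not code from Intezer or from the malware), the following POSIX shell script hunts for the persistence mechanism described under “How does EvilGnome work?” and the on-disk artifact named above: it scans user crontabs for entries that run gnome-shell-ext.sh and checks each home directory for the dropped executable. The file names and directory come from the article; the sample values in the comments are constructed.

```shell
#!/bin/sh
# Hunt for the EvilGnome artifacts the article names: the per-minute cron entry that runs
# gnome-shell-ext.sh and the gnome-shell-ext executable dropped under the user's
# ~/.cache/gnome-software/gnome-shell-extensions directory. Added example, not Intezer's code.

# Per-user drop directory from the article, relative to the account's home.
EVILGNOME_DIR_SUFFIX=".cache/gnome-software/gnome-shell-extensions"
# scan_crontab_text: read crontab text on stdin and print every active (non-comment)
# entry that runs the persistence script. Returns 0 if at least one entry matched.
scan_crontab_text() {
    grep -v '^[[:space:]]*#' | grep -E 'gnome-shell-ext\.sh'
}

# scan_extension_dir DIR: report the dropped files if present. Returns 0 if any was found.
scan_extension_dir() {
    dir=$1; hit=1
    for name in gnome-shell-ext gnome-shell-ext.sh; do
        if [ -f "$dir/$name" ]; then
            printf 'found %s (%s bytes)\n' "$dir/$name" "$(wc -c < "$dir/$name")"
            hit=0
        fi
    done
    return $hit
}

# user_crontab USER: print USER's crontab (other accounts need root; missing crontab = empty).
user_crontab() {
    if [ "$1" = "$(id -un)" ]; then crontab -l 2>/dev/null; else crontab -l -u "$1" 2>/dev/null; fi
}

# hunt_user USER HOME: check one account's crontab and drop directory. Returns 0 on a hit.
hunt_user() {
    user=$1; home=$2; status=1
    command -v crontab >/dev/null 2>&1 && user_crontab "$user" | scan_crontab_text && status=0
    scan_extension_dir "$home/$EVILGNOME_DIR_SUFFIX" && status=0
    return $status
}

# hunt_all: sweep every account that has a home directory. Returns 0 if anything was found.
hunt_all() {
    rc=1; [ -r /etc/passwd ] || return 1
    while IFS=: read -r user _ _ _ _ home _; do
        [ -d "$home" ] && hunt_user "$user" "$home" && rc=0
    done < /etc/passwd
    return $rc
}

# Stand-alone use: exit status 0 (and a non-empty report) is the alert condition.
hunt_all && echo "ALERT: EvilGnome indicators found" || echo "no EvilGnome indicators found"
```

Run it as root to cover every account’s crontab; as an unprivileged user it still checks your own crontab and every readable home directory.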
Conclusion
EvilGnome is an emerging Linux malware threat that was first spotted in July of 2019. Taking a page from the book of Windows malware, EvilGnome is capable of stealing a wide variety of user information and uploading it to C2, downloading and executing other malware, and more.
New versions of this malware are expected to be on the horizon shortly. Hopefully, solid antivirus products will catch up by then.
Sources
- EvilGnome: Rare Malware Spying on Linux Desktop Users, Intezer
- EvilGnome: A New Backdoor Implant Spies on Linux Desktop Users, The Hacker News
- New Linux Malware Called EvilGnome Discovered, Linux Journal
- EvilGnome: New Linux Malware Targeting Desktop Users, SOC Prime