Malware spotlight: EvilGnome
Introduction
The name EvilGnome may conjure images of a malicious creature of folklore. Instead, this name actually refers to an emerging type of malware recently detected by malware researchers.
This article will detail the EvilGnome malware family. We’ll explore what EvilGnome is, how EvilGnome works, malware anatomy (including modules) and probable connections to an existing attack group, as well as how to detect EvilGnome.
This malware may come across as a rare malware type that many will never encounter. But for Linux users, EvilGnome is a threat that should be understood.
What is EvilGnome?
Discovered in July 2019 by security researchers at Intezer Labs, EvilGnome is a rare malware family afflicting Linux systems. Part of this rarity is predicated on the fact that there are so few Linux malware families in the wild of the world wide web. The other source of EvilGnome’s rarity comes from its rarely seen malware functionalities, which should get the heads of Linux users turning.
This novelty in the world of Linux threats is compounded by the fact that unlike most Linux malware families, EvilGnome does not focus on cryptocurrency mining or creating DDoS botnets. No, you are not in Kansas anymore.
EvilGnome presents itself to unwitting Linux users as a legitimate GNOME extension. Legitimate extensions help to extend Linux functionality, but instead of a healthy boost in system functionality, EvilGnome begins spying on users with an array of functionalities uncommon for most Linux malware types.
Interestingly, EvilGnome was discovered after its creator uploaded a test version to VirusTotal, which did not detect any malicious activity. While this may not strike many as a “newbie” mistake, the fact that an unfinished keylogger was included shows that the creator is either inexperienced or negligent. This keylogger function is currently disabled by default.
Believe it or not, the sloppiness does not end there. EvilGnome was delivered as a self-extracting form of archive shell script with the help of makeself SFX. The creators forgot to scrub vital metadata from the generated makeself SFX, including the sample creation date of July 4th, 2019.
How does EvilGnome work?
EvilGnome begins its malicious deeds when a user installs this Gnome shell extension and a persistence archiving shell script is added to the crontab. It is delivered as a self-extracting archive shell script created with a shell script that generates compressed tar archives which are self-extractable.
Once installed, this malware achieves persistence by running gnome-shell-ext.sh in crontab once a minute. The script then executes gnome-shell-ext.sh and launches the main executable.
EvilGnome exhibits a deep level of spying capabilities against targeted Linux users by leveraging the power of five malicious modules. Some of these spying capabilities include file stealing, desktop screenshots, audio capturing from the system’s microphone, and both downloading and executing other malware onto a targeted Linux system.
The anatomy of EvilGnome
EvilGnome comprises a C2 server (with an IP address of 195.62.52.101) and five malicious modules that actually perform the spying on targeted Linux users, plus a spy agent. These modules are:
- ShooterSound or ShooterAudio: This module captures audio on the targeted Linux system’s microphone and can upload to C2. It used PulseAuido to capture audio from the microphone. By default, the maximum recording of audio is set to 80,000 bits, which is fairly small and can be enlarged by C2
- ShooterImage: This module captures desktop screenshots and can upload them to C2. It can open a connection to XOrg Display Server (Gnome desktop backend) and can take desktop screenshots with the cairo open-source library
- ShooterFile: This module scans the targeted Linux system for new files and can upload them to C2. It uses a filter list to scan the targeted system’s filesystem, which can ignore specific files and folders altogether
- ShooterKey: This module is currently disabled by its authors and has yet to be used.
- ShooterPing: This module communicated with C2 from which it receives its malicious commands. C2 commands include downloading and executing a new file, setting filters for file scanning, downloading and setting new runtime configurations, exfiltrating output to C2, and stopping shooter modules
These separate modules are run in separate threads with mutex-guarded access to shared resources, including configuration. Output from modules is encrypted before being sent to C2 and information can also be decrypted by them.
Who is responsible for EvilGnome?
While not admitted to by the Gamaredon Group, the researchers that discovered this malware have found connections between the two.
First, EvilGnome’s C2 currently uses an IP address that was used by Gamaredon earlier this year. Second, techniques used by EvilGnome are reminiscent of the Windows tools used by this attack group. Last, there are some notable infrastructure similarities between EvilGnome and past Gamaredon attack campaigns, such as the fact that it serves SSH over port 3436 and the fact that EvilGnome uses a hosting provider that is known to be used by the group.
Detection
Linux system users should look in the “~/.cache/gnome-software/gnome-shell-extensions” directory for the “gnome-shell-ext” executable. Since antivirus products are currently unable to detect EvilGnome, Linux admins may want to consider blocking EvilGnome’s C2 IP address as well.
Conclusion
EvilGnome is an emerging Linux malware threat that was first spotted in July of 2019. Taking a page from the book of Windows malware, EvilGnome is capable of stealing a wide variety of user information and uploading it to C2, downloading and executing other malware and more.
New versions of this malware are expected to be on the horizon shortly. Hopefully, solid antivirus products will catch up by then.
Sources
- EvilGnome: Rare Malware Spying on Linux Desktop Users, Intezer
- EvilGnome: A New Backdoor Implant Spies on Linux Desktop Users, The Hacker News
- New Linux Malware Called EvilGnome Discovered, Linux Journal
- EvilGnome: New Linux Malware Targeting Desktop Users, SOC Prime
- Exam Pass Guarantee
- Live expert instruction
- Hands-on labs
- CREA exam voucher
In this Series
- Malware spotlight: EvilGnome
- How AsyncRAT is escaping security defenses
- Chrome extensions used to steal users' secrets
- Luna ransomware encrypts Windows, Linux and ESXi systems
- Bahamut Android malware and its new features
- LockBit 3.0 ransomware analysis
- AstraLocker releases the ransomware decryptors
- Analysis of Nokoyawa ransomware
- Goodwill ransomware group is propagating unusual demands to get the decryption key
- Dangerous IoT EnemyBot botnet is now attacking other targets
- Fileless malware uses event logger to hide malware
- Nerbian RAT Using COVID-19 templates
- Popular evasion techniques in the malware landscape
- Sunnyday ransomware analysis
- 9 online tools for malware analysis
- Blackguard malware analysis
- Behind Conti: Leaks reveal inner workings of ransomware group
- ZLoader: What it is, how it works and how to prevent it | Malware spotlight [2022 update]
- WhisperGate: A destructive malware to destroy Ukraine computer systems
- Electron Bot Malware is disseminated via Microsoft's Official Store and is capable of controlling social media apps
- SockDetour: the backdoor impacting U.S. defense contractors
- HermeticWiper malware used against Ukraine
- MyloBot 2022: A botnet that only sends extortion emails
- Mars Stealer malware analysis
- How to remove ransomware: Best free decryption tools and resources
- Purple Fox rootkit and how it has been disseminated in the wild
- Deadbolt ransomware: The real weapon against IoT devices
- Log4j - the remote code execution vulnerability that stopped the world
- Rook ransomware analysis
- Modus operandi of BlackByte ransomware
- Emotet malware returns
- Mekotio banker trojan returns with new TTP
- Android malware BrazKing returns
- Malware instrumentation with Frida
- Malware analysis arsenal: Top 15 tools
- Redline stealer malware: Full analysis
- A full analysis of the BlackMatter ransomware
- A full analysis of Horus Eyes RAT
- REvil ransomware: Lessons learned from a major supply chain attack
- Pingback malware: How it works and how to prevent it
- Android malware worm auto-spreads via WhatsApp messages
- Malware analysis: Ragnarok ransomware
- Taidoor malware: what it is, how it works and how to prevent it | malware spotlight
- SUNBURST backdoor malware: What it is, how it works, and how to prevent it | Malware spotlight
- ZHtrap botnet: How it works and how to prevent it
- DearCry ransomware: How it works and how to prevent it
- How criminals are using Windows Background Intelligent Transfer Service
- How the Javali trojan weaponizes Avira antivirus
- HelloKitty: The ransomware affecting CD Projekt Red and Cyberpunk 2077
- DreamBus Botnet: An analysis
- Kobalos malware: A complex Linux threat
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Malware analysis
Malware analysis
Malware analysis
Malware analysis