“EvilGnome” Backdoor Implant Spies On Linux Desktop Users (Jul 17, 2019)
A new Linux malware dubbed “EvilGnome” was discovered in July 2019 masquerading as a GNOME shell extension and designed to spy on unsuspecting Linux desktop users. Researchers at Intezer Labs found that EvilGnome's functionality includes taking desktop screenshots, stealing files, and capturing audio from the user’s microphone. The backdoor can also download and execute further modules. EvilGnome appears to be connected with the Russian threat group known as Gamaredon Group, an Advanced Persistent Threat (APT) group known to have been active since at least 2013. At the time of this writing, the backdoor implant is not detected by any of the anti-malware engines on VirusTotal.
Recommendation: Since security and antivirus products currently fail to detect the EvilGnome malware, researchers recommend that concerned Linux administrators block the Command and Control IP addresses listed in the IOC section of Intezer's blog post. Researchers also suggest searching for the "gnome-shell-ext" executable in the "~/.cache/gnome-software/gnome-shell-extensions" directory to determine whether a machine has been infected.
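The host check described above, as an added example that is not code from Intezer or from this post: it sweeps home directories for the indicator path the researchers name and also flags a running process of that name. The script file name `evilgnome-check.sh` and the `/home` plus `/root` layout are assumptions.

```shell
#!/bin/sh
# Added defender check (hypothetical, not the researchers' tooling).
# Indicator path taken from the post: ~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext
IOC_REL_PATH=".cache/gnome-software/gnome-shell-extensions/gnome-shell-ext"

# Print the indicator path if it exists under the given home directory.
# Returns 0 when found, 1 when the home looks clean.
check_home() {
    home="$1"
    candidate="$home/$IOC_REL_PATH"
    if [ -e "$candidate" ]; then
        printf '%s\n' "$candidate"
        return 0
    fi
    return 1
}

# Sweep every directory under the given root (default /home), printing each hit.
# Returns 0 if at least one home contained the indicator, 1 otherwise.
sweep_homes() {
    root="${1:-/home}"
    found=1
    for h in "$root"/*; do
        [ -d "$h" ] || continue
        if check_home "$h"; then
            found=0
        fi
    done
    return $found
}

# The file may be removed after launch, so also look for a live process by name.
# Returns 0 if a process named gnome-shell-ext is visible, 1 otherwise.
check_process() {
    ps -eo comm= 2>/dev/null | grep -qx 'gnome-shell-ext'
}

# Entry point, only when run as the assumed script name (not when sourced).
if [ "${0##*/}" = "evilgnome-check.sh" ]; then
    if sweep_homes /home || check_home /root || check_process; then
        echo "EvilGnome indicator present: isolate the host and preserve the file for analysis"
        exit 2
    fi
    echo "No EvilGnome indicator found"
fi
```

Run it as root so every home directory is readable; a hit is a reason to collect the file and review outbound connections to the C2 addresses in Intezer's IOC list.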
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.