A new Linux malware masquerading as a Gnome shell extension and designed to spy on unsuspecting Linux desktop users was discovered by Intezer Labs' researchers in early July.

The backdoor implant dubbed EvilGnome is currently not detected by any of the anti-malware engines on VirusTotal [1, 2, 3] and comes with several capabilities very rarely seen in Linux malware strains.

"EvilGnome’s functionalities include desktop screenshots, file stealing, allowing capturing audio recording from the user’s microphone and the ability to download and execute further modules," Intezer researchers found.

"The implant contains an unfinished keylogger functionality, comments, symbol names and compilation metadata which typically do not appear in production versions."

Infection via self-extractable archives

EvilGnome is delivered with the help of self-extractable archive created using the makeself shell script, with all the metadata generated when creating the malicious payload archive bundled within its headers, possibly by mistake.

The infection is automated with the help of an autorun argument left in the headers of the self-executable payload which instructs it to launch a setup.sh that will add the malware's spy agent to the ~/.cache/gnome-software/gnome-shell-extensions/ folder, attempting to sneak onto the victim's system camouflaged as a Gnome shell extension.

Self-extractable payload metadata

EvilGnome will also add a gnome-shell-ext.sh shell script to the compromised Linux machine's crontab, a script designed to check every minute if the spyware agent is still running.

The gnome-shell-ext.sh is executed during the final stage of the infection process, leading to the gnome-shell-ext spyware agent also being launched.

EvilGnome's configuration is stored within the rtp.dat file also bundled within the self-extractable payload archive and it allows the backdoor to get its command and control (C2) server's IP address.

Multiple backdoor modules with spyware features

The malware comes with five modules, each of them designed to run in a separate thread, and "access to shared resources (such as the configuration) is safeguarded by mutexes."

Intezer Labs found the following modules while analyzing the EvilGnome backdoor implant:

• ShooterAudio – captures audio from the user’s microphone and uploads to C2

• ShooterImage – captures screenshots and uploads to C2

• ShooterFile – scans the file system for newly created files and uploads them to C2

• ShooterPing – receives new commands from C2, exfiltrates data, can download and execute new payloads

• ShooterKey – unimplemented and unused, most likely an unfinished keylogging module

All the traffic sent to and from the malware's C2 servers is encrypted and decrypted by EvilGnome with the RC5 symmetric block cipher using the same key with the help of a variant of the RC5Simple open-source library.

In the event of failure to communicate with their C2 servers, the malware samples analyzed by Intezer researchers stored all their output and the stolen data within the ~/.cache/gnome-software/gnome-shell-extensions/tmp/ folder on the infected Linux boxes.

EvilGnome modules

Connections with the Russian Gamaredon Group

EvilGnome also seems to be connected with the Russian threat group known as Gamaredon Group, an advanced persistent threat (APT) group known to have been active since at least 2013 as per Palo Alto Networks' Unit 42 threat researchers.

While in the beginning Gamaredon Group mostly relied on off-the-shelf tools, it has slowly moved into developing custom malware implants after increasing their technical expertise.

The EvilGnome malware developers and the Gamaredon Group are connected by the use of the same hosting provider as Intezer researchers found, as well as by EvilGnome's use of C2 servers connected to domains associated to the Russian threat group.

The two also use the 3436 port for connecting to their C2 servers via SSH, with "two additional servers with domain names similar to the naming pattern of Gamaredon domains (the use of the .space TTLD and ddns)" found by the researchers under EvilGnome’s C2 host provider.

SSH ports open on EvilGnome C2 and Gamaredon servers

Last but not least, while Gamaredon Group is not known to have developed or used any Linux malware implants, the modules and techniques used by the EvilGnome Linux backdoor such as "the use of SFX, persistence with task scheduler and the deployment of information stealing tools" match the ones used by the Russian hacking group.

Intezer's research team provides a list of indicators of compromise (IOCs) at the end of their EvilGnome analysis, including malware sample hashes and IP addresses/domains the Linux backdoor implant shares with other tools developed by the Gamaredon Group.