EvilGnome Linux Backdoor

EvilGnome is a backdoor targeting vulnerable Linux systems. Despite having similarities with malware employed by the Gamaredon Group, an advanced persistent threat operating in Eastern Europe, EvilGnome is targeting users globally.

Threat ID:: CC-3159
Category:: Backdoor
Threat Severity:: Low
Threat Vector:: Download
Published:: 18 July 2019 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Affected platforms

The following platforms are known to be affected:

Linux

Linux - Most popular distributions

Threat details

At the time of publication, EvilGnome appears to be distributed as a self-extracting archive script disguised as a GNOME Linux graphical shell extension. When downloaded, it decompresses and launches modules to maintain persistence and collect information.

Once installed, EvilGnome will connect to a command and control (C2) server over TCP port 3346 using Secure Shell and await further commands. By default, EvilGnome has five function modules:

ShooterFile - reads and transfers newly created files
ShooterImage - captures screenshots
ShooterKey - unimplemented, but likely to be a key logging module
ShooterPing - receives new commands from the C2 server
ShooterSound - captures microphone audio

Remediation steps

Type	Step
	The following steps can be used to identify and remove EvilGnome's persistence mechanisms. Check for the presence of a process called gnome-shell-ext. If found, terminate it using the kill -9 command. If the process reappears, check the crontab for any entries in the below format and remove if found: 0-59 * * * * /.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh Check for the presence of the files mentioned in the Indicators of Compromise section above. Removing these will prevent EvilGnome from running even without removing crontab entries. Additionally, to prevent and detect an infection, ensure that: A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails. All operating systems, anti-virus and other security products are kept up-to-date. Regular anti-virus and security scans are performed on your organisation’s estate. All day-to-day computer activities such as email and internet are performed using non-administrative accounts. Strong password policies are in place. Network, proxy and firewall logs should be monitored for suspicious activity. User accounts accessed from affected devices should be reset on a clean computer. Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.

Type

Step

The following steps can be used to identify and remove EvilGnome's persistence mechanisms.

Check for the presence of a process called gnome-shell-ext.
If found, terminate it using the kill -9 command.
If the process reappears, check the crontab for any entries in the below format and remove if found:
0-59 * * * * /.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh
Check for the presence of the files mentioned in the Indicators of Compromise section above. Removing these will prevent EvilGnome from running even without removing crontab entries.

Additionally, to prevent and detect an infection, ensure that:

A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
All operating systems, anti-virus and other security products are kept up-to-date.
Regular anti-virus and security scans are performed on your organisation’s estate.
All day-to-day computer activities such as email and internet are performed using non-administrative accounts.
Strong password policies are in place.
Network, proxy and firewall logs should be monitored for suspicious activity.
User accounts accessed from affected devices should be reset on a clean computer.
Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.

Last edited: 14 February 2020 2:49 pm