New EvilGnome malware allows hackers to spy on Linux systems

Cybersecurity researchers have discovered new malware targeting Linux systems that spies on users. Called EvilGnome, the threat disguises itself as a Gnome shell extension and was found to include unfinished keylogging functionality, as well as comments, symbol names and compilation metadata that aren't normally left in production builds.

EvilGnome is capable of taking screenshots, stealing files, capturing audio recordings from the user’s microphone, and downloading and executing further modules.

Techniques and modules employed by EvilGnome are reminiscent of Gamaredon Group’s Windows tools, including the use of SFX, persistence with task scheduler and the deployment of information stealers.

The new Linux implant is delivered as a self-extracting archive shell script created with makeself, a small shell script that packages a directory into a single self-extracting shell script, conventionally given a .run suffix. The operators did not strip the archive's embedded metadata, which revealed that the sample was packaged on July 4.

The setup script attempts to install the malware to ~/.cache/gnome-software/gnome-shell-extensions/, so as to masquerade as a Gnome shell extension. For persistence, it is registered in the user's crontab to run every minute.

The script is then executed to launch the main agent executable, gnome-shell-ext. The spy agent was built in C++, using classes in an object-oriented structure.
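The delivery and persistence chain described above (makeself .run archive, fake extension directory, every-minute crontab entry) gives a defender three cheap host-level checks. The following is an added example written for this page, not code from the article or from the researchers who analysed EvilGnome. It assumes the user-crontab format printed by `crontab -l` (five schedule fields then the command) and the banner comment that makeself writes into the header of every archive it builds; the sample crontab text and the sample script header are constructed for the demo.

```python
import os
import re

# Directory the setup script uses to masquerade as a Gnome shell extension
# (relative to the user's home directory), and the agent's file name.
INSTALL_DIR = ".cache/gnome-software/gnome-shell-extensions"
AGENT_NAME = "gnome-shell-ext"

# makeself-built scripts start with a shell shebang followed by this banner.
MAKESELF_BANNER = re.compile(
    r"^#\s*This script was generated using Makeself\s+(\S+)", re.MULTILINE
)

# Constructed sample of `crontab -l` output with one benign job and one
# every-minute job pointing into the fake extension directory.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/backup.sh
* * * * * /home/alice/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext
"""

# Constructed head of a makeself archive (only the two lines that matter here).
SAMPLE_RUN_HEAD = "#!/bin/sh\n# This script was generated using Makeself 2.4.0\n"


def find_cron_persistence(crontab_text: str):
    """Return crontab entries whose command references the fake extension
    directory, noting whether they are scheduled every minute."""
    hits = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)  # five schedule fields + command
        if len(fields) < 6:
            continue
        schedule, command = fields[:5], fields[5]
        if INSTALL_DIR in command:
            hits.append({"line": line, "every_minute": schedule == ["*"] * 5})
    return hits


def makeself_version(script_head: str):
    """Return the makeself version named in a script's header, or None if the
    file was not produced by makeself."""
    m = MAKESELF_BANNER.search(script_head)
    return m.group(1) if m else None


def agent_on_disk(home: str):
    """Return the agent path if gnome-shell-ext sits in the masquerade
    directory under the given home directory, else None."""
    path = os.path.join(home, INSTALL_DIR, AGENT_NAME)
    return path if os.path.isfile(path) else None


if __name__ == "__main__":
    for hit in find_cron_persistence(SAMPLE_CRONTAB):
        print("suspicious crontab entry:", hit)
    print("makeself version in sample header:", makeself_version(SAMPLE_RUN_HEAD))
    print("agent present:", agent_on_disk(os.path.expanduser("~")))
```

In practice you would feed `find_cron_persistence` the output of `crontab -l` for every user, and `makeself_version` the first few lines of any unexpected .run file found in a download or cache directory; the directory name alone is not proof of compromise, which is why the script reports the matching crontab line rather than simply returning true.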

The spy agent contains five modules: capture sound from the microphone, capture screenshots of the desktop, scan the system for new files, receive new commands from the command and control (C&C) server, and log keystrokes (the last of these has not been implemented yet).

Each of these modules runs in a separate thread, with access to shared resources guarded by mutexes. Each module uses RC5 with the hardcoded key "$die3" to encrypt data sent to the C&C and decrypt data received from it, so anyone holding a traffic capture and the key can decode the exchange offline.
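Because the key is fixed in the binary, an analyst can decrypt captured C&C traffic once the cipher parameters are recovered. The block below is an added example for this page, not code from the article, the researchers or the malware: a plain RC5 implementation in ECB mode with PKCS#7 padding. The article only names the algorithm and the key "$die3"; the word size (32 bits), round count (12), block layout (little-endian words) and padding are assumptions, and a real decryptor would have to match whatever the sample's RC5 library actually does.

```python
# RC5 reference implementation (RC5-32/r) with a variable-length key.
# Parameter choices below are assumptions, not values from the article.
W = 32                      # word size in bits (assumed)
MASK = (1 << W) - 1
ROUNDS = 12                 # round count (assumed)
BLOCK = 2 * (W // 8)        # 8-byte block
P32, Q32 = 0xB7E15163, 0x9E3779B9  # RC5 constants for w = 32

EVILGNOME_KEY = b"$die3"   # key named in the analysis


def _rotl(x: int, n: int) -> int:
    n %= W
    return ((x << n) | (x >> (W - n))) & MASK


def _rotr(x: int, n: int) -> int:
    n %= W
    return ((x >> n) | (x << (W - n))) & MASK


def rc5_key_schedule(key: bytes, rounds: int = ROUNDS):
    """Expand a key of 0..255 bytes into the 2*(rounds+1) round subkeys."""
    u = W // 8
    b = len(key)
    c = max(1, (b + u - 1) // u)
    L = [0] * c
    for i in range(b - 1, -1, -1):          # pack key bytes into words
        L[i // u] = ((L[i // u] << 8) + key[i]) & MASK
    t = 2 * (rounds + 1)
    S = [0] * t
    S[0] = P32
    for i in range(1, t):
        S[i] = (S[i - 1] + Q32) & MASK
    i = j = a = b_ = 0
    for _ in range(3 * max(t, c)):           # mix the key into S
        a = S[i] = _rotl((S[i] + a + b_) & MASK, 3)
        b_ = L[j] = _rotl((L[j] + a + b_) & MASK, a + b_)
        i = (i + 1) % t
        j = (j + 1) % c
    return S


def _encrypt_block(S, block: bytes, rounds: int = ROUNDS) -> bytes:
    A = int.from_bytes(block[:4], "little")
    B = int.from_bytes(block[4:], "little")
    A = (A + S[0]) & MASK
    B = (B + S[1]) & MASK
    for i in range(1, rounds + 1):
        A = (_rotl(A ^ B, B) + S[2 * i]) & MASK
        B = (_rotl(B ^ A, A) + S[2 * i + 1]) & MASK
    return A.to_bytes(4, "little") + B.to_bytes(4, "little")


def _decrypt_block(S, block: bytes, rounds: int = ROUNDS) -> bytes:
    A = int.from_bytes(block[:4], "little")
    B = int.from_bytes(block[4:], "little")
    for i in range(rounds, 0, -1):
        B = _rotr((B - S[2 * i + 1]) & MASK, A) ^ A
        A = _rotr((A - S[2 * i]) & MASK, B) ^ B
    B = (B - S[1]) & MASK
    A = (A - S[0]) & MASK
    return A.to_bytes(4, "little") + B.to_bytes(4, "little")


def rc5_encrypt(key: bytes, data: bytes) -> bytes:
    """ECB encrypt with PKCS#7 padding to the 8-byte block size (assumed mode)."""
    S = rc5_key_schedule(key)
    pad = BLOCK - (len(data) % BLOCK)
    data += bytes([pad]) * pad
    return b"".join(_encrypt_block(S, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def rc5_decrypt(key: bytes, data: bytes) -> bytes:
    """Inverse of rc5_encrypt; raises ValueError on bad length or padding."""
    if not data or len(data) % BLOCK:
        raise ValueError("ciphertext length is not a multiple of the block size")
    S = rc5_key_schedule(key)
    plain = b"".join(_decrypt_block(S, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))
    pad = plain[-1]
    if not 1 <= pad <= BLOCK or plain[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding")
    return plain[:-pad]


if __name__ == "__main__":
    # Constructed stand-in for an exfiltrated record, not real C&C traffic.
    sample = b"screenshot_001.png|4096 bytes"
    ct = rc5_encrypt(EVILGNOME_KEY, sample)
    print(ct.hex())
    print(rc5_decrypt(EVILGNOME_KEY, ct))
```

Swap the word size, round count and padding for whatever the sample's RC5 library uses, and the same `rc5_decrypt` call then turns a pcap of the C&C channel back into the screenshots, file listings and commands it carries.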

Based on the commands received from the server, the malware can download and execute files, set new filters for the file scanner, download and apply new runtime configurations, exfiltrate stored output to the C&C, or stop the modules from running.

Researchers anticipate that newer versions will be discovered and reviewed in the future, which could shed more light on the malware.