EvilGnome Linux Backdoor
EvilGnome is a backdoor targeting vulnerable Linux systems. Despite having similarities with malware employed by the Gamaredon Group
Gamaredon Group is an alleged Russian threat group. It has been active since at least 2013, and has targeted individuals likely involved with the Ukrainian government. Gamaredon Group infects victims using malicious attachments, delivered via spear phishing techniques.
EvilGnome appears to be distributed as a self-extracting archive script disguised as a GNOME Linux graphical shell extension. When downloaded, it decompresses and launches modules to maintain persistence and collect information.
Once installed, EvilGnome will connect to a command and control (C2) server over TCP port 3346 using Secure Shell and await further commands. By default, EvilGnome has five function modules:
- ShooterFile – reads and transfers newly created files
- ShooterImage – captures screenshots
- ShooterKey – unimplemented, but likely to be a key logging module
- ShooterPing – receives new commands from the C2 server
- ShooterSound – captures microphone audio
Detected as malicious
Indicators of Compromise
IP Addresses
- 185.158.115[.]154
- 185.158.115[.]44
- 195.62.52[.]101
URLs
- clsass.ddns[.]net
- gamework.ddns[.]net
- kotl[.]space
- rnbo-ua.ddns[.]net
- workan.ddns[.]net
Filenames
- gnome-shell-ext – the spy agent executable
- gnome-shell-ext.sh – checks if gnome-shell-ext is already running and if not, executes it
SHA246 File Hashes
- 7ffab36b2fa68d0708c82f01a70c8d10614ca742d838b69007f5104337a4b869
- 82b69954410c83315dfe769eed4b6cfc7d11f0f62e26ff546542e35dcd7106b7
- a21acbe7ee77c721f1adc76e7a7799c936e74348d32b4c38f3bf6357ed7e8032
I am one of the editors here at www.systemtek.co.uk I am a UK based technology professional, with an interest in computer security and telecoms.