Free Download Manager backdoored – a possible supply chain attack on Linux machines

Over the last few years, Linux machines have become a more and more prominent target for all sorts of threat actors. According to our telemetry, 260,000 unique Linux samples appeared in the first half of 2023. As we will demonstrate in this article, campaigns targeting Linux can operate for years without being noticed by the cybersecurity community.


We discovered one such long-lasting attack when we decided to investigate a set of suspicious domains, among them:


2c9bf1811ff428ef9ec999cc7544b43950947b0f.u.fdmpkg[.]org
c6d76b1748b67fbc21ab493281dd1c7a558e3047.u.fdmpkg[.]org
0727bedf5c1f85f58337798a63812aa986448473.u.fdmpkg[.]org
c3a05f0dac05669765800471abc1fdaba15e3360.u.fdmpkg[.]org

To a security researcher’s eye, these domains look alarming, as they can be a sign of malware using domain-generation algorithms for C2 communications. We thus decided to take a closer look at the fdmpkg[.]org domain.


A malicious Debian repository


We identified that the domain in question has a deb.fdmpkg[.]org subdomain. Going there in the browser shows the following web page:



As suggested by the page, this subdomain claims to host a Debian repository of a piece of software called ‘Free Download Manager’. We further discovered a Debian package of this software available for download from the https://deb.fdmpkg[.]org/freedownloadmanager.deb URL. This package turned out to contain an infected postinst script that is executed upon installation. This script drops two ELF files to the paths /var/tmp/crond and /var/tmp/bs. It then establishes persistence by creating a cron task (stored in the file /etc/cron.d/coll ..
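As an added example (not code from the article, nor from Free Download Manager), the following Python scanner unpacks a .deb's control archive and flags maintainer scripts that show the pattern described above: files dropped into /var/tmp and a persistence entry written under /etc/cron.d. The sample package is constructed in memory; its source paths and the cron file name are placeholders, since the article's cron file name is truncated.

```python
import io, re, tarfile

# Indicators taken from the behaviour described above: ELF drops into /var/tmp
# and a persistence entry under /etc/cron.d written by a maintainer script.
INDICATORS = [("file dropped into /var/tmp", re.compile(r"/var/tmp/[\w.-]+")),
              ("cron persistence entry", re.compile(r"/etc/cron\.d/[\w.-]+"))]
MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}

def ar_members(blob: bytes):
    """Yield (name, data) pairs from an ar archive; a .deb is an ar archive."""
    if blob[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]                        # fixed 60-byte member header
        name = hdr[:16].decode().strip().rstrip("/")    # GNU ar may end names with '/'
        size = int(hdr[48:58].decode())
        yield name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)                   # members are padded to even length

def scan_deb(blob: bytes) -> dict:
    """Return {script: [finding, ...]} for every maintainer script in control.tar*."""
    findings = {}
    for name, data in ar_members(blob):
        if not name.startswith("control.tar"):
            continue
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
            for member in tar.getmembers():
                script = member.name.lstrip("./")
                if member.isfile() and script in MAINTAINER_SCRIPTS:
                    text = tar.extractfile(member).read().decode(errors="replace")
                    findings[script] = [f"{label}: {m.group(0)}"
                                        for label, rx in INDICATORS for m in rx.finditer(text)]
    return findings

def build_sample_deb(postinst: str) -> bytes:
    """Construct a minimal .deb (debian-binary + control.tar.gz) around a postinst script."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("./postinst")
        info.size, info.mode = len(postinst.encode()), 0o755
        tar.addfile(info, io.BytesIO(postinst.encode()))
    def member(name: str, data: bytes) -> bytes:
        hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode()
        return hdr + data + (b"\n" if len(data) % 2 else b"")
    return b"!<arch>\n" + member("debian-binary", b"2.0\n") + member("control.tar.gz", buf.getvalue())

# Constructed sample postinst mirroring the article's drop-and-cron pattern (placeholder names).
SAMPLE_POSTINST = ("#!/bin/sh\ncp /usr/share/pkg/a /var/tmp/crond\ncp /usr/share/pkg/b /var/tmp/bs\n"
                   "echo '* * * * * root /var/tmp/crond' > /etc/cron.d/PLACEHOLDER_NAME\n")
```

Run `scan_deb(build_sample_deb(SAMPLE_POSTINST))` to see the four findings for the sample; a package with a benign postinst (for example one that only runs `ldconfig`) yields an empty list for that script.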
