Trojanized Free Download Manager found to contain a Linux backdoor

Researchers found a trojanized Debian package for Free Download Manager hosted on deb.fdmpkg[.]org that installs a DNS-based backdoor (crond), a secondary binary (bs), and a cron job to maintain persistence. The backdoor resolves a hex-coded domain to DNS A records that encode a secondary C2 IP/port, spawns a reverse shell (SSL or TCP), and is used to deploy a Bash stealer and uploader to exfiltrate credentials and wallet files. #FreeDownloadManager #Bew

Keypoints

  • Malicious Debian package hosted at deb.fdmpkg[.]org contained an infected postinst script that installs malware during package installation.
  • postinst drops two ELF files: /var/tmp/crond (backdoor) and /var/tmp/bs (secondary binary), and creates /etc/cron.d/collect to run /var/tmp/crond every 10 minutes for persistence.
  • The crond backdoor is statically linked (dietlibc) and uses a DNS-based mechanism: it issues an A-record query for a hex-encoded subdomain of u.fdmpkg[.]org and decodes the two returned IPs to obtain the secondary C2 address, port, and connection type.
  • Depending on the encoded connection type, the backdoor either creates a reverse shell itself (TCP) or launches /var/tmp/bs to handle SSL communications and delegate further traffic.
  • A Bash stealer was deployed via the reverse shell to collect system info, browsing history, saved passwords, crypto wallet files, and cloud credentials, then downloaded an uploader to /var/tmp/atd to exfiltrate results.
  • Code analysis shows the crond implant is a modified variant of the Bew backdoor; the stealer also matches earlier known samples.
  • Distribution included redirection from the official Free Download Manager site to the malicious deb.fdmpkg[.]org URL in some cases, suggesting conditional/probabilistic delivery.

MITRE Techniques

  • [T1053.005] Scheduled Task/Job: Cron – The malware creates a cron task to run the backdoor every 10 minutes (“…creating a cron task (stored in the file /etc/cron.d/collect) that launches the /var/tmp/crond file every 10 minutes.”).
  • [T1071.004] Application Layer Protocol: DNS – The backdoor uses DNS A requests to receive encoded C2 address and port (“…makes a type A DNS request for the .u.fdmpkg[.]org domain. In response… receives two IP addresses that encode the address and port of a secondary C2 server.”).
  • [T1059.004] Command and Scripting Interpreter: Unix Shell – The implant launches a reverse shell and can delegate communications to another binary (“…launches a reverse shell… In the case of SSL, the crond backdoor launches the /var/tmp/bs executable and delegates all further communications to it.”).
  • [T1105] Ingress Tool Transfer – The stealer downloads an uploader binary from the C2 and saves it locally for further use (“…the stealer downloads an uploader binary from the C2 server, saving it to /var/tmp/atd.”).
  • [T1041] Exfiltration Over C2 Channel – The uploader binary is used to send collected stealer results to attacker infrastructure (“…uses this binary to upload stealer execution results to the attackers’ infrastructure.”).
  • [T1081] Credentials in Files – The Bash stealer harvests stored credentials and wallet files from the infected host (“…collects data such as system information, browsing history, saved passwords, cryptocurrency wallet files, as well as credentials for cloud services (AWS, Google Cloud, Oracle Cloud Infrastructure, Azure).”).

Indicators of Compromise

  • [File hashes] Malicious artifacts – b77f63f14d0b2bde3f4f62f4323aad87194da11d71c117a487e18ff3f2cd468d (Malicious Debian Package), 2214c7a0256f07ce7b7aab8f61ef9cbaff10a456c8b9f2a97d8f713abd660349 (crond backdoor), and 2 more hashes.
  • [File paths] Installed payload and persistence – /etc/cron.d/collect, /var/tmp/crond, /var/tmp/bs, /var/tmp/atd.
  • [Domains] Malicious distribution and C2 resolution – fdmpkg[.]org, deb.fdmpkg[.]org (hosted the trojanized freedownloadmanager.deb; destination of the redirect from the official site).
  • [IP addresses] Secondary C2 encoding examples – 172.111.48[.]101 (secondary C2 address), 127.1.0[.]80 (encodes the connection port and type); both are returned as DNS A records.
  • [Filenames] Delivered package and uploader – freedownloadmanager.deb, /var/tmp/atd (uploader binary).

Attack flow and technical procedure: the trojanized freedownloadmanager.deb contains a malicious postinst script that drops two ELF binaries to /var/tmp (crond and bs) and creates a cron entry at /etc/cron.d/collect to execute /var/tmp/crond every 10 minutes. The crond binary is statically linked (dietlibc), invokes syscalls directly, and on startup issues a DNS A query to a hex-encoded subdomain of u.fdmpkg[.]org; the two returned A records are parsed so the first provides a secondary C2 IP and the second encodes the connection port and type.

After decoding the DNS response, crond establishes a reverse shell to the secondary C2: for TCP it implements the shell itself, while for SSL it launches /var/tmp/bs and hands off encrypted communications. Through the reverse shell operators deploy a Bash stealer that enumerates system information, browsing history, saved passwords, cryptocurrency wallet files, and cloud service credentials (AWS, Google Cloud, Oracle Cloud Infrastructure, Azure).

The stealer then downloads an uploader binary from the C2 to /var/tmp/atd (ingress tool transfer) and uses it to exfiltrate the collected data back to attacker infrastructure. Code overlap analysis shows the crond implant is a modified Bew backdoor variant, indicating reuse of long-lived Linux backdoor code in this campaign.
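As an added illustration that is not part of the original report, the following Python detection logic flags the crond DNS beaconing described above when run over constructed resolver log lines. The log format, the hex-label length threshold and the sample client IPs are assumptions; the domain and the two A-record answers come from the report's indicators.

```python
import re
from ipaddress import ip_address

# Constructed sample resolver log lines (not from the original report):
# "<timestamp> <client> <qname> <qtype> <comma-separated answers>"
SAMPLE_LOG = """\
2023-09-12T10:00:01Z 10.0.0.5 deb.debian.org. A 151.101.2.132
2023-09-12T10:00:07Z 10.0.0.5 0a1b2c3d4e5f6a7b.u.fdmpkg.org. A 172.111.48.101,127.1.0.80
2023-09-12T10:00:09Z 10.0.0.9 www.example.com. A 93.184.216.34
"""

KNOWN_BAD_DOMAINS = ("fdmpkg.org",)          # domain IoC from the report
HEX_LABEL = re.compile(r"^[0-9a-f]{8,}$")    # hex-only label; the 8-char minimum is an assumed threshold

def parse_line(line):
    ts, client, qname, qtype, answers = line.split()
    return {"ts": ts, "client": client, "qname": qname.rstrip(".").lower(),
            "qtype": qtype, "answers": answers.split(",")}

def classify(rec):
    """Return the list of reasons a query record looks like crond beaconing."""
    reasons = []
    qname, labels = rec["qname"], rec["qname"].split(".")
    if any(qname == d or qname.endswith("." + d) for d in KNOWN_BAD_DOMAINS):
        reasons.append("known_bad_domain")
    # crond asks for <hex>.u.<domain>: a hex-only leftmost label directly under a "u" label
    if len(labels) >= 3 and HEX_LABEL.match(labels[0]) and labels[1] == "u":
        reasons.append("hex_label_under_u")
    # an A answer in 127.0.0.0/8 for an external name is not a reachable host; it carries data
    if rec["qtype"] == "A" and any(ip_address(a).is_loopback for a in rec["answers"]):
        reasons.append("loopback_a_answer")
    return reasons

def scan(log_text):
    """Parse every non-empty line and return the records with at least one detection reason."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = classify(rec)
        if reasons:
            hits.append({**rec, "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["client"], hit["qname"], ",".join(hit["reasons"]))
```

The second and third rules are generic and also catch the same beaconing pattern under a domain that is not yet on a blocklist.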

Read more: https://securelist.com/backdoored-free-download-manager-linux-malware/110465/