Kaspersky researchers found the Free Download Manager site compromised to serve Linux malware: some downloads were redirected to a rogue Debian package hosted at deb.fdmpkg.org. The package installs a backdoor that persists through a cron job, drops ELF files, and carries a Bash-based information stealer that exfiltrates collected data to a C2 server. #FreeDownloadManager #deb.fdmpkg.org #Kaspersky #crond #dietlibc #BashStealer #C2
Keypoints
- The Free Download Manager site was compromised to redirect users to a malicious subdomain deb.fdmpkg.org hosting infected Debian packages.
- The infected package’s postinst script drops ELF files to /var/tmp and creates a cron job in /etc/cron.d/collect to launch /var/tmp/crond every 10 minutes.
- The crond backdoor uses the dietlibc library to access the Linux API and runs a reverse shell.
- A Bash-based information stealer collects data such as system information, browsing history, saved passwords, crypto wallets, and cloud credentials (AWS, Google Cloud, OCI, Azure).
- After data collection, the stealer downloads an uploader binary to /var/tmp/atd and uses it to upload results to the attackers’ infrastructure.
- The campaign ran from January 2020 until at least 2022; only some users were served the rogue package, and public tutorials from that period show the software being installed.
- Victims were worldwide, including Brazil, China, Saudi Arabia and Russia; the redirect went through the legitimate site and stopped in 2022, showing how long a Linux supply chain compromise can persist without being detected.
MITRE Techniques
- [T1195] Supply Chain Compromise – The legitimate site redirected users to the malicious domain deb.fdmpkg.org, which served the compromised Debian packages. The sentence: “Starting in January 2020, the legitimate site of the domain was spotted redirecting some users who attempted to download it to the malicious domain deb.fdmpkg.org that served the compromised Debian packages.”
- [T1053.003] Cron – The malware establishes persistence by creating a cron task (stored in the file /etc/cron.d/collect) that launches the /var/tmp/crond file every 10 minutes. The sentence: “establishes persistence by creating a cron task (stored in the file /etc/cron.d/collect) that launches the /var/tmp/crond file every 10 minutes.”
- [T1059.004] Unix Shell – The crond backdoor creates a reverse shell. The sentence: “The crond backdoor creates a reverse shell.”
- [T1105] Ingress Tool Transfer – The stealer downloads an uploader binary from the C2 server. The sentence: “the stealer downloads an uploader binary from the C2 server, saving it to /var/tmp/atd.”
- [T1005] Data from Local System – The information stealer collects system information, browsing history, saved passwords, cryptocurrency wallet files, and cloud service credentials. The sentence: “The information stealer can collect multiple kinds of data, including system information, browsing history, saved passwords, cryptocurrency wallet files, as well as credentials for cloud services (AWS, Google Cloud, Oracle Cloud Infrastructure, Azure).”
- [T1041] Exfiltration Over C2 Channel – The stealer uses an uploader to upload results to the attackers’ infrastructure. The sentence: “It then uses this binary to upload stealer execution results to the attackers’ infrastructure.”
Indicators of Compromise
- [Domain] – deb.fdmpkg.org (malicious subdomain hosting infected Debian packages), freedownloadmanager.org (legitimate site that performed the redirect), files2.freedownloadmanager.org (legitimate download host). – context: redirect infrastructure and related domains
- [File path] – /var/tmp/crond, /var/tmp/bs, /var/tmp/atd, /etc/cron.d/collect – context: dropped executables and persistence mechanisms
- [URL] – https://deb.fdmpkg.org/freedownloadmanager.deb – context: infected Debian package URL
- [Script/Installer] – postinst script within the infected package – context: malicious installation script executed on install
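As an added defender-side example (not code from the Kaspersky report or the article), the following POSIX shell script checks a host, or a mounted disk image, for the dropped files and the cron persistence described in the key points and IoC list above; the cron line it writes for the demo is an assumption, since the report does not reproduce the job's contents.

```shell
#!/bin/sh
# Host triage for the FDM backdoor artefacts named in the report.
# check_fdm_iocs [ROOT]: ROOT defaults to /; pass a mount point to scan an offline image.
# Prints each finding and returns 0 when clean, 1 when any indicator is present.
check_fdm_iocs() {
    root="${1:-/}"
    root="${root%/}"            # "/" becomes "" so "$root$f" stays a valid absolute path
    hits=0
    # 1. Dropped files and the persistence entry listed in the IoC section
    for f in /etc/cron.d/collect /var/tmp/crond /var/tmp/bs /var/tmp/atd; do
        if [ -e "$root$f" ]; then
            echo "HIT: artefact present: $f"
            hits=$((hits + 1))
        fi
    done
    # 2. Any system cron job whose command lives in /var/tmp, whatever the file is called
    if [ -d "$root/etc/cron.d" ]; then
        for cronfile in "$root"/etc/cron.d/*; do
            [ -f "$cronfile" ] || continue
            if grep -Eq '^[^#]*[[:space:]]/var/tmp/' "$cronfile"; then
                echo "HIT: cron job runs from /var/tmp: ${cronfile#$root}"
                hits=$((hits + 1))
            fi
        done
    fi
    # 3. Live systems only: processes whose executable was started out of /var/tmp
    if [ -z "$root" ] && [ -d /proc ]; then
        for exe in /proc/[0-9]*/exe; do
            target=$(readlink "$exe" 2>/dev/null) || continue
            case "$target" in
                /var/tmp/*) echo "HIT: $exe -> $target"; hits=$((hits + 1)) ;;
            esac
        done
    fi
    [ "$hits" -eq 0 ]
}

# Constructed demonstration: a fake root holding only the cron job and the dropped
# binary. The job line is an assumption; the report does not show the file's contents.
demo_fdm_check() {
    fake=$(mktemp -d)
    mkdir -p "$fake/etc/cron.d" "$fake/var/tmp"
    printf '*/10 * * * * root /var/tmp/crond\n' > "$fake/etc/cron.d/collect"
    : > "$fake/var/tmp/crond"
    if check_fdm_iocs "$fake"; then echo "clean"; else echo "indicators found"; fi
    rm -rf "$fake"
}
```

Run demo_fdm_check to see it fire on the constructed root, or check_fdm_iocs with no argument to triage the live host.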
Read more: https://securityaffairs.com/150851/malware/free-download-manager-supply-chain-attack.html?amp=1