
EvilGnome

Posted: July 18, 2019

EvilGnome is a backdoor Trojan that provides a remote attacker with substantial control capabilities over your PC, including means of installing other threats or collecting information. Unlike most backdoor Trojans, this program is specific to Linux systems. Linux users should update their anti-malware solutions for the best chances of deleting EvilGnome on sight and consider implementing additional safeguards, such as custom IP blacklists.

A Small but Growing Linux Threat

A threat actor interested in exploiting Linux systems on a nearly unprecedented scale is preparing a backdoor Trojan custom-built for that operating system. EvilGnome differs from the usual DDoS-botnet or cryptocurrency-mining Trojans that occasionally appear on Linux in having a much more robust feature set. The author may be planning to rent out EvilGnome's capabilities to other criminals or to use its substantial information-collecting functions for themselves.

Early samples of EvilGnome are available to malware experts and other industry researchers, thanks to what could be an accidental upload by the threat actor. These incomplete builds contain the skeleton of a non-working keylogging module but are otherwise intact and functional. Other modular features in EvilGnome that work as intended include:

  • A C&C module that controls the persistence of the secondary modules, downloads and opens files, modifies module configurations, and accepts other commands.
  • A screenshot module that uses the Cairo library for taking screenshots.
  • A microphone module that uses the PulseAudio utility for recording microphone input.
  • A file-scanning module that searches the system for newly created files and uploads them, according to the settings held by the C&C module.

EvilGnome uses RC5 encryption as part of its stealth features and, at this early stage, is successful at avoiding detection from many brands of security software.

Exploring the Russian Connection

If EvilGnome were a Windows Trojan, little about its payload would be exciting or fresh to the anti-malware industry's researchers. However, its deployment of such invasive, data-exfiltration-themed attacks on Linux is noteworthy and a particularly rare occurrence. Further investigation into EvilGnome's internals leads malware researchers to note a probable connection between EvilGnome and a preexisting threat actor: the Gamaredon Group.

The Gamaredon Group is a Russia-based organization that most readers will know from its attacks against Ukrainian military networks. It is familiar with the development and deployment of backdoor Trojans for espionage purposes, such as the earlier Pteranodon, and EvilGnome may mark a pivot on its part towards operating systems that attackers usually neglect. Similarities between EvilGnome and past campaigns from these criminals include a shared hosting provider, domain suffix and IP address, and general techniques such as the Trojan's means of system persistence.

Linux users can protect themselves by blacklisting the publicized IP addresses for EvilGnome, which may block its contact with its C&C. Otherwise, having anti-malware products available for deleting EvilGnome and practicing safe online behavior are the best defenses.
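One way to turn a published C&C address list into the egress block recommended above, as an added example that is not part of the original article: the script parses a blocklist (comments, blank lines, CIDR ranges, overlapping or malformed entries) and emits an nftables ruleset that logs and drops outbound traffic to those destinations. The addresses embedded here are constructed placeholders, since the article does not list EvilGnome's real C&C addresses; the table and set names are likewise assumptions.

```python
"""Build an nftables egress-blocking ruleset from a C&C IP blocklist.

Added example, not code from the original article. The addresses below
are CONSTRUCTED placeholders (RFC 5737 documentation ranges); substitute
the published EvilGnome C&C addresses before loading the result with
`nft -f`.
"""
import ipaddress

# Constructed placeholder blocklist in the "one entry per line" form most
# published IoC lists use: comments, blank lines and CIDR ranges allowed,
# plus a duplicate, an overlapping range and a malformed line on purpose.
PLACEHOLDER_BLOCKLIST = """\
# EvilGnome C&C placeholders (NOT real indicators)
192.0.2.10
192.0.2.0/28
198.51.100.7
not-an-ip
192.0.2.10
"""


def parse_blocklist(text):
    """Return (networks, rejected): IPv4 networks with duplicates and
    overlaps collapsed (nft rejects overlapping interval-set elements),
    and the lines that could not be parsed as IPv4 addresses/ranges."""
    networks, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        try:
            networks.append(ipaddress.IPv4Network(line, strict=False))
        except ValueError:
            rejected.append(line)
    return list(ipaddress.collapse_addresses(networks)), rejected


def build_nft_ruleset(networks, table="cnc_block"):
    """Emit an nftables script: an interval set of blocked destinations
    and an output-hook rule that logs, then drops, matching packets.
    Logging matters because a hit on a hardened host is itself an
    indicator worth investigating, not just traffic to discard."""
    elems = ", ".join(str(n) for n in networks)
    return "\n".join([
        f"table inet {table} {{",
        "  set cnc_ips {",
        "    type ipv4_addr",
        "    flags interval",
        f"    elements = {{ {elems} }}",
        "  }",
        "  chain egress {",
        "    type filter hook output priority 0; policy accept;",
        f"    ip daddr @cnc_ips log prefix \"{table}: \" drop",
        "  }",
        "}",
    ])


if __name__ == "__main__":
    nets, bad = parse_blocklist(PLACEHOLDER_BLOCKLIST)
    print(build_nft_ruleset(nets))
    for entry in bad:
        print(f"# skipped unparseable entry: {entry}")
```

Rejected entries are reported rather than silently dropped, so a typo in a published list does not quietly leave one C&C address unblocked.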

As a gnome with one crippled limb, EvilGnome is far more threatening than one might assume for an 'incomplete' Trojan. A Trojan in development is still a Trojan, and capable of ferrying information to unpleasant places.
