
Experts at Intezer discovered a new backdoor, dubbed EvilGnome, that is targeting Linux systems for cyber espionage purpose.
“Linux desktop remains an unpopular choice among mainstream desktop users, making up a little more than 2% of the desktop operating system market share.” reads the analysis published by Intezer. ” This explains our surprise when in the beginning of July, we discovered a new, fully undetected Linux backdoor implant, containing rarely seen functionalities with regards to Linux malware, targeting desktop users.”
The experts confirmed that the spy agent used by the threat actors was never seen before.

The Gamaredon APT was first spotted in 2013, last year researchers at LookingGlass have shared the details of a cyber espionage campaign, tracked as Operation Armageddon, targeting Ukrainian entities.
The Security Service of Ukraine (SBU) blamed
The sample analyzed by Intezer was uploaded to VirusTotal by mistake,
EvilGnome allows attackers to take screenshots, steal files, capture audio recordings from the microphone, and download and execute other payloads.
The attack starts with spear-phishing emails containing weaponized attachments, the malware is distributed via Russian hosting providers.
The hosting provider used by attackers behind
The Linux implant is delivered in the form of a self-extracting archive shell script created with
The setup script installs the malicious code to ~/.
In the last step of the installation process, the script executes
“The Spy Agent was built in C++, using classes with an object oriented structure. The binary was not stripped, which allowed us to read symbols and understand the developer’s intentions.” continues the analysis.
“At launch, the agent forks to run in a new process. The agent then reads the rtp.dat configuration file and loads it directly into memory”
The spy agent is composed of
ShooterSound – captures audio from the user’s microphone and uploads to C2;ShooterImage – capturesscreenshots and uploads to C2;ShooterFile – scans the file system for newly created files and uploads them to C2;ShooterPing – receives new commands from C2;-
ShooterKey – unimplemented and unused, most likely an unfinishedkeylogging module;
The modules access to shared resources that are safeguarded through
The malware supports several commands, it can download and execute files, set new filters for scanning, download and set new runtime configurations,
“
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – EvilGnome, Linux malware)
[adrotate banner=”5″]
[adrotate banner=”13″]



