The Free Download Manager website has been redirecting some Linux users to malware-infected destinations for years. An incident report describes a supply chain attack on Free Download Manager that sent Linux users to a deceptive Debian package repository, which ultimately installed information-stealing malware.
The malware used in this campaign creates a reverse shell on a C2 server and installs a Bash stealer that collects user data and account credentials.
Free Download Manager site
While conducting an inquiry into suspicious domains, Kaspersky identified a possible supply chain breach and determined that this campaign had been active for more than three years.
Despite notifying the software vendor about the issue, Kaspersky did not receive a response, leaving the precise methods of the breach shrouded in uncertainty.
According to Kaspersky’s findings, the official download page located at “freedownloadmanager[.]org” occasionally redirects users attempting to download the Linux version to a malicious domain at “deb.fdmpkg[.]org,” where a harmful Debian package is hosted.
Because this redirection happens only selectively and not on every download attempt from the official website, the malicious code is presumed to select which visitors to redirect based on specific criteria that remain unknown.
Kaspersky noticed various posts on social media such as Reddit, StackOverflow, YouTube, and Unix Stack Exchange, where the malicious domain was promoted as a reliable source for obtaining the Free Download Manager tool.
Furthermore, a 2021 post on the official Free Download Manager website shows an infected user pointing to the malicious domain “fdmpkg.org” and being told that it is not related to the official project.
For the past three years, users on these websites have been engaging in discussions about software issues, sharing their concerns about suspicious files and cron jobs generated by the software, all the while unaware that they were unwittingly infected with malware.
Despite Kaspersky’s assertion that the redirection ceased in 2022, it is worth noting that older YouTube videos [1, 2] still prominently feature download links to the official Free Download Manager, which in some instances direct users to a malicious URL, http://deb.fdmpkg[.]org, instead of the legitimate freedownloadmanager.org.
The malicious Debian package, employed for software installations on Debian-based Linux distributions such as Ubuntu and its derivatives, harbors a malevolent information-stealing script and a crond backdoor.
This backdoor establishes a reverse shell connection with a Command and Control (C2) server.
The crond component creates a new system cron job during startup, which executes a script designed to steal information.
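The two footholds described above, a rogue APT repository and a cron job, are both visible in plain text files on the affected host. The following is an added example, not code from the article or from Kaspersky: it scans APT source lists and cron entries for references to the rogue repository domain the article names (fdmpkg.org). The file locations are the standard Debian ones, the sample source list and crontab are constructed for the demonstration, and the script does not reproduce any file list of the malware itself.

```python
"""Check APT sources and cron entries for the rogue repository domain.
Added example; not part of the original article or of Kaspersky's report."""
import os
import re
from typing import Iterable, List, Tuple

# Domain the article identifies as hosting the malicious Debian package.
ROGUE_DOMAINS = ("fdmpkg.org",)

# Standard locations of APT source lists and cron entries on Debian-based systems.
APT_SOURCE_PATHS = ("/etc/apt/sources.list", "/etc/apt/sources.list.d")
CRON_PATHS = ("/etc/crontab", "/etc/cron.d", "/var/spool/cron/crontabs")

# Pulls dotted host names out of a line, with or without a URL scheme.
_HOST_RE = re.compile(r"(?:https?://)?([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")

Finding = Tuple[str, int, str, str]  # (origin, line number, matched host, line)


def is_rogue_host(host: str) -> bool:
    """True if host is a listed rogue domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ROGUE_DOMAINS)


def scan_text(text: str, origin: str) -> List[Finding]:
    """Report every line of text that references a rogue domain."""
    findings: List[Finding] = []
    for number, line in enumerate(text.splitlines(), 1):
        for host in _HOST_RE.findall(line):
            if is_rogue_host(host):
                findings.append((origin, number, host.lower().rstrip("."), line.strip()))
                break  # one finding per line is enough
    return findings


def iter_files(paths: Iterable[str]) -> Iterable[str]:
    """Yield regular files under the given paths; directories are walked."""
    for path in paths:
        if os.path.isdir(path):
            for root, _, names in os.walk(path):
                for name in names:
                    yield os.path.join(root, name)
        elif os.path.isfile(path):
            yield path


def scan_host(paths: Iterable[str] = APT_SOURCE_PATHS + CRON_PATHS) -> List[Finding]:
    """Scan the live system's APT sources and cron entries (needs read access)."""
    findings: List[Finding] = []
    for file_path in iter_files(paths):
        try:
            with open(file_path, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(fh.read(), file_path))
        except OSError:
            continue  # unreadable file: skip it rather than abort the sweep
    return findings


# Constructed sample input (not real captured files): one clean Ubuntu entry
# and one entry pointing at the rogue repository domain.
SAMPLE_SOURCES = (
    "deb http://archive.ubuntu.com/ubuntu jammy main restricted\n"
    "deb http://deb.fdmpkg.org/ stable main\n"
)
# Constructed crontab: a stock Debian line and a job that references the rogue domain.
SAMPLE_CRONTAB = (
    "17 * * * * root cd / && run-parts --report /etc/cron.hourly\n"
    "*/10 * * * * root /opt/fdm/check-update.sh https://deb.fdmpkg.org/\n"
)


if __name__ == "__main__":
    # Demonstrate on the constructed samples, then sweep the real host.
    for finding in scan_text(SAMPLE_SOURCES, "sample sources.list") + scan_text(
        SAMPLE_CRONTAB, "sample crontab"
    ) + scan_host():
        origin, number, host, line = finding
        print(f"{origin}:{number}: references {host}: {line}")
```

Run it with read access to `/etc/apt` and the cron directories; an empty result only means no file in those locations references the domain, not that the host is clean, so it complements rather than replaces the file checks the article recommends.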
Kaspersky’s investigation has revealed that the crond backdoor is a variant of the ‘Bew’ malware, a threat that has been in circulation since 2013. The Bash stealer, on the other hand, was first discovered and analyzed in 2019. However, it’s worth noting that this tool is not a prototype but a fully developed threat.
The gathered data is transmitted to the attacker’s server, where it may be used for subsequent attacks or sold to other malicious actors.
If you’ve installed the Linux edition of Free Download Manager from 2020 to 2022, it’s advisable to verify whether the compromised version has been installed on your system.
To do so, search for the following files linked to the malware and, if detected, remove them:
Kaspersky attributes the campaign going unnoticed for so long to a combination of factors, including how rarely malware is encountered on Linux and the limited reach of the issue, since it affects only the fraction of users who are redirected to the unofficial URL.