Malware served through the Free Download Manager website has been attributed by the vendor to a hacker group based in Ukraine.
As the saying goes, ‘There’s no such thing as a free lunch,’ and the age-old wisdom of ‘Beware of Greeks bearing gifts’ has been reaffirmed yet again with the discovery that the Free Download Manager (FDM) website was used to distribute malware.
The FDM maintainers have confirmed a security incident dating back to 2020, in which a page on their website was abused to distribute Linux malware.
In a statement published on 13 September 2023, the company said:
“Today, informed by the findings from Kaspersky Lab, we became aware of a past security incident from 2020. It appears that a specific web page on our website was compromised by a Ukrainian hacker group, exploiting it to distribute a malicious software.”
The company says that only a subset of users who downloaded FDM for Linux between 2020 and 2022 were affected.
The company further emphasized that:
“It’s estimated that much less than 0.1% of our visitors might have encountered this issue. This limited scope is probably why the issue remained undetected until now. Intriguingly, this vulnerability was unknowingly resolved during a routine site update in 2022.”
The detection came from Kaspersky, which found that malicious code had been planted on the website in 2020. Some Linux users who tried to download the software from the official website were, without their knowledge, redirected to an attacker-controlled server that hosted a Debian package carrying the malware.
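A .deb fetched from a download page you cannot fully vouch for deserves a look before dpkg runs anything from it: the maintainer scripts inside control.tar.* execute as root at install time. The Python script below is an added example written for this article, not code from FDM or Kaspersky. It parses the outer ar container of a .deb, pulls out the maintainer scripts and flags lines that a download manager's postinst has no business containing. The two postinst bodies, the package built around them, and the regex heuristics are all constructed for the demonstration; they are not indicators from the actual FDM incident.

```python
import io
import re
import tarfile

MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}

# Heuristic patterns (assumptions for this example, not IOCs from the FDM incident).
SUSPICIOUS = [
    (re.compile(r"/var/tmp/|/dev/shm/"), "writes to a world-writable temp directory"),
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"), "pipes a download straight into a shell"),
    (re.compile(r"base64\s+(-d|--decode)"), "decodes an embedded base64 blob"),
    (re.compile(r"\bcrontab\b|/etc/cron"), "installs a cron job"),
    (re.compile(r"\bnohup\b|&\s*$"), "backgrounds a long-running process"),
]


def ar_members(blob):
    """Yield (name, data) for each member of the 'ar' archive that wraps a .deb."""
    if not blob.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    off = 8
    while off + 60 <= len(blob):
        hdr = blob[off:off + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt member header at offset %d" % off)
        # dpkg pads names with spaces; GNU ar also appends a '/'.
        name = hdr[0:16].decode("ascii").rstrip(" ").rstrip("/")
        size = int(hdr[48:58].decode("ascii").strip())
        yield name, blob[off + 60:off + 60 + size]
        off += 60 + size + (size & 1)  # members are 2-byte aligned


def maintainer_scripts(deb):
    """Return {name: text} for the maintainer scripts found inside control.tar.*"""
    scripts = {}
    for name, data in ar_members(deb):
        if not name.startswith("control.tar"):
            continue
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
            for member in tar.getmembers():
                base = member.name.split("/")[-1]
                if member.isfile() and base in MAINTAINER_SCRIPTS:
                    scripts[base] = tar.extractfile(member).read().decode("utf-8", "replace")
    return scripts


def audit_deb(deb):
    """Return (script, line_no, reason, line) for every suspicious maintainer-script line."""
    findings = []
    for script, text in maintainer_scripts(deb).items():
        for line_no, line in enumerate(text.splitlines(), 1):
            for pattern, reason in SUSPICIOUS:
                if pattern.search(line):
                    findings.append((script, line_no, reason, line.strip()))
    return findings


# --- helpers that build a tiny .deb in memory so the example runs offline ---

def _ar_member(name, data):
    hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode("ascii")
    return hdr + data + (b"\n" if len(data) % 2 else b"")


def _tar_gz(files):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo("./" + name)
            info.size, info.mode = len(content), 0o755
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_sample_deb(postinst):
    """Assemble a minimal, constructed .deb: debian-binary + control.tar.gz + data.tar.gz."""
    control = _tar_gz({
        "control": b"Package: fdm\nVersion: 0.0\nArchitecture: amd64\nMaintainer: n/a\nDescription: sample\n",
        "postinst": postinst.encode(),
    })
    data = _tar_gz({"usr/bin/fdm": b"#!/bin/sh\n"})
    return (b"!<arch>\n" + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", control) + _ar_member("data.tar.gz", data))


# Constructed maintainer scripts: one benign, one in the style of a dropper.
CLEAN_POSTINST = "#!/bin/sh\nset -e\nupdate-desktop-database || true\nexit 0\n"
DROPPER_POSTINST = ("#!/bin/sh\nset -e\ncp /opt/fdm/.svc /var/tmp/svc\nchmod +x /var/tmp/svc\n"
                    "nohup /var/tmp/svc >/dev/null 2>&1 &\nexit 0\n")

if __name__ == "__main__":
    for label, body in (("clean", CLEAN_POSTINST), ("dropper", DROPPER_POSTINST)):
        print(label)
        for f in audit_deb(build_sample_deb(body)) or [("-", 0, "nothing suspicious", "")]:
            print("  %s:%d %s: %s" % f)
```

On a real package, read the file from disk and pass its bytes to audit_deb. The check is deliberately a pre-install triage step, not a verdict: a clean postinst says nothing about the binaries in data.tar.*, so pair it with a hash or signature check against what the vendor publishes.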
What Happens Next?
Once the counterfeit FDM package has been installed, the malware starts a backdoor that uses DNS for its command-and-control traffic and then deploys a Bash-based stealer. The stealer collects sensitive data from the victim's machine and sends it to the attackers. Because the backdoor talks over DNS, it keeps working on hosts where outbound web traffic is filtered but resolver traffic is not, which is why resolver logs are the first place to look for it.
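A backdoor that uses DNS for command and control leaves its tracks in resolver logs rather than in proxy logs. The script below is an added detection example written for this article, not code from Kaspersky or FDM. It runs two checks over resolver query records: a hit on the attacker domain named in the incident (fdmpkg[.]org, undefanged in the code because it is only a string match), and a heuristic for TXT queries whose leftmost label is a long hex string, which is how a client identifier tends to get smuggled into a DNS name. The log lines, their format and the heuristic threshold are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Domain named in the incident as the attacker's package server; any query under it is an indicator.
BLOCKLISTED_DOMAINS = {"fdmpkg.org"}
# Heuristic (an assumption for this example): a TXT query whose leftmost label is a long hex
# string looks like a host identifier being sent to a resolver-based C2, not a real SPF/DMARC lookup.
HEX_LABEL = re.compile(r"^[0-9a-f]{32,}$")

# Constructed resolver log in the shape "<timestamp> <client> <qtype> <qname>"; not real telemetry.
SAMPLE_LOG = """\
2023-09-12T10:01:02Z 10.0.0.17 A www.debian.org
2023-09-12T10:01:07Z 10.0.0.17 TXT _dmarc.example.com
2023-09-12T10:01:09Z 10.0.0.23 TXT 3f9a1c0e7b2d5a8f4c6e9b1d0a3f7c2e5b8d1a4f.fdmpkg.org
2023-09-12T10:02:11Z 10.0.0.23 TXT 9b1d0a3f7c2e5b8d1a4f3f9a1c0e7b2d5a8f4c6e.fdmpkg.org
2023-09-12T10:02:15Z 10.0.0.31 TXT 7c2e5b8d1a4f3f9a1c0e7b2d5a8f4c6e9b1d0a3f.updates.example.net
2023-09-12T10:03:00Z 10.0.0.17 AAAA deb.debian.org
"""


def parse_line(line):
    """Split one constructed log record; normalise the name so suffix matching is reliable."""
    ts, client, qtype, qname = line.split()
    return ts, client, qtype.upper(), qname.rstrip(".").lower()


def in_blocklist(qname, domains=BLOCKLISTED_DOMAINS):
    return any(qname == d or qname.endswith("." + d) for d in domains)


def suspicious_txt(qtype, qname):
    return qtype == "TXT" and bool(HEX_LABEL.match(qname.split(".")[0]))


def analyze(log_text):
    """Return one alert per matching query: {'ts', 'client', 'qname', 'reasons'}."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname = parse_line(line)
        reasons = []
        if in_blocklist(qname):
            reasons.append("query under blocklisted domain")
        if suspicious_txt(qtype, qname):
            reasons.append("TXT query with long hex leftmost label")
        if reasons:
            alerts.append({"ts": ts, "client": client, "qname": qname, "reasons": reasons})
    return alerts


def hosts_to_triage(alerts):
    """Group alerts by client so the responder sees which machines need a look."""
    by_client = defaultdict(list)
    for alert in alerts:
        by_client[alert["client"]].append(alert["qname"])
    return dict(by_client)


if __name__ == "__main__":
    for client, names in sorted(hosts_to_triage(analyze(SAMPLE_LOG)).items()):
        print(client, "->", ", ".join(names))
```

The blocklist check is only useful in hindsight; the hex-label heuristic is what catches the same technique under a domain nobody has published yet, at the cost of tuning it against legitimate TXT lookups (DKIM selectors, verification tokens) in your own environment.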
Action Taken by FDM:
The discovery prompted the FDM developers to act quickly so that no further users would be affected. In their statement the company wrote:
“Upon the discovery, we initiated a thorough investigation. We’re reinforcing our defences and implementing additional measures to prevent such vulnerabilities in the future.”
The company said it went back to website backups from 2020 and found the modified page. The injected code offered visitors a choice between the legitimate download link and a ‘mirror’ link; the mirror redirected to the attacker-controlled server deb[.]fdmpkg[.]org, which hosted the malicious .deb file.
The injected code also carried an ‘exception list’ of IP addresses from various subnets, including ranges associated with Bing and Google. Visitors from those addresses always received the legitimate download link, presumably so that search-engine crawlers and scanners would only ever see a clean page. It also means that any monitoring done from a single, allow-listed vantage point would have missed the redirect.
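An IP exception list defeats any integrity monitor that fetches the download page from one fixed address. The script below is an added example for this article, not FDM's tooling: it takes snapshots of the same download page as fetched from different source addresses, extracts every package link from each, and reports links that appear in some snapshots but not others as well as links that leave the vendor's own hosts. The page URL, the vendor hostnames and the two HTML snapshots are constructed; the mirror host is the one named in the incident.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

PACKAGE_SUFFIXES = (".deb", ".rpm", ".tar.gz", ".tar.xz", ".AppImage")


class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag on a page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for key, value in attrs:
                if key == "href" and value:
                    self.hrefs.append(value)


def package_links(html, page_url):
    """Absolute URLs of every package download link on the page."""
    parser = LinkCollector()
    parser.feed(html)
    links = set()
    for href in parser.hrefs:
        url = urljoin(page_url, href)
        if urlparse(url).path.endswith(PACKAGE_SUFFIXES):
            links.add(url)
    return links


def compare_vantages(snapshots, page_url, vendor_hosts):
    """snapshots: {vantage_name: html}. Report links that differ between vantages or leave vendor hosts."""
    per_vantage = {name: package_links(html, page_url) for name, html in snapshots.items()}
    union = set().union(*per_vantage.values())
    common = set.intersection(*per_vantage.values()) if per_vantage else set()
    return {
        "per_vantage": per_vantage,
        "cloaked": union - common,  # served to some source addresses but not others
        "off_vendor": {u for u in union if urlparse(u).hostname not in vendor_hosts},
    }


# Constructed snapshots of one download page fetched from two source addresses (assumed names/hosts).
PAGE_URL = "https://example-vendor.org/download/linux"
VENDOR_HOSTS = {"example-vendor.org", "files.example-vendor.org"}
SNAPSHOTS = {
    # What a crawler or scanner on an allow-listed address sees: only the real link.
    "allowlisted-ip": """
      <h1>Download</h1>
      <a href="/files/fdm_6.0_amd64.deb">Download .deb</a>
    """,
    # What an ordinary visitor sees: the real link plus a "mirror" pointing elsewhere.
    "regular-ip": """
      <h1>Download</h1>
      <a href="/files/fdm_6.0_amd64.deb">Download .deb</a>
      <a href="https://deb.fdmpkg.org/fdm.deb">Mirror (faster)</a>
    """,
}

if __name__ == "__main__":
    report = compare_vantages(SNAPSHOTS, PAGE_URL, VENDOR_HOSTS)
    for name, links in report["per_vantage"].items():
        print(name, sorted(links))
    print("cloaked:", sorted(report["cloaked"]))
    print("off-vendor:", sorted(report["off_vendor"]))
```

In practice the snapshots come from fetching the page through a cloud host, a residential or VPN egress and, if you are the vendor, from inside your own network; the point of the comparison is that a difference between vantages is itself the finding, even before anyone looks at where the extra link goes.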
Remediation by FDM:
The FDM developers have given a few remediation steps:
- Users who downloaded FDM for Linux within the 2020-2022 window should scan their machines for the malware and, as a precaution, change their passwords.
- For the scan, the company has published a script, linux_malware_check.sh, for users to download.
- After downloading the script, make it executable: chmod +x linux_malware_check.sh
- Then run it: ./linux_malware_check.sh
- As with any shell script fetched from the web, read it before running it; it will execute with your privileges on a machine you already suspect.
The developers apologized to their users:
“We’re truly sorry about what happened, and we again ask our users who downloaded FDM for Linux within 2020-2022 to check their computers for malware. Also, we want to reassure all our Windows and Mac users that for them our website has been safe.”
The company stressed that the script only reports whether the threat described above is present on the machine; it does not remove it. If the script does find the malware, the company recommends a clean reinstall of the system. That is the right call for a host that has been backdoored: credentials and other data stored on it should be treated as already stolen, which is why the password change above matters.
Please let us know your thoughts in the comments section.