Ukrainian Hacker Suspected to be Behind "Free Download Manager" Malware Attack
21.9.23 Virus The Hacker News
The maintainers of Free Download Manager (FDM) have acknowledged a security incident dating back to 2020 that led to its website being used to distribute malicious Linux software.
"It appears that a specific web page on our site was compromised by a Ukrainian hacker group, exploiting it to distribute malicious software," it said in an alert last week. "Only a small subset of users, specifically those who attempted to download FDM for Linux between 2020 and 2022, were potentially exposed."
FDM estimated that less than 0.1% of its visitors encountered the issue, adding that this may have been why the problem went undetected until now.
The disclosure comes as Kaspersky revealed that the project's website was infiltrated at some point in 2020 to redirect select Linux users who attempted to download the software to a malicious site hosting a Debian package.
The package was further configured to deploy a DNS-based backdoor and ultimately serve a Bash stealer malware capable of harvesting sensitive data from compromised systems.
FDM said its investigation uncovered a vulnerability in a script on its site that the hackers exploited to tamper with the download page and lead the site visitors to the fake domain deb.fdmpkg[.]org hosting the malicious .deb file.
"It had an «exception list» of IP addresses from various subnets, including those associated with Bing and Google," FDM said. "Visitors from these IP addresses were always given the correct download link."
"Intriguingly, this vulnerability was unknowingly resolved during a routine site update in 2022," it further noted.
FDM has also released a shell script for users to check for the presence of malware in their systems.
But it's worth pointing out that the scanner script does not remove the malware. Users who find the backdoor and the information stealer in their machines are required to reinstall the system.
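For defenders who want to check whether any host reached the fake download domain named above, the following added example (not FDM's scanner script and not code from the original article) refangs the indicator and matches it as a whole hostname in text logs. The function names, the log formats, the `x.` subdomain and all sample lines are constructed assumptions.

```shell
#!/bin/sh
# Added example: hunt text logs for the fake download host named in the article.
IOC='deb.fdmpkg[.]org'        # defanged indicator exactly as the article writes it

# refang: turn "[.]" back into "." so the value can be compared with log data
refang() { printf '%s\n' "$1" | sed 's/\[\.]/./g'; }

# hunt_domain DOMAIN FILE...
# Prints "file:line:host" for every hostname equal to DOMAIN or a subdomain of it.
# Whole-token comparison keeps lookalikes such as "<domain>.example.net" or
# "not<domain>" out of the results, which a plain substring grep would report.
hunt_domain() {
    domain=$(refang "$1" | tr 'A-Z' 'a-z')
    shift
    awk -v d="$domain" '
    {
        n = split(tolower($0), tok, /[^a-z0-9._-]+/)   # candidate hostname tokens
        for (i = 1; i <= n; i++) {
            h = tok[i]
            sub(/\.$/, "", h)                          # drop a trailing root dot
            if (h == d || (length(h) > length(d) &&
                substr(h, length(h) - length(d)) == ("." d)))
                printf "%s:%d:%s\n", FILENAME, FNR, h
        }
    }' "$@"
}

# sample_log: constructed dnsmasq-style and proxy-style lines (not real telemetry)
sample_log() {
    d=$(refang "$IOC")
    cat <<EOF
Sep 12 10:01:02 dnsmasq[411]: query[A] $d from 10.0.0.23
Sep 12 10:01:09 dnsmasq[411]: query[A] www.example.org from 10.0.0.23
Sep 12 10:02:10 dnsmasq[411]: query[A] $d.example.net from 10.0.0.40
1694512931.120 10.0.0.31 TCP_MISS/200 GET http://$d/constructed/path.deb
Sep 12 10:03:00 dnsmasq[411]: query[A] x.$d. from 10.0.0.52
Sep 12 10:03:30 dnsmasq[411]: query[A] not$d from 10.0.0.52
EOF
}

# Demo run on the constructed sample; expect hits on lines 1, 4 and 5 only
f=$(mktemp) && sample_log > "$f" && hunt_domain "$IOC" "$f"
rm -f "$f"
```

A hit only shows that a host resolved or requested the domain; it does not by itself show that the package was installed.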