
The developers of Free Download Manager (FDM) have published a script to check if a Linux device was infected through a recently reported supply chain attack.

Free Download Manager is a popular cross-platform download manager that offers torrenting, proxying, and online video downloads through a user-friendly interface.

Last week, Kaspersky revealed that the project's website was compromised at some point in 2020, redirecting a portion of Linux users who attempted to download the software to a malicious site.

This site dropped a trojanized FDM installer for Linux that installed a Bash information stealer and a backdoor that opened a reverse shell to the attacker's server.

Even though many users reported peculiar behavior after installing the malicious installer, the infection remained undetected for three years until Kaspersky's report was published.

Free Download Manager's response

With the matter gaining attention, FDM investigated and discovered that Kaspersky's and others' reports about the compromise of their site had been ignored due to an error in their contact system.

"It appears that a specific web page on our site was compromised by a Ukrainian hacker group, exploiting it to distribute malicious software," explained the security announcement on FDM's site.

"Only a small subset of users, specifically those who attempted to download FDM for Linux between 2020 and 2022, were potentially exposed."

"Intriguingly, this vulnerability was unknowingly resolved during a routine site update in 2022."

The developers say that the site was breached through a website vulnerability, allowing the attackers to introduce malicious code that changed the download page for a small percentage of visitors.

Today, FDM released a script that will scan Linux computers to check if they were infected with the info-stealer malware from this campaign.

The script is available from here, and running it is a two-step process from a terminal:

chmod +x linux_malware_check.sh
./linux_malware_check.sh

Users should note that the scanner script only identifies whether the malware is installed, by looking for the presence of certain files on the system; it does not remove them.

Hence, if the scanner finds anything, users must manually remove the malware or use additional security tools to locate and remove the malware files.

FDM's recommended action is to reinstall the system.
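The check described above is a presence test: the script looks for known files and reports, without deleting anything. The following is an added example, not FDM's script, of how such a read-only indicator check is typically written in POSIX shell. The indicator paths it ships with are placeholders (an assumption, since this page does not list the actual file names); a practitioner would substitute the paths published by the vendor or their incident-response team.

```shell
#!/bin/sh
# Added example (not FDM's linux_malware_check.sh): report whether any of a
# list of indicator paths exists on this host. The check is read-only: it
# never deletes or modifies anything, so evidence is preserved for triage.

# Check every path passed as an argument and print each one that exists.
# Returns 0 when nothing was found, 1 when at least one indicator is present.
check_indicators() {
    found=0
    for p in "$@"; do
        if [ -e "$p" ]; then
            printf 'FOUND: %s\n' "$p"
            found=1
        fi
    done
    return "$found"
}

# Placeholder indicator list. ASSUMPTION: these are not real IoCs from the
# campaign; replace them with the paths published by the vendor.
PLACEHOLDER_INDICATORS="/tmp/PLACEHOLDER_indicator_a /tmp/PLACEHOLDER_indicator_b"

main() {
    # Intentional word splitting: the list is a space-separated set of paths.
    # shellcheck disable=SC2086
    if check_indicators $PLACEHOLDER_INDICATORS; then
        echo "No indicators found."
    else
        echo "Indicators found. Preserve them for investigation; the vendor's advice is to reinstall the system."
        return 1
    fi
}

main
```

Because `check_indicators` returns a distinct exit status, it can be dropped into a fleet-wide job (for example a configuration-management task or a cron job) and the non-zero result collected centrally, which is how a defender turns a one-off vendor script into ongoing detection.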
