# EvilGnome: Rare Malware Spying on Linux Desktop Users

**[intezer.com/blog-evilgnome-rare-malware-spying-on-linux-desktop-users/](https://www.intezer.com/blog-evilgnome-rare-malware-spying-on-linux-desktop-users/)**

July 17, 2019

Written by Paul Litvak - 17 July 2019

## Get Free Account

Join Now

## Top Blogs

**[Elephant Framework Delivered in Phishing Attacks Against Ukrainian Organizations](https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs/)**

A recently developed malware framework called Elephant is being delivered in targeted
spear phishing campaigns... [Read more](https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs/)

**[TeamTNT Cryptomining Explosion 🧨](https://www.intezer.com/blog/malware-analysis/teamtnt-cryptomining-explosion/)**

This post was originally published as a white paper in September 2021. Get the full... Read
more

**[Beyond Files: Automate URL Analysis with Intezer Analyze](https://www.intezer.com/blog/product-updates/automatically-scan-urls-and-analyze-malware/)**


-----

As part of our ongoing effort to allow you to investigate any security incident, we... Read
more

**Introduction**

Linux desktop remains an unpopular choice among mainstream desktop users, making up a
little more than [2% of the desktop operating system market share. This is in contrast to the](https://netmarketshare.com/operating-system-market-share.aspx?options=%7B%22filter%22%3A%7B%22%24and%22%3A%5B%7B%22deviceType%22%3A%7B%22%24in%22%3A%5B%22Desktop%2Flaptop%22%5D%7D%7D%5D%7D%2C%22dateLabel%22%3A%22Trend%22%2C%22attributes%22%3A%22share%22%2C%22group%22%3A%22platform%22%2C%22sort%22%3A%7B%22share%22%3A-1%7D%2C%22id%22%3A%22platformsDesktop%22%2C%22dateInterval%22%3A%22Monthly%22%2C%22dateStart%22%3A%222018-07%22%2C%22dateEnd%22%3A%222019-06%22%2C%22segments%22%3A%22-1000%22%7D)
[web server market share, which consists of 70% of Linux-based operating systems.](https://w3techs.com/technologies/overview/operating_system/all)
Consequently, the Linux malware ecosystem is plagued by financial driven crypto-miners
and DDoS botnet tools which mostly target vulnerable servers.

This explains our surprise when in the beginning of July, we discovered a new, fully
undetected Linux backdoor implant, containing rarely seen functionalities with regards to
Linux malware, targeting desktop users.

Throughout our investigation, we have found evidence that shows operational
similarities between this implant and Gamaredon Group. We have investigated this
connection and in this blog we will present a technical analysis of the tool.

We have named the implant EvilGnome,for its disguise as a Gnome extension. The
malware is currently fully undetected across all major security solutions:

Figure 1: VirusTotal detections of an EvilGnome sample

We believe this is a test version that was uploaded to VirusTotal, perhaps by mistake. The
implant contains an unfinished keylogger functionality, comments, symbol names and
compilation metadata which typically do not appear in production versions. EvilGnome’s
functionalities include desktop screenshots, file stealing, allowing capturing audio recording
from the user’s microphone and the ability to download and execute further modules.

**Gamaredon Group Connection**

[Gamaredon Group is an alleged Russian threat group. It has been active since at least](https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution/)
2013, and has targeted individuals likely involved with the Ukrainian government.
Gamaredon Group infects victims using malicious attachments, delivered via
spear phishing techniques. The group’s implants are characterized by the employment of
information stealing tools—among them being screenshot and document stealers delivered
via a SFX, and made to achieve persistence through a scheduled task. Gamaredon Group
primarily makes use of Russian hosting providers in order to distribute its malware.


-----

Our investigation into EvilGnome yielded several similarities between the threat actors
behind EvilGnome and Gamaredon Group:

**Hosting Similarities**

The operators of EvilGnome use a hosting provider that has been used by Gamaredon
Group for years, and continues to be used by the group.

More specifically, EvilGnome’s C2 IP address (195.62.52.101) was resolved two months
ago by the domains gamework.ddns.net and workan.ddns.net, [associated with the](https://x.threatbook.cn/nodev4/vb4/article?threatInfoID=1417)
Gamaredon Group:

Figure 2: RiskIQ EvilGnome C2 IP query

[We used RiskIQ to map the history of the gamework.ddns.net domain:](https://community.riskiq.com/search/gamework.ddns.net)

Figure 3: gamework.ddns.net DNS timeline

The finding shows that EvilGnome operates on an IP address that was controlled by the
Gamaredon group two months ago.

**Infrastructure Similarities**


-----

While investigating the EvilGnome C2, we observed that it served SSH over port 3436.

We then checked for the 3436 port over three currently operating Gamaredon Group C2
servers, and found one server with this port open, serving SSH:

Figure 4: SSH served on port 3436 both on EvilGnome C2 and Gamaredon’s rnboua.ddns.net

We proceeded to scan for this network fingerprint under EvilGnome’s host provider and we
identified two additional servers with domain names similar to the naming pattern of
Gamaredon domains (the use of the .space TTLD and ddns):

[185.158.115.44 -> kotl.space](https://community.riskiq.com/search/kotl.space)
185.158.115.154 -> [clsass.ddns.net](https://community.riskiq.com/search/clsass.ddns.net)

**Tool Similarities**

Gamaredon Group does not use any known Linux implants. It is difficult to make
comparisons between tools built for different operating systems because they are
developed with different challenges and objectives in mind. We can, however, observe
similarities at a high-level. The techniques and modules employed by EvilGnome—that is
the use of SFX, persistence with task scheduler and the deployment of information stealing
tools—remind us of Gamaredon Group’s Windows tools. We present a thorough analysis of
EvilGnome in the following section.

**Technical Analysis**

**Deployment with Makeself SFX**

This implant is delivered in the form of a self-extracting archive shell script created with
[makeself:](https://github.com/megastep/makeself)


-----

[makeself.sh is a small shell script that generates a self-extractable compressed tar](https://makeself.io/)
archive from a directory. The resulting file appears as a shell script (many of those
have a .run suffix), and can be launched as is. The archive will then uncompress itself
to a temporary directory and an optional arbitrary command will be executed (for
example an installation script). This is pretty similar to archives generated with WinZip
Self-Extractor in the Windows world.”

Interestingly, the tool’s operator did not omit metadata from the generated makeself SFX.
The packaging date, development paths and the tool’s filename were all left exposed. We
can observe that the sample is very recent, created on Thursday, July 4:

Figure 5: Makeself packaging metadata and the archived files’ metadata

As can be observed in the illustration above, the makeself script is instructed to run
_./setup.sh after unpacking._

Using makeself’s options, we are able to instruct the script to unpack itself without
executing:

Figure 6: Unpacking Makeself

The archive contains four files:

1 gnome-shell-ext – the spy agent executable


-----

2. gnome-shell-ext.sh – checks if gnome-shell-ext is already running and if not,

executes it
3. rtp.dat– configuration file for gnome-shell-ext
4. setup.sh – the setup script that is run by makeself after unpacking

The setup script installs the agent to ~/.cache/gnome-software/gnome-shell**extensions/, in an attempt to masquerade itself as a Gnome shell extension. Gnome shell**
extensions allow tweaking the Gnome desktop and add functionalities. They are the
desktop equivalent to browser extensions.

Persistence is achieved by registering gnome-shell-ext.sh to run every minute in crontab.

Finally, the script executes gnome-shell-ext.sh, which in turn launches the main executable
_gnome-shell-ext:_

Figure 7: setup.sh

**The Spy Agent**

Analyzing the agent with Intezer Analyze demonstrated to us that the code was never seen
before by the system:

Figure 8: [Intezer Analyze report of the Spy Agent sample](https://analyze.intezer.com/#/analyses/8db39fae-8f82-42b2-9816-b353a7dbb16b)

This large amount of unique genes located within this file is not a trend we regularly see in
Linux files and therefore it seems suspicious.


-----

The Spy Agent was built in C++, using classes with an object oriented structure. The binary
was not stripped, which allowed us to read symbols and understand the developer’s
intentions.

At launch, the agent forks to run in a new process. The agent then reads the
_rtp.dat configuration file and loads it directly into memory:_

Figure 9: Loading configuration from rtp.dat

We marked interesting fields within the configuration file:

Figure 10: Configuration dissection

The first four bytes are a hexadecimal representation of the C2’s IP address:

0x65343ec3 -> 0xc3.0x3e.0x34.0x65 -> 195.62.52.101

**Modules**

The spy agent contains five modules called “Shooters”:


-----

Figure 11: “Shooter” modules

**ShooterSound – captures audio from the user’s microphone and uploads to C2**

**ShooterImage – captures screenshots and uploads to C2**

**ShooterFile – scans the file system for newly created files and uploads them to C2**

**ShooterPing – receives new commands from C2**

**ShooterKey – unimplemented and unused, most likely an unfinished keylogging module**

Each module is run in a separate thread, and access to shared resources (such as the
configuration) is safeguarded by mutexes.

The modules encrypt their output and decrypt data from the C2 with RC5 with the key
“sdg62_AS.sa$die3”, using a modified version of a Russian open source library
[https://webhamster.ru/site/page/index/articles/projectcode/157:](https://webhamster.ru/site/page/index/articles/projectcode/157)

Figure 12: RC5 library

On connection failure, or if instructed by the C2, these modules store their output at
**~/.cache/gnome-software/gnome-shell-extensions/tmp/:**


-----

Figure 13: Stored files

We will now dive into each of the five modules and their options:

**ShooterPing**

The ShooterPing module processes commands received from the C2:

Figure 14: C2 commands

These include:

Download & execute new files
Set new filters for file scanning
Download & set new runtime configuration
Exfiltrate stored output to C2
Stop the shooter modules from running

The other modules run at a constant interval between each run, as defined by one of the
configuration parameters. The C2 is able to control this interval via downloading new
parameters through ShooterPing.

**ShooterFile**

The ShooterFile module uses a filter list to scan the filesystem, while ignoring specific files
and folders as shown in the following illustration:


-----

Figure 15: File scanning filter

We can see from the filter_accepted_files list that the agent’s purpose is to steal document
related files. However, the list is not used by the malware and further indicates that this is a
work in progress.

**ShooterAudio**

Figure 16: Capturing audio with PulseAudio

The ShooterAudio module uses PulseAudio to capture audio from the user’s microphone.


-----

Using default configuration from rtp.dat, the module records only a size of 80,000 bytes of
audio per iteration. Consequently, the module only records audio for a brief moment,
making this module non-functional until a larger recording size is set by the C2.

**ShooterImage**

This module opens a connection to the XOrg Display Server, which is the backend to the
Gnome desktop. It uses the Cairo open source library to take screenshots of the user’s
desktop.

Figure 17: Screenshot capturing using XOrg Server

**Prevention and Response**

We recommend to Linux users who want to check whether they are infected to check the
“~/.cache/gnome-software/gnome-shell-extensions” directory for the “gnome-shell-ext”
[executable. We have also created a customYARA rule, based on code reuse technology, for](https://github.com/intezer/yara-rules/blob/master/EvilGnome.yar)
detecting future variants of EvilGnome.

**Conclusion**

EvilGnome is a rare type of malware due to its appetite for Linux desktop users. Throughout
this post, we have presented detailed infrastructure-related evidence to connect EvilGnome
to the actors behind the Gamaredon Group. We believe this is a premature test version. We
anticipate newer versions to be discovered and reviewed in the future, which could
potentially shed more light into the group’s operations.

**Genetic Analysis**

The EvilGnome malware variant is now indexed in Intezer’s genetic database. If you have a
suspicious file that you suspect to be EvilGnome, you can upload it to Intezer Analyze in
order to detect code reuse to this threat family and many others. You are welcome totry it


-----

for free in our community edition.

[Figure 18: Intezer Analyze report of the Spy Agent sample](https://analyze.intezer.com/#/analyses/eeec2273-82ac-4190-b434-8ffb304deeef)

**IOCs**

**EvilGnome:**

a21acbe7ee77c721f1adc76e7a7799c936e74348d32b4c38f3bf6357ed7e8032

82b69954410c83315dfe769eed4b6cfc7d11f0f62e26ff546542e35dcd7106b7

7ffab36b2fa68d0708c82f01a70c8d10614ca742d838b69007f5104337a4b869

195.62.52[.]101

**Gamaredon Group:**

185.158.115[.]44

185.158.115[.]154

clsass.ddns[.]net

kotl[.]space

**Paul Litvak**
Paul is a malware analyst and reverse engineer at Intezer. He previously served as a
developer in the Israel Defense Force (IDF) Intelligence Corps for three years.


-----