Hello and welcome to the Thursday, September 14, 2023 edition of the Sansonet Storm Center's Stormcast. My name is Johannes Ulrich and today I'm recording from Jacksonville, Florida.

Let's start today with a blog post by Kaspersky that hasn't really gotten a lot of attention, but I think should probably get a little bit more

attention, and that's a malicious free download manager for Linux that apparently has infected

a good number of victims and has been available for download for the last three years. This software free download manager is usually

distributed via a website free download manager.org and currently the website does distribute

what appears to be a non-backdored version. But according to Kaspersky's post, it appears that in the

past, sometimes when you clicked on the download button, you were redirected to the malicious

version of this software, which was hosted on FDMPKG.org. It is, of course, difficult to figure out that this only sometimes happens and happened

only in the past.

What helped Kaspersky here is that there are tutorial videos on YouTube that show how

to install this free download manager on your system,

and the screen recordings in these tutorial videos actually show the redirection

to the malicious version after first clicking on the download button

on the legitimate free download manager.org website.

The malware does include the legitimate software, but as part of the install scripts that come

with the Debian package.

There's also a DNS-based backdoor and the Bash Steeler being installed.

The Bash Steeler is trying to get a hold of passwords, crypto wallets and such, and then

exfiltrating them. All of this takes crown jobs to run and actually one thing that Kasperski

observed is that users then often complain about some issues that show up because of these

ground jobs like difficulties

shutting down the system. So if you're suspecting that you're affected by this particular

...