EvilGnome, A New Backdoor Implant Spies On Linux Desktop Users


According to one piece of research, malware activity increased 61% from December 2018 to January 2019. Spyware, a type of malware that is hard to detect, is no exception. Because most businesses are already data-driven, CIOs in every industry need to take cybersecurity more seriously: the spyware threat keeps growing, is becoming more sophisticated, and is a real danger in today's world.

Matters got worse when security researchers recently found a rare piece of Linux spyware that went undetected by all antivirus security products and that includes functionality rarely seen in most Linux malware. Discovered in July 2019, this new Linux malware masquerades as a Gnome shell extension and is designed to spy on unsuspecting Linux desktop users.

The backdoor implant dubbed EvilGnome is currently not detected by any of the anti-malware engines and has been designed to take desktop screenshots, steal files, capture audio recordings from a user's microphone and download and run the second phase of a malicious module.

According to the researchers, the implant is delivered as a self-extracting archive shell script created with 'makeself', a small shell script that generates a self-extractable compressed tar archive from a directory.

The malware comes with five modules called "Shooters", each of them designed to run in a separate thread as described below:

  1. ShooterSound

This module uses PulseAudio to capture audio from the user's microphone and upload data to the operator's command-and-control server.

  2. ShooterImage

This module uses the open source Cairo library to capture screenshots and upload them to the C&C servers. This is done by opening a connection to the XOrg Display Server, which is the backend of the Gnome desktop.

  3. ShooterFile

This module uses a list of filters to scan the file system for newly created files and upload them to the C&C servers.

  4. ShooterPing

This module accepts new commands from the C&C servers, such as downloading and executing new files, setting new filters for file scanning, downloading and setting new runtime configuration, exfiltrating stored output to the C&C servers, and stopping the shooter modules from running.

  5. ShooterKey

This module is not implemented and is not used; it is most likely an unfinished keylogging module.


All of the modules above encrypt their output data and decrypt commands received from the C&C servers with RC5, using the key "sdg62_AS.sa$die3" and a modified version of a Russian open source library.

Moreover, the researchers also found a connection between EvilGnome and Gamaredon Group, which is considered to be a Russian threat group that has been active since at least 2013 and targets individuals who work with the Ukrainian government. The similarities between EvilGnome and Gamaredon Group are listed below:

  • EvilGnome uses a hosting provider that has been used by the Gamaredon Group for years and continues to be used by it.
  • EvilGnome was also found operating at an IP address controlled by the Gamaredon Group two months ago.
  • The EvilGnome attacker also uses the '.spation' TLD for their domain, as does the Gamaredon Group.
  • EvilGnome uses techniques and modules, such as the use of SFX, persistence with task schedulers, and the deployment of information-stealing tools, that are reminiscent of the Gamaredon Group's Windows tools.

As EvilGnome malware is undetectable by security and antivirus products, you can check whether your Linux system is infected with EvilGnome by searching for the "gnome-shellext" executable in the "~/.cache/gnome-software/gnome-shell-extensions" directory. The researchers also recommend that concerned Linux administrators block the Command & Control IP address listed in the IoC section of the Intezer blog post.
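The check described above, extended to every account's home directory, as an added example that is not code from this article or from the researchers. The function names and the `--scan` switch are made up for this sketch; only the directory and file name come from the article.

```sh
#!/bin/sh
# Added example: checks for the indicator the article names. Not code from
# the article or from the researchers it cites.
REL_DIR=".cache/gnome-software/gnome-shell-extensions"   # path from the article
IOC_NAME="gnome-shellext"                                # file name from the article

# list_homes: home directory of every account (assumes getent or /etc/passwd).
list_homes() {
    { getent passwd 2>/dev/null || cat /etc/passwd; } | cut -d: -f6 | sort -u
}

# check_home HOME: print "<state><TAB><path>" and return 0 when the indicator
# file exists under HOME, return 1 otherwise. state is "executable" (what the
# article describes) or "present" (same name, but no execute bit or not a
# regular file, which still deserves a look).
check_home() {
    f="$1/$REL_DIR/$IOC_NAME"
    if [ -e "$f" ] || [ -L "$f" ]; then
        if [ -f "$f" ] && [ -x "$f" ]; then state=executable; else state=present; fi
        printf '%s\t%s\n' "$state" "$f"
        return 0
    fi
    return 1
}

# scan_homes [HOME...]: check the given homes, or every account's home when
# called without arguments (run as root to read other users' homes).
# Prints one line per hit and returns 0 if there was at least one.
scan_homes() {
    if [ "$#" -gt 0 ]; then
        hits=$(for h in "$@"; do check_home "$h" || true; done)
    else
        hits=$(list_homes | while IFS= read -r h; do check_home "$h" || true; done)
    fi
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# Full scan only on request, e.g. `sh check.sh --scan` (file name is arbitrary).
if [ "${1:-}" = "--scan" ]; then
    if scan_homes; then
        echo "Indicator found: isolate the host and review the paths above."
    else
        echo "No $IOC_NAME indicator found in any home directory."
    fi
fi
```

A clean result only means this one file is absent from the expected location; it does not replace blocking the C&C address from the IoC list.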

With new cyber threats emerging every day, it is crucial for businesses to define and understand the kinds of threats they face and to be prepared at all times to address them. By sharing this article, DNS, as a trusted IT security partner in Indonesia, hopes that our readers stay aware of the security of their IT environment and are always prepared for any threats they might face, so as to avoid losses.