EvilGnome Spyware Targets Linux Users

All Linux workstation users are at risk from a new backdoor threat, known as EvilGnome, which implants spying software capable of recording your screen, keyboard and mouse clicks. Reports are also debating whether this parasite is able to steal actual files from the PC without user interaction or warning, or even has the ability to distribute other malware – this makes the threat a much higher priority than other types of vulnerability.

There is no known patch for EvilGnome as yet, but industry experts recommend updating your Linux antivirus and patching to the latest version – something Windows users are all too familiar with.

EvilGnome Spyware Modules

The Spy Agent of EvilGnome contains five malicious modules called “Shooters,” as explained below:

  • ShooterSound — this module uses PulseAudio to capture audio from the user’s microphone and uploads the data to the operator’s command-and-control (C&C) server.
  • ShooterImage — this module uses the Cairo open source library to capture screenshots and uploads them to the C&C server. It does so by opening a connection to the XOrg Display Server, which is the backend of the Gnome desktop.
  • ShooterFile — this module uses a filter list to scan the file system for newly created files and uploads them to the C&C server.
  • ShooterPing — this module receives new commands from the C&C server, such as downloading and executing new files, setting new filters for file scanning, downloading and applying a new runtime configuration, exfiltrating stored output to the C&C server, and stopping any shooter module from running.
  • ShooterKey — this module is unimplemented and unused; it is most likely an unfinished keylogging module.

Patching Linux OS with Syxsense

Syxsense offers predictive Linux patching. Via the discovery process, all Linux devices can be detected and inventoried. Our Patch Manager displays the missing packages just like the scripts above, but we include additional information that is important to IT managers, such as the description, the vendor severity and the independent CVSS score, which we understand to be the cutting edge of vulnerability severity assessment.

Identifying zero-day updates is made easy by the color coding of the interface, and the scheduler used to deploy the updated packages allows flexible timing and reboot behavior to be set with ease. Enable your Linux administrators to use their resources more efficiently by allowing them to automate and report on the patching of your Linux environment.