Kaspersky has uncovered a malicious campaign in which an installer of the Free Download Manager software was employed to disseminate a Linux backdoor for at least three years.

Researchers discovered that victims were infected when they downloaded the software from the official website, indicating that this is a possible supply chain attack. Variants of the malware used in this campaign were first identified in 2013. Victims are based in various countries including Brazil, China, Saudi Arabia, and Russia.

Kaspersky experts identified a new malicious campaign targeting Linux systems where threat actors deployed a backdoor – a type of Trojan – on to victims’ devices using an infected version of a popular free software: Free Download Manager. Once the device is infected, the attackers’ goal is to steal information such as details about systems, browsing history, saved passwords, cryptocurrency wallet files, and even credentials for cloud services like Amazon Web Services or Google Cloud.

Kaspersky experts believe it is likely that this is a supply chain attack. During the investigation into Free Download Manager installation guides on YouTube for Linux computers, the company’s experts found instances where video creators inadvertently showcased the initial infection process: clicking the download button on the official website resulted in a malicious version of Free Download Manager being downloaded.

In contrast, in another video, a legitimate version of the software was downloaded. It is possible that the malware developers scripted the malicious redirection to appear with some degree of probability or based on the digital fingerprint of the potential victim. As a result, some users encountered a malicious package while others obtained a clean one.

According to Kaspersky’s findings, the campaign lasted for at least three years – from 2020 to 2022. The malicious package installed the Free Download Manager version released in 2020. Moreover, over the course of this timeframe, there were discussions on websites such as StackOverflow and Reddit about problems caused by the infected software distribution. However, the users were unaware that these issues were caused by malicious activity.

“Variants of the analysed backdoor have been detectable by Kaspersky solutions for Linux since 2013,” says Georgy Kucherin, a security expert at GReAT, Kaspersky. “However, there is a widespread misconception that Linux is immune to malware, leaving many of these systems without adequate cybersecurity protection. This lack of protection makes these systems attractive targets for cybercriminals.

“Essentially, the Free Download Manager case highlights the challenge of spotting an ongoing cyberattack on a Linux system with the naked eye. Therefore, it’s essential for Linux-based computers, including both desktops and servers, to implement reliable and effective security measures.”