Malware spotlight: EvilGnome

Introduction

The name EvilGnome may conjure images of a malicious creature of folklore. Instead, this name actually refers to an emerging type of malware recently detected by malware researchers.

This article will detail the EvilGnome malware family. We’ll explore what EvilGnome is, how EvilGnome works, malware anatomy (including modules) and probable connections to an existing attack group, as well as how to detect EvilGnome.

This malware may come across as a rare malware type that many will never encounter. But for Linux users, EvilGnome is a threat that should be understood.

What is EvilGnome?

Discovered in July 2019 by security researchers at Intezer Labs, EvilGnome is a rare malware family afflicting Linux systems. Part of this rarity stems from the fact that so few Linux malware families exist in the wild. The other part comes from EvilGnome’s rarely seen functionality, which should make Linux users take notice.

This novelty in the world of Linux threats is compounded by the fact that, unlike most Linux malware families, EvilGnome does not focus on cryptocurrency mining or building DDoS botnets. No, you are not in Kansas anymore.

EvilGnome presents itself to unwitting Linux users as a legitimate GNOME extension. Legitimate extensions add functionality to the GNOME desktop, but instead of a healthy boost in system functionality, EvilGnome begins spying on users with an array of capabilities uncommon for most Linux malware.

Interestingly, EvilGnome was discovered after its creator uploaded a test version to VirusTotal, which did not flag it as malicious. While this may not strike many as a “newbie” mistake, the fact that an unfinished keylogger was included suggests that the creator is either inexperienced or negligent. This keylogger function is currently disabled by default.

Believe it or not,

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Chris Sienko. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/hALjMyY8QhU/