GReAT – Tech | Business | Economy https://techeconomy.ng

Kaspersky Reveals Three-year Long Suspected Supply Chain Attack Targeting Linux
https://techeconomy.ng/kaspersky-reveals-three-year-long-suspected-supply-chain-attack-targeting-linux/
Tue, 19 Sep 2023 08:08:15 +0000

Kaspersky unveiled a malicious campaign in which an installer of the Free Download Manager software was employed to disseminate a Linux backdoor for a minimum of three years.

Researchers discovered that victims were infected when they downloaded the software from the official website, indicating that this is a possible supply chain attack.

Variants of the malware used in this campaign were first identified in 2013. Victims are based in various countries, including Brazil, China, Saudi Arabia, and Russia.

Kaspersky experts identified a new malicious campaign targeting Linux systems, where threat actors deployed a backdoor – a type of Trojan – onto victims’ devices using an infected version of a popular free software package: Free Download Manager.

Once the device is infected, the attackers’ goal is to steal information such as details about the system, browsing history, saved passwords, cryptocurrency wallet files, and even credentials for cloud services like Amazon Web Services or Google Cloud.

According to Kaspersky’s telemetry, victims of this campaign are located all over the world, including Brazil, China, Saudi Arabia and Russia.

Kaspersky experts believe it is likely that this is a supply chain attack. During the investigation into Free Download Manager installation guides on YouTube for Linux computers, the company’s experts found instances where video creators inadvertently showcased the initial infection process: clicking the download button on the official website resulted in a malicious version of Free Download Manager being downloaded. In contrast, in another video, a legitimate version of the software was downloaded.

It is possible that the malware developers scripted the malicious redirection to appear with some degree of probability or based on the digital fingerprint of the potential victim. As a result, some users encountered a malicious package, while others obtained a clean one.

According to Kaspersky’s findings, the campaign lasted for at least three years – from 2020 to 2022. The malicious package installed the Free Download Manager version released in 2020.

Moreover, over the course of this timeframe, there were discussions on websites such as StackOverflow and Reddit about problems caused by the infected software distribution. However, the users were unaware that these issues were caused by malicious activity.

| A Reddit user wondered whether they could install Free Download Manager without running a script that turned out to contain malware

“Variants of the analysed backdoor have been detectable by Kaspersky solutions for Linux since 2013. However, there is a widespread misconception that Linux is immune to malware, leaving many of these systems without adequate cybersecurity protection. This lack of protection makes these systems attractive targets for cybercriminals. Essentially, the Free Download Manager case highlights the challenge of spotting an ongoing cyberattack on a Linux system with the naked eye. Therefore, it’s essential for Linux-based computers, including both desktops and servers, to implement reliable and effective security measures”, says Georgy Kucherin, a security expert at GReAT, Kaspersky.

To avoid Linux-based and other types of threats, it is worth implementing the following security measures:

  • Choose a proven endpoint security solution such as Kaspersky Endpoint Security for Business that is equipped with behaviour-based detection and anomaly control capabilities for effective protection against known and unknown threats.
  • Use Kaspersky Embedded Systems Security. This adaptable, multi-layered solution provides optimised security for embedded Linux-based systems, devices and scenarios, in compliance with the rigorous regulatory standards so often applicable to these systems.
  • Since the stolen credentials may be put up for sale on the dark web, use Kaspersky Digital Footprint Intelligence to monitor shadow resources and promptly identify related threats.
87 Critical Vulnerabilities Discovered in Routers in 2021
https://techeconomy.ng/87-critical-vulnerabilities-discovered-in-routers-in-2021/
Mon, 13 Jun 2022 14:43:03 +0000

According to analysis conducted by Kaspersky, over 500 vulnerabilities were discovered in routers in 2021, including 87 critical ones.

Threats stemming from vulnerable routers affect both households and organisations, moving beyond email compromises to physical home security. Despite this, people rarely think about the security of their devices.

According to research, 73% of users have never thought about upgrading or securing their router, making it one of the biggest threats impacting the Internet of Things today.

Here, Kaspersky experts explain what threats router vulnerabilities can pose and how users can protect themselves.

A router is the hub of an entire home network, through which all elements of a smart home access the Internet and exchange data. By infecting a router, attackers gain access to the network through which data packets are transmitted.

Using this, they can install malware on connected computers to steal sensitive data, private photos, or business files – possibly causing irreparable damage to the victim. Through the infected router, the attacker can also redirect users to phishing pages masquerading as often-used webmail or online-banking sites.

Any data they enter on these pages, whether it’s the login and password for their email or bank card details, will immediately fall into the hands of fraudsters.

Since 2010, the number of vulnerabilities found in routers has been steadily increasing. In 2020, the number of discovered vulnerabilities rose to 603, about three times as many as the year before. In 2021, the number of discovered vulnerabilities remained almost as high – 506.

Out of all discovered vulnerabilities in 2021, 87 were critical. Critical vulnerabilities are the most unprotected “holes” through which an attacker can penetrate a home or corporate network.

Such vulnerabilities may let the attacker bypass authentication, send remote commands to a router, or even incapacitate it.

By doing so, the attackers are able to steal any data or files transmitted over an infected network, whether it’s your personal photos, private information, or even business contracts sent in an email.

| Number of router vulnerabilities according to nvd.nist.gov, 2010 – May 2022

Though researchers are now raising awareness about far more vulnerabilities than before, routers remain one of the most insecure devices.

One of the reasons for this is that not all vendors rush to eliminate the dangers. 

Almost a third of critical vulnerabilities discovered in 2021 remain without any response from vendors: no patch or commentary with advice has been issued for them.

Another 26% of such vulnerabilities received only a comment from the company, which most often includes a recommendation to contact technical support.

Alongside attackers’ increased activity, consumers and small businesses don’t have the expertise or resources to identify or understand a threat before it’s too late.

For instance, as mentioned, 73% of users have never thought about upgrading or securing their router, making it one of the biggest threats impacting the Internet of Things today. 

This is especially dangerous when routers are used in sensitive environments such as hospitals or government buildings, where a data leak could potentially have a severe impact.

“Despite the speed with which technology is coming into our lives, the level of cybersecurity hasn’t kept pace. Many employees have been working from home for the past two years, but the security of routers hasn’t improved over this time – they’re still rarely updated. Therefore, the risk that router vulnerabilities could be abused by cybercriminals remains a concern in 2022. What’s important is to prevent a threat as early as possible, since people usually find out about an attack when it’s too late – after money has been stolen,” comments Maria Namestnikova, Head of the Russian Global Research and Analysis Team (GReAT) at Kaspersky. “When you buy a router, network security should be as much of a priority as data transfer speed and price. Read reviews and note how quickly the manufacturer resolves reported issues. And don’t forget to update your router as soon as the developer releases a patch to avoid losing sensitive data and money,” adds Maria.

WinDealer Malware Shows Extremely Sophisticated Network Abilities
https://techeconomy.ng/windealer-malware-shows-extremely-sophisticated-network-abilities/
Tue, 07 Jun 2022 15:00:34 +0000

Researchers have discovered that malware dubbed WinDealer, spread by the Chinese-speaking Advanced Persistent Threat (APT) actor LuoYu, has the ability to perform intrusions through a man-on-the-side attack.

This groundbreaking development, according to researchers at Kaspersky, allows the actor to modify network traffic in-transit to insert malicious payloads.

Such attacks are especially dangerous and devastating because they do not require any interaction with the target to lead to a successful infection. 

Following the findings by TeamT5, Kaspersky researchers discovered a new distribution method applied by operators to spread the WinDealer malware.

Specifically, they used a man-on-the-side attack to read traffic and insert new messages.

The general concept of a man-on-the-side attack is that when the attacker sees a request for a specific resource on the network (through its interception capabilities or strategic position on the ISP’s network), it tries to reply to the victim faster than the legitimate server. If the attacker wins the ‘race’, the target machine will then use the attacker-supplied data instead of the normal data. Even if the attackers don’t win most ‘races’, they can try again until they succeed, guaranteeing that they will eventually infect most devices.

Following an attack, the target device receives a spyware application that can collect an impressive amount of information. The attackers are able to view and download any files stored on the device and run a keyword search on all documents. Generally, LuoYu targets foreign diplomatic organisations established in China and members of the academic community as well as defense, logistics and telecommunications companies. The actor uses WinDealer to attack Windows devices.

Typically, malware contains a hardcoded Command and Control server from which the malicious operator controls the entire system. With information about this server, it’s possible to block the IP addresses of the machines that the malware interacts with, neutralising the threat. However, WinDealer relies on a complex IP-generation algorithm to determine which machine to contact. This covers a range of 48,000 IP addresses, making it almost impossible for the attackers to actually control even a small fraction of those addresses. The only way to explain this seemingly impossible network behaviour is by postulating that the attackers have significant interception capabilities over this IP range and can even read network packets that reach no destination.

The man-on-the-side attack is particularly devastating because it does not require any interaction with the target to lead to a successful infection: simply having a machine connected to the Internet is enough. Moreover, there is nothing users can do to protect themselves, apart from routing traffic through another network. This can be done with a VPN, but a VPN may not be an option, depending on the territory, and would typically not be available to Chinese citizens.

The vast majority of LuoYu victims are located in China, so Kaspersky experts believe that the LuoYu APT is predominantly focused on Chinese-speaking victims and organisations related to China. However, Kaspersky researchers have also noticed attacks in other countries, such as Germany, Austria, the United States, the Czech Republic, Russia and India.

| Geographic distribution of WinDealer attacks (Source: Kaspersky)

“LuoYu is an extremely sophisticated threat actor able to leverage functionality available only to the most mature attackers. We can only speculate as to how they were able to develop such capabilities. Man-on-the-side attacks are extremely destructive as the only condition needed to attack a device is for it to be connected to the Internet. Even if the attack fails the first time, attackers can repeat the process over and over again until they succeed. This is how they can carry out extremely dangerous and successful spying attacks on their victims, which typically include diplomats, scientists and employees of other key sectors. No matter how the attack has been carried out, the only way for potential victims to defend themselves is to remain extremely vigilant and have robust security procedures, such as regular antivirus scans, analysis of outbound network traffic and extensive logging to detect anomalies,” comments Suguru Ishimaru, Senior Security Researcher at Kaspersky’s Global Research and Analysis Team (GReAT).
