EvilGnome is a collection of modules designed to spy on a user’s system and exfiltrate data to an external Command & Control (C2) server controlled by the attacker. It is designed to appear as an extension of the Gnome GUI environment for Linux desktop.
The malware is a self-extracting archive shell script that installs the modules and sets up persistence through use of the crontab. The modules are: • ShooterSound—records audio clips from the user’s microphone using PulseAudio. • ShooterImage—captures screenshots of the user’s desktop. • ShooterFile—scans the filesystem and is capable of filtering files by type and creation date. • ShooterPing—data exfiltration module, also capable of receiving new commands from the C2 server and stopping other modules from running. • ShooterKey—possible keylogger module that appears to be unfinished.
Many of the modules appear to be very limited or missing some functionality. Also, metadata about the malware’s creation was included in the upload to VirusTotal, leading the researchers to believe this was a prototype version of the malware that was mistakenly released.
Intezer researchers believe the malware to be tied to the Russian-affiliated group Gamaredon. Not only does EvilGnome use the same hosting provider as Gamaredon for C2 servers and similar domain names such as .space and .ddns, it was also found on an IP address controlled by Gamaredon 2 months ago and uses techniques and modules similar to Gamaredon’s collection of Windows tools.
To check if a Linux system is infected, look for an executable called gnome-shell -ext in the ~/.cache/gnome-software/gnome-shell-extensions directory.