Experts from the company (Kaspersky Lab) have reported that a malicious campaign using Free Download Manager lasted for over three years. During these attacks, legitimate software for application installation was used to distribute a backdoor on Linux-based devices. The attacks were documented in Brazil, China, Saudi Arabia, and Russia.

Typically, victims were infected when attempting to download software from the official Free Download Manager website (freedownloadmanager[.]org), indicating that this was likely a supply chain attack.

If the victim opened the legitimate Free Download Manager website and then clicked the download button for the Linux program, in some cases, they would be redirected to a malicious URL from which a malicious version, released in 2020, was downloaded.

After running the file on the victim’s device, a backdoor, a type of remote access Trojan, was installed. From the infected device, malicious actors could steal various information, including system details, browser history, saved passwords, cryptocurrency wallet data, and even credentials for cloud services like Amazon Web Services or Google Cloud.
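The infection path described above hinges on two things a defender can check before installing: whether the download button's redirect chain ever leaves the vendor's site, and whether the fetched package matches the hash the vendor publishes. The following is an added example written for this article, not code from the report or from the Free Download Manager project. The redirect chains and package bytes are constructed; the report gives no package hash, so `EXPECTED_SHA256` is a placeholder to be replaced with the vendor's published value.

```python
import hashlib
from urllib.parse import urlparse

# The vendor domain named in the report (written defanged there as freedownloadmanager[.]org).
EXPECTED_HOST = "freedownloadmanager.org"
# Placeholder: the report publishes no hash. Replace with the SHA-256 the vendor lists
# for the Linux package before relying on verify_package() in practice.
EXPECTED_SHA256 = "<vendor-published-sha256>"


def host_of(url):
    """Lower-cased hostname of a URL, or '' if the URL has none (treated as off-site)."""
    return (urlparse(url).hostname or "").lower()


def is_same_site(host, expected):
    """True only for the expected domain itself or one of its subdomains.
    Suffix matching with a leading dot rejects look-alikes such as
    'freedownloadmanager.org.evil.example' and 'evilfreedownloadmanager.org'."""
    return host == expected or host.endswith("." + expected)


def audit_redirect_chain(chain, expected_host=EXPECTED_HOST):
    """Return every URL in an ordered redirect chain whose host is not the vendor site.
    An empty list means the download never left the expected origin."""
    return [url for url in chain if not is_same_site(host_of(url), expected_host)]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_package(data, expected_sha256):
    """Compare the downloaded bytes against the vendor-published SHA-256.
    Returns (matches, actual_digest) so a mismatch can be logged with the real value."""
    actual = sha256_hex(data)
    return actual == expected_sha256.strip().lower(), actual


def audit_download(chain, data, expected_sha256, expected_host=EXPECTED_HOST):
    """Combined verdict: safe only if the chain stays on-site and the hash matches."""
    off_site = audit_redirect_chain(chain, expected_host)
    hash_ok, actual = verify_package(data, expected_sha256)
    return {
        "off_site_urls": off_site,
        "hash_ok": hash_ok,
        "sha256": actual,
        "safe": not off_site and hash_ok,
    }


# Constructed sample data (not taken from the report).
CLEAN_CHAIN = [
    "https://freedownloadmanager.org/download.htm",
    "https://dl.freedownloadmanager.org/freedownloadmanager.deb",  # constructed subdomain
]
SUSPECT_CHAIN = [
    "https://freedownloadmanager.org/download.htm",
    "https://deb.mirror-example.invalid/freedownloadmanager.deb",  # constructed off-site host
]
SAMPLE_PACKAGE = b"constructed package bytes, not a real .deb"

if __name__ == "__main__":
    good = audit_download(CLEAN_CHAIN, SAMPLE_PACKAGE, sha256_hex(SAMPLE_PACKAGE))
    bad = audit_download(SUSPECT_CHAIN, SAMPLE_PACKAGE, EXPECTED_SHA256)
    print("clean chain, matching hash:", good["safe"])
    print("off-site redirect, placeholder hash:", bad["safe"], bad["off_site_urls"])
```

The redirect chain is the list of URLs a client actually follows (for example, collected with `curl -L -w '%{url_effective}'` or from the browser's network log); comparing the final host rather than the link on the page is what exposes the class of attack described here, since the visible button still points at the legitimate site.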

It’s worth noting that some samples of the malware used in this campaign were first detected in 2013, and the malware is a modified version of the Bew backdoor. This malware has been subjected to analysis multiple times, with one of the earliest descriptions published in 2014. Additionally, in 2017, CERN reported on the BusyWinman campaign using Bew. According to CERN, infections with Bew occurred through drive-by downloads.

Researchers believe that the incident could represent a supply chain attack. During the investigation, instances were found where YouTube tutorials on installing Free Download Manager for Linux computers inadvertently demonstrated the initial infection process, while in other videos, legitimate software was downloaded.

Experts conclude that malware developers likely anticipated that victims would be redirected to the malicious software version “with a certain degree of probability or based on the digital footprint of potential victims.” As a result, some users encountered malware, while others received legitimate software.

“There is a common misconception that there is no malware for Linux, so many users do not install security solutions on such devices. However, the lack of cybersecurity measures actually makes them more attractive to malicious actors. The situation with Free Download Manager demonstrates that cyberattacks on Linux can go undetected for a long time. To avoid this, it is essential to implement effective security measures for computers and servers running on this operating system,” explains Leonid Bezvershenko, a cybersecurity expert at Kaspersky Lab.

The report notes that the company has reached out to the developers of Free Download Manager to inform them about this campaign but has not received a response yet.