Proprietary · 2020-01-24 · 708 days · Backdoor, Credential Theft, Data Theft

Free Download Manager Linux page served backdoor

Free Download Manager's Linux download page intermittently redirected users to a malicious Debian package. The package installed a DNS-controlled backdoor and credential stealer.

Story

The Free Download Manager case was quiet because the compromise was selective. Linux users who clicked the official download page could receive either the real package or a malicious .deb from deb.fdmpkg.org. Kaspersky found video evidence of the redirection, and the vendor later confirmed a compromised page in its own backups.

The modified page chose between the legitimate link and the fake domain. The vendor said the attacker used an exception list for IP ranges associated with Bing and Google, so search crawlers saw clean behavior. That explains the long dwell time. The site looked normal to many visitors and to some automated checks.

The malicious Debian package used its postinst script as the insertion point. On install, it dropped /var/tmp/crond and /var/tmp/bs, then created /etc/cron.d/collect to run the backdoor every ten minutes. The installed Free Download Manager build itself traced to a January 24, 2020 release, while comments in the malicious script used Russian and Ukrainian and mentioned January 26 and 27 changes.

The backdoor resolved generated *.u.fdmpkg.org names and decoded the DNS response into a secondary server and port. It then opened a reverse shell over TCP or delegated SSL communication to /var/tmp/bs. In Kaspersky's sandbox, attackers used that shell to deploy a Bash stealer that collected system details, browser data, saved passwords, crypto wallets, and cloud credentials, then uploaded results with /var/tmp/atd.
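A small host-triage helper, added here as an example and not part of the original record or of Kaspersky's tooling, that checks a package maintainer script, a cron.d file and a DNS query log for the artifacts named above (the /var/tmp droppers, /etc/cron.d/collect, and lookups under u.fdmpkg.org). The sample inputs are constructed, and the /opt source path in the sample postinst is an assumption.

```python
import re

# Indicators taken from the write-up above.
DROPPED_FILES = ("/var/tmp/crond", "/var/tmp/bs", "/var/tmp/atd")
CRON_FILE = "/etc/cron.d/collect"
C2_ZONE = "u.fdmpkg.org"

def flag_postinst(script: str) -> list[str]:
    """Non-comment lines of a maintainer script that touch /var/tmp or /etc/cron.d."""
    return [ln.strip() for ln in script.splitlines()
            if re.search(r"/var/tmp/|/etc/cron\.d/", ln) and not ln.lstrip().startswith("#")]

def flag_cron(cron_text: str) -> list[str]:
    """System cron entries whose command runs a binary out of a temp directory."""
    hits = []
    for ln in cron_text.splitlines():
        ln = ln.strip()
        if not ln or ln.startswith("#"):
            continue
        fields = ln.split(None, 6)  # minute hour dom month dow user command
        if len(fields) == 7 and re.search(r"(^|\s)/(var/)?tmp/", fields[6]):
            hits.append(ln)
    return hits

def flag_dns(log_text: str) -> list[str]:
    """Names queried under the backdoor's DNS C2 zone, from BIND-style query logs."""
    names = re.findall(r"query: (\S+) IN", log_text)
    return [n for n in names if n.endswith("." + C2_ZONE)]

# Constructed samples modelled on the write-up; not real captured data.
SAMPLE_POSTINST = """#!/bin/sh
set -e
# normal package steps
update-desktop-database || true
cp /opt/freedownloadmanager/crond /var/tmp/crond
echo '*/10 * * * * root /var/tmp/crond' > /etc/cron.d/collect
"""
SAMPLE_CRON = """# /etc/cron.d/collect
*/10 * * * * root /var/tmp/crond
0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf
"""
SAMPLE_DNS = """client 10.0.0.5#41000: query: a1b2c3.u.fdmpkg.org IN A + (10.0.0.1)
client 10.0.0.5#41001: query: deb.debian.org IN A + (10.0.0.1)
"""

if __name__ == "__main__":
    print(flag_postinst(SAMPLE_POSTINST))
    print(flag_cron(SAMPLE_CRON))
    print(flag_dns(SAMPLE_DNS))
```

On a live host the same functions can be fed the contents of /var/lib/dpkg/info/*.postinst, /etc/cron.d/* and the resolver's query log.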

Affected Artifacts

Observed
2020-01-24 to 2022-01-01
Compromised Versions
Unknown
Fixed
Not listed
Hashes
  • sha256:b77f63f14d0b2bde3f4f62f4323aad87194da11d71c117a487e18ff3f2cd468d
  • sha256:2214c7a0256f07ce7b7aab8f61ef9cbaff10a456c8b9f2a97d8f713abd660349
  • sha256:93358bfb6ee0caced889e94cd82f6f417965087203ca9a5fce8dc7f6e1b8a3ea
Notes
  • Affected scope: specific Linux Debian packages distributed via the malicious redirect from 2020 through 2022.
  • The vendor said the issue affected a small subset of Linux download attempts and did not affect Windows or macOS users.

Incident Context

Motive
Financial Gain, Data Theft
Attribution
Group
Cause
Website Compromise
Transitive
No
Actor
Cybercriminal group

Source record: proprietary/freedownloadmanager/meta.yaml