Researchers from Kaspersky Lab have discovered a malicious Debian (deb) package of Free Download Manager (FDM), distributed from the deb.fdmpkg.org repository. The project's official website had been compromised so that it redirected users to the infected package. During installation, the package's postinst script launched malicious code that exfiltrated sensitive information and credentials. The malicious version of FDM was reachable from the project's official website, freedownloadmanager.org, from January 2020 until the site was updated in 2022.
The developers of Free Download Manager have acknowledged the incident and announced that they are taking measures to strengthen their infrastructure in order to prevent similar incidents. Users are advised to check their systems for the malware and to change their passwords. According to preliminary findings, the project website was compromised in 2020 and the attackers replaced the original download link with one pointing to the deb.fdmpkg.org repository, which was under their control. The substitution was removed in 2022 when the site was updated. The developers estimate that only 0.1% of site visitors were affected, which suggests that the malicious link was served selectively, based on browser or location parameters, or at random.
The malicious code embedded in the deb package was downloaded from external hosts, specifically subdomains of fdmpkg.org. It installed several executable files, including /var/tmp/crond and /var/tmp/bs, and added a cron job that ran /var/tmp/crond every 10 minutes. Once running, the malware searched for and collected information about the system, browser history, files containing cryptocurrency wallets, and credentials for cloud services such as AWS, Google Cloud, Oracle Cloud Infrastructure, and Azure. The IP address and network port of the command-and-control server were obtained by resolving a DNS name of the form <20-byte-hex-string>.u.fdmpkg.org. A channel to the attackers' server was then established as a reverse shell.
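The indicators above (the dropped /var/tmp/crond and /var/tmp/bs binaries, a cron entry running /var/tmp/crond every 10 minutes, the deb.fdmpkg.org repository, and lookups of <20-byte-hex-string>.u.fdmpkg.org) can be checked on a host with a short script. The following is an added example, not code from Kaspersky or from the Free Download Manager project. The crontab, apt source and DNS log lines it scans are constructed samples; the assumption that the 20-byte string appears as 40 hexadecimal characters, and the shape of the DNS log lines, are the author's, not the report's.

```python
"""Host indicator check for the trojanized Free Download Manager .deb.

Added example (not Kaspersky's or FDM's code). Looks for the artefacts the
write-up names and returns them as findings. Sample inputs are constructed.
"""
import os
import re
from dataclasses import dataclass

DROPPED_FILES = ("/var/tmp/crond", "/var/tmp/bs")
MALICIOUS_REPO = re.compile(r"deb\.fdmpkg\.org", re.IGNORECASE)
# Assumption: a 20-byte value rendered as 40 hex characters.
C2_RESOLVE = re.compile(r"\b[0-9a-f]{40}\.u\.fdmpkg\.org\b", re.IGNORECASE)
EVERY_10_MIN = re.compile(r"^\s*\*/10\s+\*\s+\*\s+\*\s+\*\s")


@dataclass(frozen=True)
class Finding:
    kind: str
    evidence: str


def check_files(exists=os.path.exists):
    """Dropped binaries; `exists` is injectable so the check runs offline."""
    return [Finding("dropped_file", p) for p in DROPPED_FILES if exists(p)]


def check_crontab(text):
    """Any active cron line that runs /var/tmp/crond; note the 10-minute schedule."""
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#") or "/var/tmp/crond" not in stripped:
            continue
        kind = "cron_every_10_min" if EVERY_10_MIN.search(line) else "cron_persistence"
        out.append(Finding(kind, stripped))
    return out


def check_apt_sources(lines):
    """Package sources pointing at the attacker-controlled repository."""
    return [Finding("malicious_repo", l.strip()) for l in lines if MALICIOUS_REPO.search(l)]


def check_dns_log(lines):
    """DNS queries matching the C2 resolution pattern."""
    return [Finding("c2_dns_lookup", m.group(0)) for l in lines for m in [C2_RESOLVE.search(l)] if m]


# --- constructed samples (not real telemetry) ---
SAMPLE_CRONTAB = """# constructed /etc/crontab
SHELL=/bin/sh
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/10 * * * * /var/tmp/crond
"""
SAMPLE_APT_SOURCES = [
    "deb http://deb.debian.org/debian bookworm main",
    "deb https://deb.fdmpkg.org/freedownloadmanager/ stable main",  # constructed, hypothetical path
]
SAMPLE_DNS_LOG = [
    "query[A] deb.debian.org from 10.0.0.5",
    "query[A] 0123456789abcdef0123456789abcdef01234567.u.fdmpkg.org from 10.0.0.5",
    "query[A] 0123456789abcdef.u.fdmpkg.org from 10.0.0.5",  # wrong length, must not match
]


def scan_samples():
    """Run every check over the constructed samples, with only /var/tmp/bs 'present'."""
    findings = []
    findings += check_files(exists=lambda p: p == "/var/tmp/bs")
    findings += check_crontab(SAMPLE_CRONTAB)
    findings += check_apt_sources(SAMPLE_APT_SOURCES)
    findings += check_dns_log(SAMPLE_DNS_LOG)
    return findings


def scan_host():
    """Same checks against the live host's files (no DNS log: pass your resolver's log yourself)."""
    findings = check_files()
    for path in ("/etc/crontab", "/var/spool/cron/crontabs/root"):
        try:
            with open(path) as fh:
                findings += check_crontab(fh.read())
        except OSError:
            pass
    for path in ("/etc/apt/sources.list",):
        try:
            with open(path) as fh:
                findings += check_apt_sources(fh.readlines())
        except OSError:
            pass
    return findings


if __name__ == "__main__":
    for f in scan_samples():
        print(f"{f.kind}: {f.evidence}")
```

Run it as-is to see the four findings from the constructed samples; call scan_host() on a Linux machine to apply the file and cron checks for real, and feed your resolver's query log to check_dns_log() for the C2 lookup pattern. A clean result does not prove a clean host; the report only names these artefacts, so anything else the payload does is outside what this script can see.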
The malicious code was discovered during the investigation of an attack involving suspicious hosts under the domain *.u.fdmpkg.org. Further examination of fdmpkg.org revealed the subdomain deb.fdmpkg.org, which served as the Debian package repository hosting the infected version of Free Download Manager. Researchers also found several discussions on Stack Overflow and Reddit about problems caused by the infected version of Free Download Manager, with references to deb.fdmpkg.org. The connection to