Comprehensive Analysis of Recent Malicious Campaign Involving the ‘EvilGnome’ RAT

Alex Morgan — Threat Intelligence Analyst

Key Takeaways

  • The ‘EvilGnome’ RAT obtains initial access through a trojanized GNOME Shell extension: the victim installs what looks like a legitimate plugin, and no software vulnerability is exploited.
  • Once installed, the RAT persists as a systemd user service that respawns when killed and talks to its C2 over HTTPS, spreading its DNS lookups across DGA-generated subdomains.
  • Post-compromise activity abuses misconfigured sudo rights and enumerates local accounts and network shares to escalate privileges and move laterally.

Executive Summary

This analysis covers a recent campaign using the ‘EvilGnome’ Remote Access Trojan (RAT), which has been gaining traction in underground forums. The actor delivers the implant inside legitimate-looking software, disguising the payload as an essential plugin so that the user installs it voluntarily. Our investigation found that, once installed, the RAT establishes a persistence mechanism that survives reboots and kill attempts, opens command and control (C2) communication, and is then used for privilege escalation and lateral movement across the network.

Initial Access

During our investigation we identified the initial access vector as a trojanized copy of a popular GNOME Shell extension, not the exploitation of a software vulnerability: the user installs the extension themselves and no exploit is required. GNOME Shell extensions are JavaScript that runs inside the gnome-shell process with the full privileges of the logged-in user, so when the seemingly benign plugin at /usr/share/gnome-shell/extensions/sample-extension.js was loaded it could simply write the RAT into the user’s profile directory at ~/.evilgnome/.payload. Two locations matter when hunting for this: /usr/share/gnome-shell/extensions/ is the system-wide extension directory and is writable only by root, while per-user extensions live under ~/.local/share/gnome-shell/extensions/; both should be checked for a modified copy of the extension.

Execution & Persistence

The ‘EvilGnome’ RAT uses a multi-step approach to execution and persistence. After the initial drop it installs a systemd user unit at /etc/systemd/user/evilgnome.service. That path is the system-wide directory for units run by each user’s systemd --user instance, so the file is not hidden in the filesystem sense; it simply sits among legitimate user units. It is also writable only by root, and the report does not establish how that write access was obtained; a non-privileged user would have to use ~/.config/systemd/user/ instead. The unit starts the RAT during the user’s login sequence, so the implant returns on every session. If the running instance is killed, another is spawned in its place, so killing the process alone is not an effective containment step: the unit has to be disabled and masked (as the affected user, systemctl --user disable --now evilgnome.service followed by systemctl --user mask evilgnome.service) before the process is terminated and the files removed.

Command and Control

The command and control infrastructure was deliberately hard to pin down. The malware uses a domain generation algorithm (DGA); note that a DGA produces domain names rather than IP addresses, and the addresses those names resolve to can be rotated independently. Outbound communication logs showed TLS-wrapped HTTPS connections to hxxps://evilgnome-c2.com, so the traffic content cannot be inspected without TLS interception. Encryption does not hide the destination, however: the DNS queries preceding each connection exposed the DGA, with lookups spread across many distinct, short-lived subdomains of the C2 domain. That spread defeats blocklists keyed on a full hostname, but the number of distinct subdomains one host requests under a single domain is itself a usable detection signal.
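The subdomain-spraying pattern described above can be surfaced directly from resolver logs. The following is an added example written for this page, not code from the report or from the malware: it counts, per client and per registered domain, how many distinct leftmost labels were queried and how random they look. The log format ("client query TYPE qname") and the log lines themselves are constructed for the example; the registered-domain heuristic (last two labels) is a simplification that a real deployment would replace with the Public Suffix List.

```python
import math
import re
from collections import defaultdict

# Constructed sample query log (assumption: "client query TYPE qname" format,
# similar to a resolver log). Every line here is invented for this example.
SAMPLE_LOG = """\
10.0.0.5 query A mail.example.org
10.0.0.5 query A www.example.org
10.0.0.7 query A q7h2k9.evilgnome-c2.com
10.0.0.7 query A zz81pwm.evilgnome-c2.com
10.0.0.7 query A b3nq0xx.evilgnome-c2.com
10.0.0.7 query A k9d2lr4.evilgnome-c2.com
10.0.0.7 query A v0pl3ya.evilgnome-c2.com
10.0.0.7 query A s8tmx1q.evilgnome-c2.com
10.0.0.7 query A www.example.org
"""

LINE_RE = re.compile(r"^(?P<client>\S+) query \S+ (?P<qname>\S+)$")


def registered_domain(qname: str) -> str:
    """Last two labels of a name. Heuristic only: a real deployment should
    use the Public Suffix List so that names under e.g. co.uk are handled."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking DGA labels score high, words low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def find_dga_candidates(log_text: str, min_subdomains: int = 5,
                        min_entropy: float = 2.5) -> list:
    """Return (client, domain) pairs where one client asked for many distinct,
    high-entropy subdomains of the same registered domain."""
    seen = defaultdict(set)  # (client, registered domain) -> leftmost labels
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        base = registered_domain(qname)
        if qname == base:          # bare apex query, no subdomain to count
            continue
        seen[(m.group("client"), base)].add(qname.split(".")[0])

    hits = []
    for (client, base), labels in seen.items():
        if len(labels) < min_subdomains:
            continue
        avg = sum(shannon_entropy(lab) for lab in labels) / len(labels)
        if avg >= min_entropy:
            hits.append({"client": client, "domain": base,
                         "distinct_subdomains": len(labels),
                         "avg_label_entropy": round(avg, 2)})
    return hits


if __name__ == "__main__":
    for hit in find_dga_candidates(SAMPLE_LOG):
        print(hit)
```

The entropy threshold is what keeps ordinary hosts out of the results: a workstation that legitimately touches www, mail, cdn and api under one domain has many distinct labels but a low average entropy, whereas the machine-generated labels in the sample score close to three bits per character. Tune both thresholds against a baseline of normal traffic before alerting on them.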

Lateral Movement & Discovery

The lateral movement and discovery behaviour of ‘EvilGnome’ is more capable than its delivery mechanism suggests. For privilege escalation the malware abuses misconfigured sudo rights on the targeted machine; in ATT&CK terms that is T1548.003 (Abuse Elevation Control Mechanism: Sudo and Sudo Caching), not T1068, which covers exploitation of a software vulnerability and was not observed here. We also identified shell commands performing broad enumeration of network resources: a scan of connected hosts and shares, together with a read of /etc/passwd to list local accounts. Note that /etc/passwd is world-readable by design and on any modern Linux system holds no password hashes; those live in /etc/shadow, readable only by root. Account names taken from /etc/passwd are therefore discovery material for credential guessing and for choosing which sudo grants to abuse, not credentials in themselves.
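The sudo misconfiguration the actor relies on is something responders can audit ahead of time. The script below is an added example for this page, not the report’s or the actor’s code: it parses user specifications from a sudoers file and flags grants that hand the account root, either an unrestricted ALL or a binary that can spawn a shell or write arbitrary files, with NOPASSWD noted separately. The sudoers fragment is constructed, the list of shell-escape binaries is a deliberately small assumption, and tags are only recognised at the head of a command list, so per-command tags later in a list are not handled.

```python
import re

# Constructed /etc/sudoers fragment for the example (assumption: not from any real host).
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
alice   ALL=(ALL) NOPASSWD: ALL          # over-broad grant
bob     ALL=(root) /usr/bin/vim /etc/hosts
backup  ALL=(root) NOPASSWD: /usr/bin/rsync -a /srv /mnt/backup
"""

# Binaries that hand the caller a root shell or arbitrary file write once they
# run under sudo (small subset; assumption: treated as equivalent to ALL).
SHELL_ESCAPES = {"/bin/sh", "/bin/bash", "/usr/bin/vim", "/usr/bin/vi",
                 "/usr/bin/less", "/usr/bin/find", "/usr/bin/python3",
                 "/usr/bin/env", "/usr/bin/awk"}

# who host=(runas) [TAG:] cmd, cmd ...   (aliases and Defaults lines are skipped)
SPEC_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
                     r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG_RE = re.compile(r"^(NOPASSWD|PASSWD|SETENV|NOSETENV|NOEXEC|EXEC|"
                    r"LOG_INPUT|LOG_OUTPUT)\s*:\s*")
SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias",
                 "Runas_Alias", "@include")


def parse_sudoers(text: str) -> list:
    """Parse user specifications into dicts. Tags are only recognised at the
    start of the command list (assumption); later per-command tags are ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        cmds, tags = m.group("cmds"), set()
        while (t := TAG_RE.match(cmds)):
            tags.add(t.group(1))
            cmds = cmds[t.end():]
        rules.append({"who": m.group("who"), "host": m.group("host"),
                      "runas": (m.group("runas") or "root").strip(),
                      "tags": tags,
                      "cmds": [c.strip() for c in cmds.split(",")]})
    return rules


def risky_grants(rules: list) -> list:
    """(who, command, reasons) for grants an attacker holding that account
    could turn into root."""
    findings = []
    for r in rules:
        for cmd in r["cmds"]:
            binary = cmd.split()[0] if cmd else ""
            reasons = []
            if cmd == "ALL":
                reasons.append("unrestricted command grant")
            elif binary in SHELL_ESCAPES:
                reasons.append("command can spawn a shell or write files")
            if reasons and "NOPASSWD" in r["tags"]:
                reasons.append("no password required")
            if reasons:
                findings.append((r["who"], cmd, reasons))
    return findings


if __name__ == "__main__":
    for who, cmd, reasons in risky_grants(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"{who:8} {cmd:45} {'; '.join(reasons)}")
```

The root and %sudo lines are flagged as well because the check is mechanical; in practice you would allowlist the administrative group and concentrate on entries like alice’s, where a compromised ordinary account becomes root without even a password prompt, and bob’s, where a narrowly scoped editor grant still yields a shell.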

Impact & Objectives

The primary objective of the ‘EvilGnome’ deployment appears to be data exfiltration, focused on sensitive user data including login credentials and personal information. Our investigation suggests the actor monetizes this information through underground channels. The keylogging and screenshot capabilities mean that any credentials typed or displayed on an infected host should be treated as compromised; incident responders should rotate them in addition to removing the implant and correcting the sudo misconfigurations it relies on.

MITRE ATT&CK Mapping

  • T1195.002 – Supply Chain Compromise: Compromise Software Supply Chain: Delivery inside a trojanized GNOME Shell extension.
  • T1204.002 – User Execution: Malicious File: The user installs and enables the extension; no exploit is involved, so T1203 (Exploitation for Client Execution) does not apply.
  • T1543.002 – Create or Modify System Process: Systemd Service: Persistence via /etc/systemd/user/evilgnome.service.
  • T1568.002 – Dynamic Resolution: Domain Generation Algorithms: Subdomain rotation beneath the C2 domain.
  • T1071.001 – Application Layer Protocol: Web Protocols: The use of HTTPS for C2 communications.
  • T1548.003 – Abuse Elevation Control Mechanism: Sudo and Sudo Caching: Misconfigured sudo rights used for privilege escalation; T1068 (Exploitation for Privilege Escalation) would apply only if a software vulnerability were exploited, which was not observed.
  • T1087.001 – Account Discovery: Local Account: Reading /etc/passwd.
  • T1135 – Network Share Discovery: Enumeration of connected hosts and shares.
  • T1056.001 – Input Capture: Keylogging, and T1113 – Screen Capture: The collection capabilities described above.

Detection Opportunities

  • Monitor DNS for a single host querying many distinct subdomains under one registered domain in a short window, and block or alert on connections to evilgnome-c2.com and any hostname beneath it.
  • Alert on new or modified .service files in /etc/systemd/user/ and in each user’s ~/.config/systemd/user/, and on units whose ExecStart points into a hidden directory under a home directory; /etc/systemd/user/ is root-owned, so a write there from a non-root context is itself suspicious.
  • Watch for new or changed extensions in /usr/share/gnome-shell/extensions/ and ~/.local/share/gnome-shell/extensions/, and for newly created hidden directories such as ~/.evilgnome/.
  • Audit sudoers for NOPASSWD and ALL grants, log every sudo invocation, and use user behaviour analytics to flag accounts that suddenly begin using sudo or reading /etc/passwd and /etc/shadow.
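The persistence mechanism described under Execution & Persistence and the systemd detection bullet above can be checked with one script. What follows is an added example for this page, not the report’s or the malware’s code: it walks the directories a systemd --user instance loads units from, parses each .service file, and flags units whose ExecStart lives under a hidden directory or in a world-writable temp directory, noting when such a unit is also set to respawn. The two unit files it demonstrates on are constructed and written to a temporary directory so the example runs offline; on a real host, call audit_dirs(USER_UNIT_DIRS).

```python
import configparser
import os
import re
import tempfile
from pathlib import Path

# Directories `systemd --user` loads units from (system-wide, then per-user).
USER_UNIT_DIRS = ["/etc/systemd/user", "/usr/lib/systemd/user",
                  os.path.expanduser("~/.config/systemd/user")]

HIDDEN_SEGMENT = re.compile(r"(^|/)\.[^/]+/")   # a dot-directory anywhere in the path
TEMP_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")


def audit_unit(path: str) -> list:
    """Reasons a .service file looks like a user-level implant, or [] if clean."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read(path)                       # missing/unreadable file: no sections
    if not cp.has_section("Service"):
        return []
    exec_start = cp.get("Service", "ExecStart", fallback="").strip()
    # systemd allows prefixes such as "-" or "@" before the executable path
    binary = exec_start.split()[0].lstrip("-@:+!") if exec_start else ""
    reasons = []
    if HIDDEN_SEGMENT.search(binary):
        reasons.append("ExecStart under a hidden directory")
    if binary.startswith(TEMP_PREFIXES):
        reasons.append("ExecStart in a world-writable temp directory")
    restart = cp.get("Service", "Restart", fallback="no")
    if reasons and restart in ("always", "on-failure", "on-abnormal"):
        reasons.append(f"respawns on kill (Restart={restart})")
    return reasons


def audit_dirs(dirs) -> dict:
    """Map unit path -> reasons for every suspicious *.service in dirs."""
    findings = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for unit in sorted(Path(d).glob("*.service")):
            reasons = audit_unit(str(unit))
            if reasons:
                findings[str(unit)] = reasons
    return findings


# Constructed units for the demo: the first mirrors the persistence described
# in the report, the second is an ordinary desktop service.
IMPLANT_UNIT = """\
[Unit]
Description=GNOME Shell helper

[Service]
ExecStart=/home/alice/.evilgnome/.payload
Restart=always

[Install]
WantedBy=default.target
"""
BENIGN_UNIT = """\
[Unit]
Description=Sound service

[Service]
ExecStart=/usr/bin/pulseaudio --daemonize=no
Restart=on-failure

[Install]
WantedBy=default.target
"""


def demo() -> dict:
    """Run the audit over a temp dir holding the two constructed units."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "evilgnome.service").write_text(IMPLANT_UNIT)
        Path(d, "pulseaudio.service").write_text(BENIGN_UNIT)
        return {Path(p).name: r for p, r in audit_dirs([d]).items()}


if __name__ == "__main__":
    print(demo())
    print(audit_dirs(USER_UNIT_DIRS) or "no suspicious user units on this host")
```

Restart=on-failure on its own is normal for desktop services, which is why the respawn check only fires when the executable path is already suspicious; the combination of a dot-directory under a home and automatic restart is the signature the report describes. For continuous detection, run the same logic from an inotify or auditd watch on the three unit directories rather than on a schedule.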

Analyst Notes

This investigation highlights the evolving nature of malware delivery and the need for defenders to adjust accordingly. The campaign shows that environments where legitimate software is frequently updated and installed need continuous monitoring of what those installs actually write to disk and register for startup. The actor’s choice to hide a RAT inside a widely used extension is a concern for end users and IT departments alike, and it argues for ongoing user education, verification of extension sources, and hardening of endpoint defences around user-level persistence and sudo configuration.

Source: Original Report