Malware authors are taking aim at Linux computers, specifically desktops rather than servers, with a new trojan named FakeFile, currently distributed in live attacks.
Russian antivirus vendor Dr.Web discovered this new trojan in October. The company’s malware analysts say the trojan is spread in the form of an archived PDF, Microsoft Office, or OpenOffice file.
The infection starts when the user opens the file. The trojan springs into action by copying itself to “<HOME>/.gconf/apps/gnome-common/gnome-common” and then opens a decoy document, hence its name, “FakeFile.”
The trojan also adds an entry that launches itself to the user’s .profile and .bash_profile files, which gives it persistence across reboots.
Curiously, the trojan has a specific rule in its source code which prevents the infection routine from executing if the Linux distro is openSUSE. A reason for this might be that the malware author uses openSUSE, but this is just speculation, since the theory is impossible to verify.
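A check for the two persistence artifacts just described, as an added example that is not from the article or Dr.Web’s analysis: it looks for the dropped copy under the user’s home directory and for lines in .profile or .bash_profile that reference it, run here over a constructed home directory (the sample file contents and the search pattern are assumptions, not indicators from the report).

```python
import re
import tempfile
from pathlib import Path

# Artifacts reported for FakeFile: the drop location (relative to $HOME)
# and the login scripts it edits so the copy is started at each login.
DROP_PATH = Path(".gconf/apps/gnome-common/gnome-common")
PROFILE_FILES = (".profile", ".bash_profile")
# A legitimate GConf tree holds XML settings, not an executable named
# gnome-common, so any profile line referencing this path is suspect.
PATTERN = re.compile(r"\.gconf/apps/gnome-common/gnome-common")


def scan_home(home):
    """Return a list of findings for one home directory (empty if clean)."""
    home = Path(home)
    findings = []
    dropped = home / DROP_PATH
    if dropped.exists():
        flag = "executable" if dropped.stat().st_mode & 0o111 else "not executable"
        findings.append(f"dropped file present: {dropped} ({flag})")
    for name in PROFILE_FILES:
        profile = home / name
        if not profile.is_file():
            continue
        lines = profile.read_text(errors="replace").splitlines()
        for lineno, line in enumerate(lines, 1):
            if PATTERN.search(line):
                findings.append(f"{name}:{lineno}: {line.strip()}")
    return findings


def build_sample_home():
    """Constructed demo home mimicking the artifacts; contains no real malware."""
    home = Path(tempfile.mkdtemp(prefix="fakefile-demo-"))
    drop = home / DROP_PATH
    drop.parent.mkdir(parents=True)
    drop.write_text("#!/bin/sh\n# harmless stand-in for the dropped binary\n")
    drop.chmod(0o755)
    (home / ".profile").write_text(
        "export PATH=$HOME/bin:$PATH\n"
        "$HOME/.gconf/apps/gnome-common/gnome-common &\n")
    (home / ".bash_profile").write_text(
        "[ -x $HOME/.gconf/apps/gnome-common/gnome-common ] && "
        "$HOME/.gconf/apps/gnome-common/gnome-common &\n")
    return home


if __name__ == "__main__":
    for finding in scan_home(build_sample_home()):
        print(finding)
```

Run it against real home directories by passing each one to scan_home; an empty list means neither artifact was found.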
Once all these first-run operations are out of the way, the real “fun” begins, with FakeFile contacting its command and control server and requesting further instructions.
According to clues found in the trojan’s source, the trojan can perform a series of actions, such as rename or delete files, send a file or a folder’s entire content to the C&C server, send a list of files found in a folder to the C&C server, or create new files and folders.
Additionally, the trojan can also run files, run shell commands, get or set permissions for desired files and folders, terminate its process, or remove itself from an infected host.
The most worrisome part is that FakeFile doesn’t need root access for all these operations, and can work just fine with the current user’s permissions.
The number of trojans targeting the Linux platform has grown tremendously in the past year, but in most cases, these targeted Linux servers or IoT devices running Linux-derived operating systems.
Security firms rarely encounter trojans targeting Linux desktop environments. At the time of writing, Dr.Web didn’t specify how the trojan spreads, but spam is the number one suspect, since malware authors often use spam and office-related files to spread backdoor trojans on Windows and Mac.