Free Download Manager site redirected Linux users to malware for years

A reported Free Download Manager supply chain attack redirected Linux users to a malicious Debian package repository that installed information-stealing malware.

The malware used in this campaign establishes a reverse shell to a C2 server and installs a Bash stealer that collects user data and account credentials.

Kaspersky discovered the potential supply chain compromise case while investigating suspicious domains, finding that the campaign has been underway for over three years.

Although the cybersecurity company informed the software vendor about it, it has not received a response, so the exact means of compromise remains unclear.

Direct downloads and redirections

Kaspersky says that the official download page hosted on “freedownloadmanager[.]org” would sometimes redirect those attempting to download the Linux version to a malicious domain at “deb.fdmpkg[.]org,” which hosts a malicious Debian package.

Because the redirection happened only in some cases rather than on every download attempt from the official site, Kaspersky hypothesizes that scripts selected users for the malicious download based on specific but unknown criteria.

[Image: The redirection captured in a YouTube installation tutorial (BleepingComputer)]

Kaspersky observed various posts on social media, Reddit, StackOverflow, YouTube, and Unix Stack Exchange, where the malicious domain was disseminated as a reliable source for getting the Free Download Manager tool.

Furthermore, a 2021 post on the official Free Download Manager website shows an infected user pointing out the malicious ‘’ domain and being told that it is not affiliated with the official project.

On the same sites, users discussed problems with the software over the past three years, exchanging opinions about suspicious files and cron jobs it created, none realizing they were infected with malware.

While Kaspersky states that the redirection stopped in 2022, old YouTube videos [12] clearly show download links on the official Free Download Manager site redirecting some users to the malicious http://deb.fdmpkg[.]org URL rather than

However, this redirection was not used for everyone, with another video from around the same time showing a user downloading the program from the official URL instead.

Deploying info-stealing malware

The malicious Debian package, the format used for installing software on Debian-based Linux distributions, including Ubuntu and Ubuntu-based forks, drops a Bash information-stealing script and a crond backdoor that establishes a reverse shell from the C2 server.

The crond component creates a new cron job on the system that runs a stealer script upon system startup.

Kaspersky found that the crond backdoor is a variant of the ‘Bew’ malware in circulation since 2013, while the Bash stealer was first spotted in the wild and analyzed in 2019. In other words, the toolset isn’t novel.

The Bash stealer version analyzed by Kaspersky collects system info, browsing history, passwords saved on browsers, RMM authentication keys, shell history, cryptocurrency wallet data, and account credentials for AWS, Google Cloud, Oracle Cloud Infrastructure, and Azure cloud services.

[Image: The Bash information-stealing malware]

This collected data is then uploaded to the attackers’ server, where it can be used to conduct further attacks or sold to other threat actors.

If you installed the Linux version of Free Download Manager between 2020 and 2022, you should check whether the malicious version was installed.

To do this, look for the following files dropped by the malware, and if found, delete them:

  • /etc/cron.d/collect
  • /var/tmp/crond
  • /var/tmp/bs
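As an added example (not from the article or Kaspersky's report), here is a read-only POSIX shell function that performs the check above on a live system or on a mounted filesystem supplied as a root prefix. The extra look for the deb.fdmpkg.org repository domain in apt source files is an assumption that goes beyond the three listed files.

```shell
#!/bin/sh
# Added triage check (not the article's or Kaspersky's code). It only reads
# the filesystem and reports; deletion is left to the administrator.

# Paths the article lists as dropped by the malicious Debian package.
IOC_PATHS="/etc/cron.d/collect /var/tmp/crond /var/tmp/bs"
# Malicious repository domain named in the article. Assumption: a user who
# added the repo by hand may still have it in an apt source definition.
IOC_DOMAIN="deb.fdmpkg.org"

# fdm_check [ROOT]
#   ROOT is an optional prefix (e.g. a mounted image); empty means live system.
#   Prints one "FOUND:" line per indicator; returns 0 if clean, 1 if any found.
fdm_check() {
    root="${1:-}"
    found=0
    for p in $IOC_PATHS; do
        if [ -e "$root$p" ]; then
            echo "FOUND: $root$p"
            found=1
        fi
    done
    # Scan apt source definitions for the malicious repository domain.
    for f in "$root/etc/apt/sources.list" "$root"/etc/apt/sources.list.d/*; do
        [ -f "$f" ] || continue
        if grep -q "$IOC_DOMAIN" "$f" 2>/dev/null; then
            echo "FOUND: $IOC_DOMAIN referenced in $f"
            found=1
        fi
    done
    [ "$found" -eq 0 ] && echo "No Free Download Manager indicators found"
    return "$found"
}

# Run against the live system, or against a mounted root passed as argument.
fdm_check "${1:-}"
```

A non-zero exit status makes the function usable from a fleet-wide job that only needs to flag hosts for follow-up.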

Despite the age of the malicious tools used in these attacks, the signs of suspicious activity on infected computers, and multiple social media reports, the malicious Debian package remained undetected for years.

Kaspersky says this is due to a combination of factors, including the rarity of malware on Linux and the limited spread due to only a portion of users being redirected to the unofficial URL.

Source: BleepingComputer