My view: The only _actually interesting question_ in any report about
malware is how the code gets executed. The cited story says exactly
zero about that -- leaving the natural suspicion that this codebase has
no means of entry whatsoever, but rather would be installed by certain
script kiddies after user-level compromise by other means entirely.
I checked the referenced 'new report Intezer Labs shared with The Hacker
News' to see if it were any better. Paul Litvak, writing for Intezer
Labs, is perfectly honest and straight-forward about this: He doesn't
know, since this codebase was discovered as 'a test version that was
uploaded to VirusTotal, perhaps by mistake'. Fair enough. The author
semi-almost-implies one speculation:
Gamaredon Group is an alleged Russian threat group. It has been active
since at least 2013, and has targeted individuals likely involved with
the Ukrainian government. Gamaredon Group infects victims using
malicious attachments, delivered via spear phishing techniques.
[...] Our investigation into EvilGnome yielded several similarities
between the threat actors behind EvilGnome and Gamaredon Group: [...]
'Phishing' means sending users deceptive simulated requests for the
user's login credentials, e.g., to webmail. 'Spear phishing' is a
gimmicky bit of AV-biz marketing jargon, where the meaning is just
phishing but sent to key individuals whom the criminals particularly
would find useful to fool in that way.
But Litvak doesn't otherwise say anything about a means of execution on
the target user's machine. My surmise is that it's just another trojan,
which is to say it's something that would be installed after entry and
compromise through other means entirely. Litvak referring to it as a
'Linux backdoor implant' supports this surmise. It's common for
computer crackers (or their scripted tools) to install backdoor
processes so that the criminal can have a means of re-entry if the user
or the user's admin starts killing malware processes (or they die,
Basically, this doesn't strike me as even a tiny bit interesting.
The template of '$EVILCODE does $STUFF to your system if you run it'
raises the obvious question of 'What about _not_ running it?' By and
large, code doesn't run itself, so failure to answer that 'one
interesting question' means the interesting bit got omitted.
It's poor form to be amused at my own writing, but I rather like where I
said to the AV-biz guy
Hey, am I being trolled? Posting references to "Hey, download me
and I'll mail you a lollipop" trojans isn't new. Throwing in two
local privilege-escalation attacks to silently gain root on unpatched
systems, _if_ the user is dumb enough to download and run untrustworthy
code from nobody in particular, isn't new either. So, wow: A user
acting in an extremely stupid manner is likely to hurt
his/her system. News at 11.