When you download a piece of software, you likely assume it’s safe if it comes from a reputable source. But a recent high-profile supply chain attack delivered a sobering reminder: even trusted distributors can unknowingly spread malware to millions.

Popular cross-platform download manager Free Download Manager (FDM) recently disclosed that cybercriminals compromised their website and infected the Linux version of their software for over three years. The stealthy malware, implanted directly into FDM’s distribution channels, highlights the growing threat of supply chain attacks and the urgent need for enhanced cyber vigilance.

How supply chain attacks operate

Supply chain attacks infiltrate trusted software sources to plant malware further up the distribution chain. This allows tainted programs to slip past traditional endpoint defenses since the infection happens before delivery to users.

With Free Download Manager, hackers associated with an Eastern European cybercrime group exploited a vulnerability on FDM’s website. They modified pages hosting Linux download links to redirect users to a malicious site instead of the real FDM installer.

For over three years, Linux users who visited these compromised pages unknowingly downloaded a Trojanized version of the FDM software implanted with malware. Windows and Mac versions remained unaffected.

Once installed, the malware pursued a two-pronged strategy on victims’ systems:

  • Quietly stealing sensitive data like passwords, wallet files, browsing history and system information.
  • Establishing a secret backdoor for attackers to remotely access infected devices.

By targeting the distribution process itself, the criminals cleverly avoided traditional security layers like antivirus, network filtering, or application controls. The malware easily bypassed scrutiny since it appeared to originate directly from the official software vendor.
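As an added illustration (not FDM’s own detection script and not code from the original post), the two client-side checks below would flag the mechanism described above: a download link that bounces to a host other than the vendor’s, and an installer whose SHA-256 does not match the published value. The host names, URLs and file bytes are constructed placeholders.

```python
import hashlib
from urllib.parse import urlparse

# Constructed sample values for this example; they are not real FDM
# hashes, hosts or URLs.
VENDOR_HOST = "downloads.vendor.example"
GOOD_INSTALLER = b"#!/bin/sh\necho 'legitimate installer'\n"
PUBLISHED_SHA256 = hashlib.sha256(GOOD_INSTALLER).hexdigest()


def off_vendor_hops(redirect_chain, vendor_host=VENDOR_HOST):
    """Return every URL in the redirect chain whose host is not the vendor's.

    The FDM compromise worked by pointing a download link at a different
    site, so every hop is checked, not only the final URL. Hosts are
    compared case-insensitively; a URL with no host is reported as well.
    """
    bad = []
    for url in redirect_chain:
        host = (urlparse(url).hostname or "").lower()
        if host != vendor_host.lower():
            bad.append(url)
    return bad


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_download(redirect_chain, data, vendor_host=VENDOR_HOST,
                    published_sha256=PUBLISHED_SHA256):
    """Return a list of findings; an empty list means both checks passed."""
    findings = [f"redirect left vendor host: {u}"
                for u in off_vendor_hops(redirect_chain, vendor_host)]
    actual = sha256_hex(data)
    if actual != published_sha256.lower():
        findings.append(f"sha256 mismatch: got {actual[:16]}..., "
                        f"published {published_sha256[:16]}...")
    return findings


if __name__ == "__main__":
    # Clean case: one hop on the vendor host, bytes match the published hash.
    print("clean:", verify_download([f"https://{VENDOR_HOST}/fdm.deb"], GOOD_INSTALLER) or "ok")
    # Tampered-page case: the vendor page bounces elsewhere and serves other bytes.
    print("tainted:", verify_download(
        [f"https://{VENDOR_HOST}/linux", "https://other-host.example/fdm.deb"],
        b"something else"))
```

The published hash must come from a channel the attacker could not edit along with the download page (for example a signed release note or a distribution package index); a hash posted on the compromised page itself would simply match the tainted file.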

A prolonged breach

Particularly troubling is the prolonged lifespan of this supply chain attack, which persisted undetected for over three years until public disclosure in 2022.

Many Linux users did report strange behavior upon downloading FDM during this period. However, the root cause only came to light following an investigation by cybersecurity firm Kaspersky.

FDM ultimately determined a Ukrainian hacking group compromised a specific webpage to carry out the supply chain attack. The infection was accidentally resolved during a routine site update in early 2022, finally closing this lengthy breach.

In response, FDM released a detection script allowing users to scan for signs of infection. They advised reinstalling entire systems in case of compromise, underscoring how deeply supply chain malware embeds itself once it arrives inside trusted software.

This case reinforces that supply chain attacks can corrupt the integrity of software long before it reaches customers. Even security-aware users can be left vulnerable when the infection happens at the source.

Securing systems against invisible threats

For individuals and organizations, the FDM breach provides a sobering reminder to re-examine security strategies in light of supply chain risks.

While the FDM incident involved Linux users, supply chain attacks ultimately threaten all organizations and individuals relying on downloaded software. Attackers continue to probe for the weakest link that will allow access to high-value targets.

By targeting trusted sources like FDM and tainting software before it reaches customers, supply chain attacks circumvent traditional controls. This allows malware to operate undetected for extended periods, as users have no reason to suspect the integrity of downloads from legitimate providers.

The takeaway is that vigilance is required at all levels for both commercial and open-source software sources. As supply chain attacks grow in frequency and sophistication, building resilience against software corruption will only become more vital.

Verimatrix provides cybersecurity solutions for mobile apps and websites that can help protect organizations against supply chain attacks like FDM. To safeguard your weakest links, ask us about Verimatrix XTD and Web Protect—two cybersecurity solutions that can plug open holes that may exist in your enterprise security wall.

For users and vendors alike, the FDM breach provides an urgent reminder: don’t take your downloads for granted. The next infection may be invisible until it’s too late.