New Linux Trojan Takes Screenshots Every 30 Seconds And Records Audio

Russian antivirus company Doctor Web has detected a new threat against Linux users that appears to be designed to help cybercriminals spy on them. The Linux.Ekocms.1 trojan includes special features that allow it to take screenshots and record audio.

The malware, discovered four days ago, belongs to the spyware family and is designed to take a screenshot of the user’s desktop every 30 seconds. It saves each screenshot to a temporary folder in JPEG format, using the extension .sst. If the screenshot cannot be saved as a JPEG, Ekocms attempts to save it in the BMP image format.

In most cases, screenshot files are saved to one of the same two folders; if a folder does not exist, the trojan creates it when needed.

An examination of the trojan revealed that its developers are also working on a feature designed to record audio and save the recording in WAV format, in a file with the .aat extension in the same temporary folder. This feature is not active in the Ekocms variant studied by Dr. Web, even though the sound recording code exists.

The malware is designed to periodically search its temporary folder for files with certain names and extensions. It searches for .aat and .sst files, which are used to store audio recordings and screenshots, and also for .ddt and .kkt files, which suggests the malware authors may be targeting other types of content as well.

If you don’t have an antivirus solution installed on your Linux PC, you can check for Linux.Ekocms by inspecting the following two folders and seeing if you find any screengrabs:

– $HOME/$DATA/.mozilla/firefox/profiled

– $HOME/$DATA/.dropbox/DropboxCache

By default, the trojan saves all files in JPEG format with a name that contains the timestamp of when the screenshot was taken. If there’s an error while saving the file, the trojan will use the BMP image format.
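As an added check (example code, not from the article or from Dr. Web), the following POSIX shell script inspects the two folders named above for files with the trojan’s extensions and classifies each by its magic bytes, since the screenshots are JPEG or BMP and the recordings WAV regardless of the extension. The base directory argument stands in for the article’s `$HOME/$DATA` prefix, which is an assumption; it defaults to `$HOME`.

```shell
#!/bin/sh
# Added example (not from the article or Dr. Web): look for Linux.Ekocms.1
# artifacts in the two folders the report names. BASE stands in for the
# article's "$HOME/$DATA" prefix (an assumption; default is $HOME).

EKOCMS_DIRS=".mozilla/firefox/profiled .dropbox/DropboxCache"
EKOCMS_EXTS="sst aat ddt kkt"   # .sst screenshots, .aat audio, .ddt/.kkt unknown

# Classify a file by its first four bytes: the trojan writes JPEG (or BMP on
# failure) screenshots and WAV audio no matter which extension it uses.
ekocms_kind() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        ffd8ff*)  echo jpeg ;;
        424d*)    echo bmp ;;
        52494646) echo wav ;;
        *)        echo unknown ;;
    esac
}

# Print "<kind><TAB><path>" for every file with one of the watched extensions
# in the watched folders under BASE. Prints nothing if nothing is found.
ekocms_scan() {
    base="${1:-$HOME}"
    for d in $EKOCMS_DIRS; do
        dir="$base/$d"
        [ -d "$dir" ] || continue
        for ext in $EKOCMS_EXTS; do
            for f in "$dir"/*."$ext"; do
                [ -f "$f" ] || continue      # unexpanded glob when no match
                printf '%s\t%s\n' "$(ekocms_kind "$f")" "$f"
            done
        done
    done
}

# Usage: ekocms_scan             # scans the live $HOME
#        ekocms_scan /mnt/image  # scans a mounted copy of a home directory
```

A hit only shows that a file with one of these extensions exists in one of these folders; confirm it with the magic-byte class and the timestamp-style filename before treating it as an infection.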

The files that match the search criteria are uploaded at regular intervals to a C&C (command and control) server via a proxy whose IP address is hardcoded in the trojan’s source code. All data sent by Linux.Ekocms.1 to the server is encrypted, so third-party reverse-engineering tools would have a hard time figuring out the trojan’s operations.

Dr. Web says that this functionality was never active in the trojan’s normal operation, in spite of the presence of an audio recording feature in its codebase.

Currently, Linux.Ekocms is a powerful reconnaissance tool that allows attackers to get an idea of the tools a Linux user uses on a daily basis and the websites they visit.

How this malware infects Linux computers has not been disclosed by Dr. Web malware specialists.
