Linux.Ekoms.1 the Linux trojan that takes screenshots

Dr Web discovered a new Malware dubbed Linux.Ekoms.1 designed to target Linux systems and takes screenshots every 30 seconds.

Security experts at antivirus company Dr. Web have discovered a new Trojan dubbed Linux.Ekoms.1 designed to target Linux systems. The malware could be used to spy on the victims, it takes screenshots every 30 seconds and saves them to a temporary folder in the JPEG or BMP format using the extension .sst.

The experts from Dr. Web who analyzed the code discovered also that developers behind the threat are also implementing an audio-recording feature that allows them to record surrounding audio and save it in WAV format in a file with the .aat extension in the same temporary folder. This feature has been already implemented by malware authors behind Ekoms.1, but still not active in the strain of malware analyzed by the experts.

“Along with the ability of screenshot taking, the Trojan has the AbAudioCapture special class to record sound and save it with the name of aa-%d-%s.aat in the WAV format. However, in fact, this feature is not used anywhere.” reads the analysis published by Doctor Web.

The malware scans the infected system searching for files to upload, in encrypted format, to a remote server whose address is hardcoded in the trojan.

The Linux.Ekoms.1 periodically searches its temporary folder for files with certain names and extensions used to archive the screenshots (.sst) and audio recordings (.aat). The researchers also noticed that the malware scans for other extensions, a circumstance that suggests the authors are able to target other type of content as well (.ddt and .kkt files).

“It generates a filtering list for the “aa*.aat“, “dd*ddt”, “kk*kkt”, “ss*sst” files that are searched in the temporary location and uploads the files that match these criteria to the server. If the answer is the uninstall line, Linux.Ekoms.1 downloads the /tmp/ccXXXXXX.exe executable file from the server, saves it to the temporary folder and runs it.” continues the post.

The experts believe that the Linux.Ekoms.1 is an ongoing project, it is already able to perform a number of features, including enable/disable specified services, but there are some instructions that still have not been implemented by the authors.

In the criminal ecosystem Linux malware are becoming even more frequent, recently security experts from Doctor Web detected a Linux ransomware called Linux.Encoder and in October they discovered the Rekoobe Trojan, another threat that was initially developed to infect only Linux SPARC architectures and later it has been upgraded to target Linux PCs running on intel chips.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Linux.Ekoms.1, Linux)