New Linux Trojan performs system reconnaissance

A new Linux threat has been identified by Dr.Web researchers. Dubbed Linux.Ekoms.1, this Trojan's apparent function is to collect details about the system it has infected and what the user does on it.

The Trojan's main capability is to take screenshots of the machine's desktop every 30 seconds. It saves them to a temporary folder in JPEG or BMP format under a name of the form ss%d-%s.sst, where %s is a timestamp.

The screenshots are later sent to a server controlled by the attacker (the server addresses are hard-coded in the malware).
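A hunting check for the artifact described above, written here as an added example and not code from Dr.Web or from the malware itself: it walks a directory looking for files named in the ss%d-%s.sst pattern whose content begins with JPEG or BMP magic bytes, since an image hidden behind a non-image extension is the combination the report describes. The page does not say which temporary folder is used or how the timestamp is formatted, so the directory is a parameter and the timestamp is assumed to be digits only; the sample files are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Filename pattern reported for Linux.Ekoms.1 screenshots: ss%d-%s.sst.
# Assumption (not stated on the page): %d is a decimal counter and %s is a
# digits-only timestamp; widen the second group if your samples differ.
SST_NAME = re.compile(r"^ss(\d+)-(\d+)\.sst$")

JPEG_MAGIC = b"\xff\xd8\xff"
BMP_MAGIC = b"BM"


def is_image(header: bytes) -> bool:
    """True if the leading bytes look like JPEG or BMP, the two formats the report names."""
    return header.startswith(JPEG_MAGIC) or header.startswith(BMP_MAGIC)


def find_ekoms_screenshots(directory: str) -> list:
    """Return sorted file names in `directory` that both match ss%d-%s.sst
    and start with image magic bytes. A matching name with non-image
    content is reported separately by the caller if wanted; here it is
    simply not flagged, to keep false positives down."""
    hits = []
    for entry in Path(directory).iterdir():
        if not entry.is_file():
            continue
        if not SST_NAME.match(entry.name):
            continue
        with entry.open("rb") as fh:
            header = fh.read(3)
        if is_image(header):
            hits.append(entry.name)
    return sorted(hits)


def build_sample_dir() -> str:
    """Constructed sample directory (not real malware output): two fake
    screenshots, one decoy with the right name but text content, and one
    unrelated file."""
    d = tempfile.mkdtemp(prefix="ekoms-demo-")
    samples = {
        "ss1-1453210801.sst": JPEG_MAGIC + b"\xe0" + b"\x00" * 16,
        "ss2-1453210831.sst": BMP_MAGIC + b"\x00" * 16,
        "ss3-1453210861.sst": b"just text\n",
        "notes.txt": b"unrelated\n",
    }
    for name, content in samples.items():
        (Path(d) / name).write_bytes(content)
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    for name in find_ekoms_screenshots(sample):
        print("suspicious screenshot artifact:", name)
```

In practice you would point `find_ekoms_screenshots` at the temporary directory a sample actually writes to (for example /tmp, which is an assumption, not something the report states) and correlate a hit with a process that rewrites the file roughly every 30 seconds.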

"All information transmitted between the server and Linux.Ekoms.1 is encrypted. The encryption is initially performed using the public key; and the decryption is executed by implementing the RSA_public_decrypt function to the received data," the researchers found. In OpenSSL, RSA_public_decrypt recovers data that was transformed with the matching private key, so the Trojan can only act on server messages produced by whoever holds that key; that step authenticates the command channel rather than hiding its contents from anyone who has the embedded public key.

The malware is also capable of audio recording, although the current variant of the Trojan does not use it.

The malware can download various additional files if the cybercriminals command it.

The researchers did not mention how the malware gets delivered to the victims.