In the last one week, Linux.Ekocms.1 trojan has become the latest threat that targets Linux PCs, soon after ransomware Linux.Encoder and the Linux XOR DDoS malware had showed a large number of issues and have created blotches in Linux’s status as impermeable when it comes to malware infections.
According to Russia’s top anti-virus company, Dr.Web, this trojan is a part of the spyware family that was specially designed in order to take screenshots of the user’s desktop every 30 seconds. In most cases, the recorded screenshot files got saved to the same two folders, but in the absence of the folders, the trojan created its own folder when needed.
People using Linux PC without an antivirus solution installed can diagnose for Linux.Ekocms themselves by searching the following two folders and seeing if they can find any screengrabs:
The trojan saves all files in JPEG format with a title consisting of the timestamp of the screenshot. On facing an error while saving the screenshot, the trojan will instead use the BMP format for saving the screengrabs, which are then uploaded to an available remote server. Linux.Ekocms uploads these files to a C&C (command and control) server via a proxy IP at regular intervals. The server’s IP address is hard-coded into the trojan’s source code thus, all files are sent via an encrypted connection, therein third-party reverse engineers tools will have a tedious job to pick up on the trojan’s operations.
The presence of an audio recording feature in its codebase, as claimed by Dr.Web experts remains dysfunctional as it was never active in the trojan’s normal operation. The latest version, Linux.Ekocms is a powerful reconnaissance tool, that allows attackers to get a brief overview of the basic tools used on a daily basis by a Linux user and the websites visited.