Posted on January 20, 2016 by CELO NET
Linux Malware Takes Screenshots Every 30secs
Malware for Linux designed to take screenshots every 30 seconds. It can upload the /tmp folder to the server and download various files upon cybercriminals’ command.
Once launched, it checks for the following files:
$HOME/$DATA/.mozilla/firefox/profiled
$HOME/$DATA/.dropbox/DropboxCache
where $DATA = QStandardPaths::writableLocation(QStandardPaths::GenericDataLocation)
If the specified files are not found, the Trojan saves a copy of itself under one of the listed names, chosen at random, and launches that copy from the new directory. The Trojan's body carries an RSA key that is used to obtain the AES session key. If the launch is successful, Linux.Ekoms.1 connects to a server whose addresses are hard-coded in its body. All information exchanged between the server and Linux.Ekoms.1 is encrypted: outgoing data is first encrypted with the public key, and incoming data is decrypted by applying the RSA_public_decrypt function to it.
The Trojan exchanges data with the server using AbNetworkMessage. The id field determines the action performed:
id Action performed
0xff9c Installs the AES key.
0xff9b Sets up a proxy to connect to the server.
0xff93 Creates a downloader object. The body of the message contains transactionId. A randomly named file is created.
0xff92 The file body and transactionId are sent. Then, the file is saved, and the downloader object is removed.
0xff94 Launches onCommand, which in turn creates the SearchAndUploadFiles object. This function is probably not implemented, since the run() method of the new thread returns control immediately.
0xff98 Is received as an answer to UploadRequest sent by the Trojan.
0xff97 UploadStatus.
0xff99 OnBotServiceControl. Turns a specified service on/off.
0xff9a infoClassesRequest. Sends services status.
UploadRequest creates a separate AbUploaderThread thread that uploads to the server all files from the /tmp folder whose full path is longer than 31 bytes.
The Trojan launches the following services:
EkomsAutorun:
It saves the following information to the $HOME/.config/autostart/%exename%.desktop file:
[Desktop Entry]
Type=Application
Name=%exename%
Exec=%pathtoexe%
Terminal=false
Then it checks for this file in an infinite loop; if the file is not found, it is created again.
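A defender can look for this persistence mechanism by parsing the entries in $HOME/.config/autostart and comparing the Exec target against the drop locations named above. The following script is an added example, not code from the article or from Dr.Web; it assumes that QStandardPaths::GenericDataLocation resolves to $HOME/.local/share on a typical Linux desktop (so the two drop paths become $HOME/.local/share/.mozilla/firefox/profiled and $HOME/.local/share/.dropbox/DropboxCache), and all function names and the sample .desktop contents are mine.

```python
"""Flag XDG autostart entries matching the Linux.Ekoms.1 persistence pattern.

Added example (not from the article). Assumption: GenericDataLocation is
$HOME/.local/share, so the drop paths are
$HOME/.local/share/.mozilla/firefox/profiled and
$HOME/.local/share/.dropbox/DropboxCache. Function names are mine.
"""
import configparser
import os
import shlex

# Names the Trojan copies itself to, relative to the generic data directory
EKOMS_DROP_NAMES = (".mozilla/firefox/profiled", ".dropbox/DropboxCache")


def generic_data_dir(home):
    """Assumed value of QStandardPaths::GenericDataLocation for this home."""
    return os.path.join(home, ".local", "share")


def ekoms_drop_paths(home):
    """Absolute paths of the two possible Trojan copies."""
    return tuple(os.path.join(generic_data_dir(home), n) for n in EKOMS_DROP_NAMES)


def parse_desktop_entry(text):
    """Parse the [Desktop Entry] group of a .desktop file into a dict.

    optionxform=str keeps key case (.desktop keys are case-sensitive);
    text without a section header is treated as 'no entry'.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    if not cp.has_section("Desktop Entry"):
        return {}
    return dict(cp.items("Desktop Entry"))


def _under_hidden_data_subdir(exe, home):
    """True if exe sits below a dot-directory directly inside the data dir."""
    if not os.path.isabs(exe):
        return False
    first = os.path.relpath(exe, generic_data_dir(home)).split(os.sep)[0]
    return first != ".." and first.startswith(".")


def classify_desktop_entry(text, home):
    """Return the reasons (possibly none) an autostart entry looks like Ekoms."""
    entry = parse_desktop_entry(text)
    reasons = []
    exec_line = entry.get("Exec", "")
    if not exec_line:
        return reasons
    try:
        exe = shlex.split(exec_line)[0]
    except ValueError:            # unbalanced quotes: fall back to a plain split
        exe = exec_line.split()[0]
    exe = os.path.expanduser(exe)
    if exe in ekoms_drop_paths(home):
        reasons.append("Exec points at a known Ekoms drop path: " + exe)
    # The article's template: Name=%exename%, Exec=%pathtoexe%, Terminal=false
    if (entry.get("Name") == os.path.basename(exe)
            and entry.get("Terminal", "").lower() == "false"
            and _under_hidden_data_subdir(exe, home)):
        reasons.append("Name equals the executable's basename and Exec lives "
                       "under a hidden directory inside the data location")
    return reasons


def scan_autostart(home):
    """Walk $HOME/.config/autostart and return {path: reasons} for hits."""
    autostart = os.path.join(home, ".config", "autostart")
    findings = {}
    if not os.path.isdir(autostart):
        return findings
    for name in sorted(os.listdir(autostart)):
        if not name.endswith(".desktop"):
            continue
        path = os.path.join(autostart, name)
        with open(path, encoding="utf-8", errors="replace") as fh:
            reasons = classify_desktop_entry(fh.read(), home)
        if reasons:
            findings[path] = reasons
    return findings


# Constructed samples (not files taken from an infected host)
SAMPLE_SUSPECT = """[Desktop Entry]
Type=Application
Name=profiled
Exec=/home/alice/.local/share/.mozilla/firefox/profiled
Terminal=false
"""
SAMPLE_BENIGN = """[Desktop Entry]
Type=Application
Name=Dropbox
Exec=/usr/bin/dropbox start -i
Terminal=false
"""

if __name__ == "__main__":
    print(classify_desktop_entry(SAMPLE_SUSPECT, "/home/alice"))
    print(classify_desktop_entry(SAMPLE_BENIGN, "/home/alice"))
    for path, why in scan_autostart(os.path.expanduser("~")).items():
        print(path, why)
```

Run it as a normal user to scan your own autostart directory; the second heuristic (Name equal to the basename, Terminal=false, executable under a dot-directory inside the data location) catches a renamed copy even if the drop path differs from the two the article lists, at the cost of some false positives from legitimately packaged user-local applications.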
EkomsUserActivity:
Every 30 seconds the service takes a screenshot and saves it to a temporary folder in JPEG format under a name of the form ss%d-%s.sst, where %s is a timestamp. If the file cannot be saved, the Trojan tries to save it in BMP format instead.
EkomsCcClient:
It generates a filter list for files named “aa*.aat”, “dd*ddt”, “kk*kkt” and “ss*sst”, searches the temporary location for them and uploads every file that matches to the server. If the response is the uninstall string, Linux.Ekoms.1 downloads the executable file /tmp/ccXXXXXX.exe from the server, saves it to the temporary folder and runs it.
In addition to taking screenshots, the Trojan has a special class, AbAudioCapture, to record sound and save it in WAV format under the name aa-%d-%s.aat. In practice, however, this feature is not used anywhere.
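The naming scheme described in the EkomsUserActivity and EkomsCcClient sections, together with the JPEG/BMP and WAV formats named above, gives an incident responder a cheap triage check on a suspect host's temporary directory. The script below is an added example, not code from the article or from Dr.Web; it assumes the filter list is meant as glob patterns with a dot before the extension (dd*.ddt, kk*.kkt), consistent with the ss%d-%s.sst and aa-%d-%s.aat names the article gives, and the function names and sample file headers are mine.

```python
"""Triage of temp-folder artifacts attributed to Linux.Ekoms.1.

Added example (not from the article). Assumption: the upload filter list is
read as globs with a dot before the extension; function names are mine.
"""
import fnmatch
import os
import tempfile

EKOMS_PATTERNS = ("aa*.aat", "dd*.ddt", "kk*.kkt", "ss*.sst")

# Magic numbers of the container formats the article names
JPEG_MAGIC = b"\xff\xd8\xff"
BMP_MAGIC = b"BM"
RIFF_MAGIC = b"RIFF"


def matches_ekoms_pattern(name):
    """True if a bare filename matches one of the upload filter globs."""
    return any(fnmatch.fnmatchcase(name, pat) for pat in EKOMS_PATTERNS)


def classify_artifact(name, head):
    """Classify a file by name and by the first bytes of its content.

    Returns 'screenshot-jpeg', 'screenshot-bmp', 'audio-wav', 'name-only'
    (name matches but content is not one of the expected formats), or None
    when the name does not match at all.
    """
    if not matches_ekoms_pattern(name):
        return None
    if name.endswith(".sst"):
        if head.startswith(JPEG_MAGIC):
            return "screenshot-jpeg"
        if head.startswith(BMP_MAGIC):   # fallback format when the JPEG save fails
            return "screenshot-bmp"
    if name.endswith(".aat"):
        if head.startswith(RIFF_MAGIC) and head[8:12] == b"WAVE":
            return "audio-wav"
    return "name-only"


def scan_temp_dir(directory=None):
    """Walk a temp directory (default: the system one) and return
    {path: classification} for every file whose name matches the list."""
    directory = directory or tempfile.gettempdir()
    findings = {}
    for root, _dirs, files in os.walk(directory):
        for fname in files:
            if not matches_ekoms_pattern(fname):
                continue
            path = os.path.join(root, fname)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(12)
            except OSError:              # unreadable file still counts as a hit
                head = b""
            findings[path] = classify_artifact(fname, head)
    return findings


# Constructed sample headers (not real artifacts)
SAMPLES = {
    "ss1-1453276800.sst": JPEG_MAGIC + b"\xe0",
    "ss2-1453276830.sst": BMP_MAGIC + b"\x00" * 10,
    "aa-1-1453276800.aat": b"RIFF\x24\x00\x00\x00WAVEfmt ",
    "kk3-1453276800.kkt": b"\x00\x01\x02",
    "notes.txt": b"hello",
}

if __name__ == "__main__":
    for fname, head in SAMPLES.items():
        print(fname, "->", classify_artifact(fname, head))
    for path, kind in scan_temp_dir().items():
        print(path, "->", kind)
```

A 'name-only' hit is still worth preserving: the article does not describe the contents of the dd*/kk* files, and the screenshot and audio classes may be absent from a given build, so the naming pattern alone is the more stable indicator.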