New Linux Trojan Ekocms appears, takes screenshots and records audio
Dr.Web, a Russian software vendor, recently discovered a new Trojan for the Linux platform, Linux.Ekocms.1. In the samples intercepted so far, the Trojan can take screenshots, record audio files and send them to a remote server.
A new Trojan that can capture screenshots
This new Trojan, Linux.Ekocms, was discovered a few days ago. At present, Ekocms mainly threatens users running Linux systems, a platform on which Linux.Encoder.1 and Linux.XOR.DDoS have already caused many problems.
Linux.Encoder mainly targets Linux machines used for web hosting or as code repositories. Once Linux.Encoder.1 runs on a victim's machine, the Trojan traverses the files under /home, /root and /var/lib/mysql and tries to encrypt their contents. Like ransomware on Windows, it uses AES (a symmetric-key encryption algorithm) to encrypt the contents of these files, which does not consume many system resources during this phase.
The AES key, together with the AES initialization vector, is then encrypted with RSA (an asymmetric encryption algorithm). Once these files are encrypted, the Trojan moves on to the rest of the filesystem from the root directory, skipping important system files so that the encrypted operating system still boots normally. Security researchers later found a flaw that allows the encrypted files to be restored without paying the ransom. Code analysis shows that the ransomware requires root-level privileges.
Linux.XOR.DDoS infects 32-bit and 64-bit Linux systems, installs a rootkit to hide itself, and herds the infected machines into a botnet used for DDoS attacks.
According to Dr.Web's description, this new Trojan belongs to the spyware family. The Trojan takes a screenshot of the infected computer every 30 seconds and sends it to the remote server. The screenshots are first saved to one of two folders; if these folders do not exist, the Trojan creates them as needed. If your Linux system has no anti-virus software installed, you can check the following two folders for signs of infection:
- $HOME/$DATA/.mozilla/firefox/profiled
- $HOME/$DATA/.dropbox/DropboxCache
Details have not been disclosed
The default screenshot format is JPEG, and the file name contains the time of the screenshot. If the image cannot be saved in that format, the Trojan saves it as BMP. Linux.Ekocms uploads files at regular intervals and connects to the C&C server through a network proxy. The attackers hard-code the C&C server's IP address in the Trojan, and both the address and the uploaded data are encrypted, which makes it difficult for third parties to analyze the Trojan with reverse-engineering tools.
At present, Linux.Ekocms is an information-collecting Trojan that gives attackers access to data on the target host. However, Dr.Web's security experts have not yet revealed how the Trojan infects Linux users.
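As an added example (not from the article or from Dr.Web), the following script turns the two folder paths and the 30-second capture interval described above into a host check: it looks for the folders and flags them when they hold JPEG or BMP files whose modification times run at that cadence. It assumes the folders are relative to a base directory passed by the caller, since the article does not define $DATA, and that file modification times still reflect the capture order.

```python
import os
from pathlib import Path

# Subfolders the Dr.Web description names as the Trojan's local screenshot cache.
# The article writes them under "$HOME/$DATA/"; $DATA is undefined there, so this
# example takes the base directory as a parameter (assumption).
EKOCMS_SUBFOLDERS = (".mozilla/firefox/profiled", ".dropbox/DropboxCache")
IMAGE_SUFFIXES = {".jpg", ".jpeg", ".bmp"}  # JPEG by default, BMP as fallback


def longest_periodic_run(mtimes, interval=30.0, tolerance=5.0):
    """Length of the longest chain of files written about `interval` seconds apart.

    Screenshots taken every 30 seconds form a long chain; pictures a user saves
    by hand almost never do, so the run length separates the two cases.
    """
    times = sorted(mtimes)
    best = run = 1 if times else 0
    for earlier, later in zip(times, times[1:]):
        if abs((later - earlier) - interval) <= tolerance:
            run += 1
            best = max(best, run)
        else:
            run = 1
    return best


def scan_folder(folder):
    """Count image files in one cache folder and measure their 30-second cadence."""
    images = [p for p in folder.iterdir()
              if p.is_file() and p.suffix.lower() in IMAGE_SUFFIXES]
    run = longest_periodic_run(p.stat().st_mtime for p in images)
    return {"folder": str(folder), "images": len(images), "longest_30s_run": run}


def check_host(base_dir, min_run=3):
    """Return one finding per Ekocms cache folder that exists under base_dir.

    A folder is flagged suspicious only when at least `min_run` images were
    written at the Trojan's 30-second cadence; a folder that merely exists is
    recorded so a reviewer can inspect its contents.
    """
    findings = []
    for rel in EKOCMS_SUBFOLDERS:
        folder = Path(base_dir) / rel
        if not folder.is_dir():
            continue
        result = scan_folder(folder)
        result["suspicious"] = result["longest_30s_run"] >= min_run
        findings.append(result)
    return findings


if __name__ == "__main__":
    for finding in check_host(Path.home()):
        print(finding)
```

Run it as the user whose home directory should be checked; an empty result means neither folder exists.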