Linux Trojan is designed to set up a SOCKS5 proxy server on the infected computer on the basis of the freeware source codes of the Satanic Socks Server.
To distribute the Trojan, cybercriminals log in to the vulnerable devices via the SSH protocol. The list of vulnerable devices, as well as the logins and passwords that go with them, are stored on the server belonging to the cybercriminals. The lists look like this:
An example of such list can be seen in the following picture:
It is notable that users with such account details are usually created by other Linux Trojans. A script is generated with the help of this list, and it runs on the attacked devices using sshpass.
Port for access to proxy server is saved in the Trojan’s body during its compilation. Examined samples use the following ports:
18902 27891 28910 33922 37912 39012 48944 49082 49098 56494 61092 61301