Malware for Linux designed to take screenshots every 30 seconds. It can upload the /tmp folder to the server and download various files upon cybercriminals’ command.
Once launched, it checks for the following files:
where $DATA = QStandardPaths::writableLocation(QStandardPaths::GenericDataLocation)
It the specified files are not found, the Trojan saves its own copy named as one of the mentioned files randomly chosen. Then, the copy is launched from a new directory. The Trojan’s body has the RSA key that is used to obtain the AES session key. If the launch is successful, Linux.Ekoms.1 connects to the server whose addresses are hard-coded in its body. All information transmitted between the server and Linux.Ekoms.1 is encrypted. The encryption is initially performed using the public key; and the decryption is executed by implementing the RSA_public_decrypt function to the received data.
The Trojan exchanges data with the server using AbNetworkMessage. The id line determines the executed action:
|0xff9c||Installs the AES key.|
|0xff9b||Sets up a proxy to connect to the server.|
|0xff93||Creates a downloader object. The body of the message contains transactionId. A randomly named file is created.|
|0xff92||The file body and transactionId are sent. Then, the file is saved, and the downloader object is removed.|
|0xff94||Launches onCommand that, in turn, creates the SearchAndUploadFiles object. Probably, this function is not implemented as the run() method in a new thread returns control immediately.|
|0xff98||Is received as an answer to UploadRequest sent by the Trojan.|
|0xff99||OnBotServiceControl. Turns a specified service on/off.|
|0xff9a||infoClassesRequest. Sends services status.|
UploadRequest creates the separate AbUploaderThread thread where all files from the /tmp folder are uploaded to the server. The full path to them takes more than 31 bytes.
The Trojan launches the following services:
It saves the following information to the $HOME/.config/autostart/%exename%.desktop file:
[Desktop Entry] Type=Application Name=%exename% Exec=%pathtoexe% Terminal=false
Then, it checks for this file in infinite loop. If the file is not found, it is created once again.
Every 30 seconds the service takes a screenshot and saves it to a temporal folder in the JPEG format with a name in the ss%d-%s.sst format, where %s is a timestamp. If the file is not saved, the Trojan tries to save it in the BMP format.
It generates a filtering list for the "aa*.aat", "dd*ddt", "kk*kkt", "ss*sst” files that are searched in the temporary location and uploads the files that match these criteria to the server. If the answer is the uninstall line, Linux.Ekoms.1 downloads the /tmp/ccXXXXXX.exe executable file from the server, saves it to the temporary folder and runs it.
Along with the ability of screenshot taking, the Trojan has the AbAudioCapture special class to record sound and save it with the name of aa-%d-%s.aat in the WAV format. However, in fact, this feature is not used anywhere.