New Linux Trojan Takes Screenshots Every 30 Seconds And Records Audio
Russian antivirus company Doctor Web has detected a new threat against Linux users that seems to be designed to help cybercriminals spy on users. The Linux.Ekocms.1 trojan includes special features that allow it to take screenshots and record audio.
The malware, discovered four days ago, belongs to the spyware family and is designed to take a screenshot of the user’s desktop every 30 seconds. It saves each screenshot to a temporary folder in JPEG format with the extension .sst. If the screenshot cannot be saved as a JPEG, Ekocms attempts to save it in the BMP image format.
In most cases, screenshot files are saved to the same two folders, but if the folders don’t exist, the trojan will create its own when needed.
An examination of the trojan revealed that its developers are also working on a feature designed to record audio and save the recording in WAV format, in a file with the .aat extension in the same temporary folder. Although the sound recording feature exists in the code, it is not active in the Ekocms variant studied by Dr. Web.
The malware is designed to periodically search its temporary folder for files with certain names and extensions. It searches for .aat and .sst files, which are used to store the audio recordings and screenshots, and also for .ddt and .kkt files, which suggests the malware authors might be aiming at other types of content as well.
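The file naming described above lends itself to a simple check. The following Python script is an added example, not code from Doctor Web or the original article: it walks a directory and reports files carrying the .sst, .aat, .ddt or .kkt extensions, together with whether their first bytes match JPEG, BMP or WAV. The function names and the directory being scanned are assumptions.

```python
import os
import sys

# Extensions the article says the trojan looks for in its temporary folder.
SUSPECT_EXTENSIONS = {".sst", ".aat", ".ddt", ".kkt"}


def sniff_format(header: bytes) -> str:
    """Identify JPEG, BMP or WAV from the first bytes of a file."""
    if header.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if header.startswith(b"BM"):
        return "bmp"
    if header[:4] == b"RIFF" and header[8:12] == b"WAVE":
        return "wav"
    return "unknown"


def scan(root: str):
    """Return sorted (path, extension, detected format) for suspect files under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in SUSPECT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    header = fh.read(12)
            except OSError:
                header = b""  # unreadable file: still report it by name
            hits.append((path, ext, sniff_format(header)))
    return sorted(hits)


if __name__ == "__main__":
    # The directory to scan is an assumption; the default is the user's home.
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    for path, ext, fmt in scan(target):
        print(f"{path}\t{ext}\t{fmt}")
```

A .sst file that sniffs as JPEG or BMP, or a .aat file that sniffs as WAV, matches the behaviour described in the article; a hit with an unknown format only shows that the extension is in use.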
If you don’t have an antivirus solution installed on your Linux PC, you can check for Linux.Ekocms by inspecting the following two folders and seeing if you find any screengrabs: