Linux malware: Second screen-grabbing Trojan surfaces in space of a week

Researchers have found Linux malware that appears to target a particular brand of Bitcoin ATM but works “just fine” on Ubuntu.

Malware researchers at a Russian security firm have identified a new Trojan for Linux devices that takes screenshots and logs keystrokes.

According to researchers at security firm Dr Web, there are signs that suggest that the Linux spyware, labelled Linux.BackDoor.Xunpes.1, has been designed to target Bitcoin ATMs from a Spain-based startup called Pay MaQ.


Dr Web’s researchers point to a ‘dropper’ or installer package for the malware, which launches a login page bearing Pay MaQ’s logo.

After running the package, a backdoor is saved to the folder /tmp/.ltmp/. The backdoor establishes an encrypted connection to a remote server that executes several commands, including ones for taking screenshots and logging keystrokes, and then retransmits the resulting data.
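An added host check, written for this article and not part of Dr Web's report or tooling: it looks for the staging location described above (a hidden directory directly under /tmp, such as /tmp/.ltmp/) and reports any executable files found inside. Only the directory name .ltmp comes from the article; the function name, scan root and output format are assumptions.

```python
"""Added example: flag hidden directories under /tmp and list executables inside.
Only the ".ltmp" name comes from the article; the rest is assumed for this example."""
import os
import stat
from typing import Dict, List


def find_hidden_tmp_staging(tmp_root: str = "/tmp") -> List[Dict[str, object]]:
    """Return one record per hidden (dot-prefixed) directory directly under tmp_root.

    Each record carries the directory path, the regular files inside it that
    have any execute bit set (a dropped backdoor must be executable to run),
    and whether the name matches the ".ltmp" directory reported by Dr Web.
    """
    findings: List[Dict[str, object]] = []
    try:
        entries = os.listdir(tmp_root)
    except FileNotFoundError:
        return findings
    for name in sorted(entries):
        path = os.path.join(tmp_root, name)
        # Only hidden directories are of interest here; skip files and visible dirs.
        if not name.startswith(".") or not os.path.isdir(path):
            continue
        executables: List[str] = []
        for dirpath, _dirs, files in os.walk(path):
            for fname in files:
                fpath = os.path.join(dirpath, fname)
                try:
                    mode = os.lstat(fpath).st_mode
                except OSError:
                    continue
                # Ignore symlinks; flag regular files with user/group/other exec bits.
                exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
                if stat.S_ISREG(mode) and mode & exec_bits:
                    executables.append(fpath)
        findings.append({
            "dir": path,
            "executables": executables,
            "matches_reported_name": name == ".ltmp",
        })
    return findings


if __name__ == "__main__":
    for finding in find_hidden_tmp_staging():
        print(finding)
```

Run it as an unprivileged user to review hidden directories in /tmp; a hit on a dot-directory holding an executable is a lead to triage, not proof of infection.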

Despite the presence of a Pay MaQ-branded login page, a spokesperson for Dr Web said its researchers are not certain that the malware is designed specifically for Pay MaQ’s Bitcoin ATMs.

The dropper also carries three username and password pairs embedded in the Trojan. The login page returns an error message unless one of those credential pairs is used.

The company speculates that the passwords may have just been debugging information that the malware’s creators forgot to remove.

Pay MaQ has kept a fairly low profile in recent months. The company ran an Indiegogo campaign in 2014 to fund its “low-cost” Bitcoin ATMs, but failed to meet its €60,000 target.

That failure raises the question of why spyware would be created for a machine that isn’t on the market. However, Dr Web’s spokesman said the malware functions “just fine” on Linux distributions such as Ubuntu.

Linux malware isn’t so common, but Linux.BackDoor.Xunpes.1 is the second Trojan for Linux machines turned up by Dr Web this week. The other piece of Linux malware, Linux.Ekoms.1, takes screenshots every 30 seconds and sends them to a remote server.

The security company is unable to explain how a Linux PC would become infected by either of the two Trojans.

“The investigation is still ongoing,” Dr Web’s spokesman said. “The C&C server was hosted on some suspicious website which went 403 a few days ago. Maybe victims were downloading malware from there and it got shut down after getting attention from infosec specialists.”
