A newly discovered Trojan for Linux periodically takes screenshots and can record sound through a microphone when one is connected. That sets it apart from most other Linux malware, which is usually designed to attack Linux-based servers.
The malware was discovered by Russian antivirus vendor Doctor Web, which calls it Linux.Ekoms.1. The company found that the malware takes a screenshot every 30 seconds and stores it in the temporary folders $HOME/$DATA/.mozilla/firefox/profiled and $HOME/$DATA/.dropbox/DropboxCache as either a JPG or a BMP file. The screenshots are periodically sent to the attacker's command and control server. The Trojan also searches for specific files, which are transferred to that server as well.
The sound recording feature allows the Trojan to record audio. The WAV files it produces are stored as .AAT files and would also be transferred to the attacker's server, but for some reason the attackers have not (yet) enabled the actual recording.
It’s unclear how many systems have already been infected by the Ekoms Trojan and it’s also unclear how systems get infected.
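A triage sweep for the on-disk traces described above, as an added example that is not from Doctor Web or the original article: it flags JPG/BMP content in the two named folders and WAV content saved with an .aat extension. The article does not say what $DATA expands to, so matching the folder suffix at any depth under the home directory is an assumption, as are the function names.

```python
import os
import sys

# Folder suffixes named in the article. "$DATA" is not defined there, so this
# matches the suffix at any depth below the home directory (an assumption).
STAGING_SUFFIXES = tuple(
    os.sep + os.path.join(*parts)
    for parts in ((".mozilla", "firefox", "profiled"), (".dropbox", "DropboxCache"))
)


def classify(path):
    """Identify JPEG, BMP or WAV content from the file header, else None."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(12)
    except OSError:
        return None  # unreadable file: skip it rather than abort the sweep
    if head[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if head[:2] == b"BM":
        return "bmp"
    if head[:4] == b"RIFF" and head[8:12] == b"WAVE":
        return "wav"
    return None


def scan(home):
    """Return sorted (path, reason) pairs for files matching the description."""
    findings = []
    for root, _dirs, files in os.walk(home):  # symlinked dirs are not followed
        in_staging = root.endswith(STAGING_SUFFIXES)
        for name in files:
            path = os.path.join(root, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # ignore symlinks, FIFOs, sockets and devices
            kind = classify(path)
            if in_staging and kind in ("jpeg", "bmp"):
                findings.append((path, kind + " image in staging folder"))
            elif name.lower().endswith(".aat") and kind == "wav":
                findings.append((path, "WAV audio with .aat extension"))
    return sorted(findings)


if __name__ == "__main__":
    home = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    for path, reason in scan(home):
        print(reason + ": " + path)
```

A hit is a lead for further examination, not proof of infection: the check relies only on file location, extension and header bytes.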