Versatile Linux backdoor acts as downloader, spyware

Another Linux Trojan has been discovered by researchers, and this one is pretty versatile: it opens a backdoor into the infected device, can download and run additional malicious files, and can spy on users by logging keystrokes and making screenshots.

Dr. Web researchers dubbed it Xunpes, and consists of two components: a generic dropper and the actual backdoor, which gets saved into the /tmp/.ltmp/ folder after the dropper is launched.

“Once launched, the backdoor written in C decrypts the configuration file using the key that is hard-coded in its body. Its configuration parameters include a list of C&C servers and proxy servers addresses and other information necessary for the correct operation of the malicious program. After that, the Trojan establishes connection to the server and waits for commands from cybercriminals,” the researchers explained.

The Trojan can be made to execute over 40 commands sent by the attacker. Among these are to get a decryption of future commands from the server, remove itself, download files and execute them, terminate the backdoor, create, open, copy, rename, delete files and folders, run bash commands, generate KeyPressed and ButtonRelease events, take screenshots and log keystrokes and send it all to the C&C server, and much more.

It’s interesting to note that the dropper also displays a curious login box, asking the user to enter their login and password:

Curious login box

Is this a way to prevent users from suspecting that something untoward is happening with their machine? Is the malware masquerading as legitimate software in order to get on it?

I’ve asked Dr. Web researchers for more details about this, and I will share the answers when I get them.