“Xunpes” Linux Trojan

The security firm Dr. Web has found a new Trojan targeting Linux machines, named “Xunpes”; Dr. Web registered it in its virus database as Linux.BackDoor.Xunpes.1. The Trojan consists of a dropper and a backdoor, which together carry out the malicious functions on the infected machine. The dropper was built using Lazarus, a free cross-platform IDE for the Free Pascal compiler, and contains the backdoor in its body.

Once the dropper is launched, the backdoor, which is stored unencrypted in the dropper’s body, is saved to the /tmp/.ltmp folder. The researchers warn that this second component is responsible for all malicious activity on the infected machine. Once launched, the backdoor, written in C, decrypts its configuration file using a key hard-coded in its body. The configuration parameters include a list of C&C server and proxy server addresses and other information the malicious program needs to operate correctly. The Trojan then establishes a connection to the server and waits for commands from the cybercriminals.

Dr. Web also reveals that the Trojan can execute 40 commands, among them stealing user information, keylogging, and capturing screenshots.

Moreover, the security analysts found that the Trojan can send the names of files in a specified directory, transfer files to the server, and create, delete, and rename files and folders. The cybercriminals behind the malware can also use it to execute bash commands, send information about the machine and the .default.conf file, close specified windows, and more.
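The dropper behaviour described above (an executable written to a hidden path under /tmp before it is launched) is the kind of artefact a host-based hunt can look for. The script below is an added example, not Dr. Web’s code or anything from the Xunpes samples: it flags executable regular files stored under a dot-prefixed name in world-writable temp directories. The directory list, helper names, and the sample file inventory are constructed for illustration; the only value taken from the article is the /tmp/.ltmp path.

```python
"""
Hunt for executables hidden under dot-prefixed names in temp directories,
the staging pattern the article attributes to the Xunpes dropper.
Added example; helper names and sample data are constructed.
"""
import os
import stat
from dataclasses import dataclass
from typing import Iterable, List

# World-writable staging directories commonly abused by droppers
# (assumption: a typical Linux layout; extend for your hosts).
TEMP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")


@dataclass
class FileRecord:
    path: str
    mode: int   # st_mode as returned by os.stat / os.lstat
    size: int


def is_hidden_component(path: str) -> bool:
    """True if the path lies under a temp dir and any component below it starts with '.'."""
    for base in TEMP_DIRS:
        if path == base or path.startswith(base + "/"):
            rel = path[len(base):].lstrip("/")
            return any(part.startswith(".") for part in rel.split("/") if part)
    return False


def is_executable(mode: int) -> bool:
    """Any execute bit set (owner, group or other)."""
    return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def suspicious_temp_files(records: Iterable[FileRecord]) -> List[str]:
    """Return sorted paths of executable regular files hidden under a temp dir.

    Directories, sockets and symlinks are skipped (S_ISREG), so legitimate
    hidden directories such as /tmp/.X11-unix do not trigger the rule.
    """
    hits = [
        r.path
        for r in records
        if stat.S_ISREG(r.mode) and is_executable(r.mode) and is_hidden_component(r.path)
    ]
    return sorted(hits)


def scan_live(dirs: Iterable[str] = TEMP_DIRS) -> List[str]:
    """Walk the real temp directories on this host and apply the same rule."""
    records: List[FileRecord] = []
    for base in dirs:
        for root, _subdirs, files in os.walk(base):
            for name in files:
                full = os.path.join(root, name)
                try:
                    st = os.lstat(full)   # lstat: a symlink is not a regular file
                except OSError:
                    continue
                records.append(FileRecord(full, st.st_mode, st.st_size))
    return suspicious_temp_files(records)


# Constructed sample inventory: the kind of listing a file-integrity agent
# or an `ls -laR /tmp` transcript would yield. Modes are st_mode values.
SAMPLE_RECORDS = [
    FileRecord("/tmp/.ltmp", 0o100755, 48_120),             # hidden executable (article's path)
    FileRecord("/tmp/.X11-unix", 0o040777, 4096),           # hidden but a directory: ignored
    FileRecord("/tmp/build.log", 0o100644, 2_048),          # visible, not executable
    FileRecord("/var/tmp/.cache/update", 0o100755, 9_300),  # hidden executable in a subdir
    FileRecord("/home/user/.bashrc", 0o100644, 3_771),      # hidden, but not in a temp dir
]

if __name__ == "__main__":
    for path in suspicious_temp_files(SAMPLE_RECORDS):
        print("suspicious:", path)
```

Treat the output as a triage list rather than a verdict: some legitimate tools do stage hidden helpers in /tmp, so each hit should be checked for what process created it and whether it later opened outbound connections, which matches the C&C contact the article describes. On a live host, `scan_live()` runs the same rule over the real directories.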


Manish Dangol

