Image: Dr Web

Malware researchers at a Russian security firm have identified a new Trojan for Linux devices that takes screenshots and logs keystrokes.

According to researchers at security firm Dr Web, there are signs that suggest that the Linux spyware, labelled Linux.BackDoor.Xunpes.1, has been designed to target Bitcoin ATMs from a Spain-based startup called Pay MaQ.

Dr Web's researchers point to a 'dropper' or installer package for the malware, which launches a login page bearing Pay MaQ's logo.

After running the package, a backdoor is saved to the folder /tmp/.ltmp/. The backdoor establishes an encrypted connection to a remote server that executes several commands, including ones for taking screenshots and logging keystrokes, and then retransmits the resulting data.

Despite the presence of a Pay MaQ-branded login page, a spokesperson for Dr Web said its researchers are not certain that the malware is designed specifically for Pay MaQ's Bitcoin ATMs.

The dropper also contained three usernames and passwords contained within the Trojan. The login page will return an error message unless those credentials are used.

The company speculates that the passwords may have just been debugging information that the malware's creators forgot to remove.

Pay MaQ has kept a fairly low profile in recent months. The company ran an Indiegogo campaign in 2014 to fund its "low-cost" Bitcoin ATMs, but failed to meet its €60,000 target.

That failure raises the question why spyware would be created for a machine that isn't on the market. However, Dr Web's spokesman said the malware functions "just fine" on Linux distributions such as Ubuntu.

Linux malware isn't so common but Linux.BackDoor.Xunpes.1 is the second Trojan for Linux machines turned up by Dr Web this week. The other piece of Linux malware, Linux.Ekoms.1, takes screenshots every 30 seconds and sends them to a remote server.

The security company is unable to explain how a Linux PC would become infected by either of the two Trojans.

"The investigation is still ongoing," Dr Web's spokesman said. "The C&C server was hosted on some suspicious website which went 403 a few days ago. Maybe victims were downloading malware from there and it got shut down after getting attention from infosec specialists."

ZDNet has contacted Pay MaQ and will update the story if it receives a response.

More on Linux