Only one of the binaries is for ARM (tfti). The others are for x86 and MIPS.
All symbols are stripped from the binaries. I only see two quick clues: an IRC server URL, and two Japanese strings that also appear in this article:
http://www.edison-newworld.com/2017/09/linuxtsunami-malware-...
Perl scripts join an IRC chan, wait for commands and google for vulnerable sites to exploit and/or exploit them. They also contain a nice list of proxies.
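The string-based clue hunting described above (no symbols, so grep the printable runs for an IRC host and non-ASCII text) can be scripted. The following is an added illustration, not code from the thread or from the analysed samples: it pulls printable ASCII runs the way `strings` does, flags IRC-looking hosts, commands and channel names, and separately scans for UTF-8 runs of Japanese characters. The embedded byte blob, the host `irc.example.invalid`, the nick and the channel `#hypothetical` are constructed stand-ins, not indicators from the real binaries.

```python
import re
from collections import defaultdict

# Constructed stand-in for a stripped ELF: junk bytes with a few embedded
# strings. None of these values come from the samples discussed in the thread.
SAMPLE_BINARY = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 16
    + b"irc.example.invalid:6667\x00"            # hypothetical C&C host:port
    + b"\x90\xcc\x13" * 7
    + b"NICK bot%d\x00JOIN #hypothetical\x00PRIVMSG"  # hypothetical IRC chatter
    + b"\xde\xad\xbe\xef" * 5
    + "\u3053\u3093\u306b\u3061\u306f".encode("utf-8") + b"\x00"  # hiragana, constructed
    + "\u30de\u30eb\u30a6\u30a7\u30a2".encode("utf-8") + b"\x00"  # katakana, constructed
    + b"/bin/sh\x00" + b"\x00" * 8
)

ASCII_MIN_LEN = 6

def ascii_strings(data: bytes, min_len: int = ASCII_MIN_LEN):
    """Yield runs of printable ASCII at least min_len long (what `strings` prints)."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.group().decode("ascii")

def japanese_strings(data: bytes):
    """Yield UTF-8 runs of Japanese text: hiragana, katakana and CJK ideographs."""
    # Decode leniently: bytes that are not valid UTF-8 become U+FFFD, which
    # never falls inside the character ranges below, so junk cannot match.
    text = data.decode("utf-8", errors="replace")
    for m in re.finditer(r"[\u3040-\u30ff\u4e00-\u9fff]{2,}", text):
        yield m.group()

# Loose patterns for the kind of IRC bot indicators the thread mentions.
IRC_PATTERNS = {
    "irc_host": re.compile(r"\birc\.[A-Za-z0-9.-]+(?::\d{2,5})?"),
    "irc_command": re.compile(r"\b(NICK|JOIN|PRIVMSG|USER|PONG)\b"),
    "irc_channel": re.compile(r"#[A-Za-z0-9_-]{2,}"),
}

def triage(data: bytes):
    """Bucket strings pulled from a stripped binary by indicator type."""
    hits = defaultdict(list)
    for s in ascii_strings(data):
        for name, pat in IRC_PATTERNS.items():
            for m in pat.finditer(s):
                hits[name].append(m.group())
    hits["japanese"] = list(japanese_strings(data))
    return dict(hits)

if __name__ == "__main__":
    for bucket, values in triage(SAMPLE_BINARY).items():
        print(f"{bucket}: {values}")
```

Run it against real files by replacing `SAMPLE_BINARY` with `open(path, "rb").read()`; on a packed sample you will get nothing useful until it is unpacked, which is a separate job.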
Thanks for looking into this! Yes, I had port 22 open and my password was not safe enough, I guess. Or alternatively this hack was due to a web app I was running in Flask with some vulnerabilities. Stranger thing: the hack happened back in March 2017 but got activated exactly on Jan 1 2018.
If it’s using Chrome headless, it’s superior to wkhtmltopdf. The latter has lots of little gotchas and things that may render fine in a browser but not in wkhtmltopdf. Chrome headless doesn’t suffer from those issues, obviously.
I know, but if I need to use an API to an external server I can also launch a command locally. $7 is not much, but I don't see any real benefit unless you want to capture a subsection of a website.
Also, with screen.rip you can run custom JS before capturing the screenshot and can also wait for certain elements to appear (which is quite important today with client-side rendered sites).