Data Security

Stealthy RotaJakiro backdoor malware targeting Linux for 3 years

New RotaJakiro Stealthy Linux Malware With System Backdoor Capabilities Went Unnoticed for 3 Years.

Qihoo 360’s Network Security Research Lab, aka 360 NetLab, the research team has discovered a new Linux malware with outstanding backdoor capabilities. The malware is dubbed RotaJakiro, and it allows attackers to steal and exfiltrate sensitive system data from compromised devices.

Reportedly, RotaJakiro can operate stealthily and encrypt all of its communication channels via ROTATE, XOR, AES encryption, and ZLIB compression.

Malware Remained Undetected for Three Years

Research revealed that the RotaJakiro malware avoided detection successfully in the past three years that it has remained active. Even VirusTotal’s anti-malware engines couldn’t detect it for all those years. Despite that, a sample was uploaded in 2018.

In March 2021, 360 NetLab researchers discovered four samples of the malware. All of these so far remained undiscovered by anti-malware engines, and just seven security vendors managed to identify the malware’s latest version as malicious.

RotaJakiro Attacks Linux X64 Machines

It can prevent malware analysts from inspecting it because the resource information within the sample found by 360 NetLab’s BotMon system was encrypted with the AES algorithm.

SEE: Chinese hackers using RedXOR backdoor against Linux systems

Moreover, according to researchers, the malware is immensely sharp. It first determines whether the user is non-root or root at run time and uses various execution policies from different accounts to decrypt the sensitive resources.

Using process guarding and encryption tactics and persistence maintaining techniques, it uses a single instance to establish communication with its C&C server. It waits for the signal from the server to execute commands.

It relies on a combination of cryptographic algorithms and supports 12 functions to gather device metadata, steal sensitive data, carry out file-related operations, and download/execute plug-ins from the C&C server.

SEE: Golang malware infecting Windows, Linux servers with XMRig miner

Although it has been designed with stealth in mind, the true intent of the campaign is yet unclear. Some of the C&C server domains were registered way back in December 2015.

RotaJakiro Shares Similarities with Torii

Researchers have identified similarities between RotaJakiro and Torii botnet. Both malware hashes similar styles from a reverse-engineering perspective, from using encryption algorithms to hiding sensitive resources, many of their functions are identical.

“The implementation of a rather old-school style of persistence, structured network traffic, etc. We don’t exactly know the answer, but it seems that RotaJakiro and Torii have some connections,” researchers wrote in a blog post.

To Top

Pin It on Pinterest

Share This