Linux malware staying under the radar:
Security researchers at Qihoo 360 NETLAB discovered RotaJakiro, a previously unknown Linux malware family. Their analysis shows that it functions as a backdoor, letting the actors behind it collect and exfiltrate sensitive data from infected systems.
RotaJakiro is built specifically for x64 Linux machines. The name reflects two of its traits: the family uses rotate encryption, and it behaves differently depending on whether it is executing as root or as a non-root user.
The backdoor came to light during an analysis of malware samples that began on March 25, 2021, but early versions had apparently been uploaded to VirusTotal as far back as 2018.
To date, four samples have been found on VirusTotal, all of which went undetected by the majority of anti-malware engines.
“At the functional level, RotaJakiro first determines whether the user is root or non-root at run time, with different execution policies for different accounts, then decrypts the relevant sensitive resources using AES & ROTATE for subsequent persistence, process guarding and single instance use, and finally establishes communication with C2 and waits for the execution of commands issued by C2,” the researchers explained.
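The researchers describe the sample unwrapping its embedded resources with AES and a rotate step before using them for persistence and C2 contact. As an added illustration for this article (not NETLAB's code and not RotaJakiro's actual routine, whose rotation amount and key layout are not given here), the Python below shows the first thing an analyst does when a string table looks rotated: brute-force every per-byte bit-rotate amount over the blob and rank the candidates by printable-ASCII density. The `DEMO_BLOB` resource, the threshold and the assumption that the plaintext is mostly printable text are all constructed for the demo.

```python
"""
Added example for this article (not NETLAB's code and not RotaJakiro's own
routine): an analyst-side brute force for a per-byte bit-rotate layer.

Assumptions, none of which come from the report:
  * the resource is obfuscated with a constant per-byte rotate by k bits,
    1 <= k <= 7 (a ROR by k equals a ROL by 8-k, so ROL 1..7 covers both);
  * the plaintext is mostly printable text (hostnames, paths, command
    strings), so printable-ASCII density is a usable score;
  * the sample blob below is constructed here for the demo.
"""
import string

# Bytes we accept as "plaintext": letters, digits, punctuation, whitespace.
PRINTABLE = frozenset(string.printable.encode("ascii"))


def rol8(b: int, k: int) -> int:
    """Rotate one byte left by k bits (k is taken mod 8)."""
    k &= 7
    return ((b << k) | (b >> (8 - k))) & 0xFF


def rotate_bytes(data: bytes, k: int) -> bytes:
    """Apply rol8 to every byte. Rotating by 8-k undoes a rotate-left by k."""
    return bytes(rol8(b, k) for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; 0.0 for empty input."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in PRINTABLE) / len(data)


def brute_force_rotate(blob: bytes, min_ratio: float = 0.95):
    """
    Try every non-trivial rotate amount and return the candidates as
    (k, plaintext, ratio), best score first.

    Trailing NUL padding is dropped first: a NUL rotates to itself, so it
    would only dilute the score. An empty result means the blob is probably
    not a bare rotate (for example, an AES layer may still be on top of it).
    """
    blob = blob.rstrip(b"\x00")
    candidates = []
    for k in range(1, 8):
        pt = rotate_bytes(blob, k)
        ratio = printable_ratio(pt)
        if ratio >= min_ratio:
            candidates.append((k, pt, ratio))
    candidates.sort(key=lambda c: c[2], reverse=True)
    return candidates


# Constructed demo resource: a fake persistence path, rotated right by 3
# (i.e. rotated left by 5) and NUL-padded like an entry in a C string table.
DEMO_PLAINTEXT = b"/etc/cron.d/example-task\n"
DEMO_BLOB = rotate_bytes(DEMO_PLAINTEXT, 5) + b"\x00" * 3


if __name__ == "__main__":
    for k, pt, ratio in brute_force_rotate(DEMO_BLOB):
        print(f"ROL {k} (= ROR {8 - k}): ratio={ratio:.2f} -> {pt!r}")
```

On a real sample this only peels the rotate layer; if the report's AES step sits on top, the scoring stays flat across all seven rotation amounts, which is itself the signal that another layer must come off first. Binary resources (keys, raw config structs) will not score well either, so a flat result is a cue to switch to a different plaintext test rather than a sign that the rotate guess is wrong.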
Malicious Abilities of RotaJakiro:
RotaJakiro is designed to stay under the radar, that is, to operate with stealth in mind.
It relies heavily on a combination of cryptographic algorithms to encrypt its communication with its command-and-control (C2) server.
Roughly 12 functions handle collecting device metadata, stealing sensitive information, performing file-related operations, and downloading and executing plug-ins fetched from the C2 server.
As for the campaign itself, there is currently no evidence pointing to the true purpose and objective of the malware.
However, the researchers made a notable observation: some of the C2 domains were registered as far back as December 2015, and there are overlaps between RotaJakiro and the Torii botnet.
“From the perspective of reverse engineering, RotaJakiro and Torii share similar styles: the use of encryption algorithms to hide sensitive resources, the implementation of a rather old-school style of persistence, structured network traffic, etc.,” the researchers said. “We don’t exactly know the answer, but it seems that RotaJakiro and Torii have some connections.”