“On March 25, 2021, 360 NETLAB’s BotMon system flagged a suspicious ELF file with 0 VT [VirusTotal] detection, the sample communicates with 4 domains on TCP 443 (HTTPS), but the traffic is not of TLS/SSL,” the report reveals. A detailed inspection of the sample showed that it belonged to a backdoor specifically targeting Linux x64 systems that has been around for at least three years. The researchers named the malware RotaJakiro because the family uses rotate encryption and, upon execution, behaves differently for root and non-root accounts.
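The report's key network observation, connections to TCP 443 that do not carry TLS, can be turned into a simple triage check. The following is an added example, not code from 360 NETLAB or its report; the flows and hosts are constructed, and a real deployment would read the first client bytes of each connection from a packet capture.

```python
"""Added example (not 360 NETLAB's code): flag TCP/443 flows whose first client bytes
are not a TLS ClientHello, the traffic pattern the report describes for RotaJakiro."""
import struct
from dataclasses import dataclass

TLS_HANDSHAKE = 0x16
TLS_CLIENT_HELLO = 0x01
# Record-layer versions seen on the wire for SSL 3.0 through TLS 1.3 (TLS 1.3 still sends 0x0301/0x0303)
TLS_RECORD_VERSIONS = {0x0300, 0x0301, 0x0302, 0x0303}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes the client sent on the connection


def looks_like_client_hello(payload: bytes) -> bool:
    """True if payload opens with a TLS record that carries a ClientHello.

    Layout: record type(1) version(2) length(2), then handshake type(1) length(3).
    """
    if len(payload) < 9:  # not enough bytes to judge; treated as not-TLS so an analyst re-checks
        return False
    rec_type, rec_ver, rec_len = struct.unpack("!BHH", payload[:5])
    if rec_type != TLS_HANDSHAKE or rec_ver not in TLS_RECORD_VERSIONS or rec_len < 4:
        return False
    hs_type = payload[5]
    hs_len = int.from_bytes(payload[6:9], "big")
    # A ClientHello may be split across records, so only require a sane handshake length.
    return hs_type == TLS_CLIENT_HELLO and 0 < hs_len <= 0x3FFFF


def suspicious_443_flows(flows):
    """Return the flows to TCP/443 that do not start with a TLS ClientHello."""
    return [f for f in flows if f.dport == 443 and not looks_like_client_hello(f.payload)]


# Constructed sample flows (hypothetical hosts); only the leading bytes matter here.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "198.51.100.10", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 20),
    Flow("10.0.0.5", "198.51.100.20", 443, b"\x8a\x3f\x00\x10" + b"\x41" * 16),  # opaque custom protocol
    Flow("10.0.0.5", "198.51.100.30", 80, b"GET / HTTP/1.1\r\n"),
    Flow("10.0.0.5", "198.51.100.40", 443, b"\x16\x03"),  # too short to judge
]

if __name__ == "__main__":
    for f in suspicious_443_flows(SAMPLE_FLOWS):
        print(f"non-TLS traffic on 443: {f.src} -> {f.dst}")
```

Flows that fail the check are a lead, not a verdict: some legitimate software also speaks non-TLS protocols on 443, so the hit list should be joined with destination reputation and the originating process before escalating.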
RotaJakiro Malware: Technical Overview
The Linux malware has been developed with the capability to hide its trails via multiple encryption algorithms. It uses the AES algorithm to encrypt the resource information within the sample. The C2 communication is encrypted using a combination of AES, XOR, ROTATE encryption and ZLIB compression.
According to the research, the RotaJakiro malware supports 12 specific functions, three of which are related to the execution of particular plugins.
Unfortunately, the researchers have no visibility into or access to the plugins, and therefore do not know the malware's “true purpose”. Judging from typical backdoor behavior, the malware is expected to be capable of the following malicious activities:
- Reporting device information
- Stealing sensitive information
- File/Plugin management (query, download, delete)
- Execution of specific Plugin
How does the RotaJakiro Linux malware operate?
According to the report, the malware first determines at run time whether the user is root or non-root, and applies a different execution policy to each type of account. Its next steps include decrypting the relevant sensitive resources using AES & ROTATE for subsequent persistence, process guarding and single-instance enforcement, and establishing communication with the C2. Once these steps are complete, the malware waits for commands issued by the command-and-control server.
RotaJakiro’s reverse engineering shows that it shares similar styles with the Torii malware, such as the utilization of encryption to conceal sensitive resources and the implementation of “a rather old-school style of persistence.”
More about the Torii malware
The Torii botnet was identified in 2018. One of its characteristics was stealthy and persistent intrusion, carried out through Telnet sessions that probed for weak credentials. The attackers most likely brute-forced them or used lists of default username and password combinations.
In comparison to other botnets, one of the first actions performed by Torii was detecting the architecture in order to sort the infected host into one of a set of categories. Notably, the botnet appeared to support a wide variety of popular platforms: x86_64, x86, ARM, MIPS, Motorola 68k, SuperH and PPC.