A Linux backdoor recently discovered by researchers has avoided VirusTotal detection since 2018.
Dubbed RotaJakiro, the Linux malware has been described by the Qihoo 360 Netlab team as a backdoor targeting Linux 64-bit systems.
RotaJakiro was first detected on March 25 when a Netlab distributed denial-of-service (DDoS) botnet C2 command tracking system, BotMon, flagged a suspicious file.
At the time of discovery, there were no malware detections on VirusTotal for the file, despite four samples having been uploaded — two in 2018, one in 2020, and another in 2021.
Netlab researchers say the Linux malware changes its use of encryption to fly under the radar, including ZLIB compression and combinations of AES, XOR, and key rotation during its activities, such as the obfuscation of command-and-control (C2) server communication.
At present, the team says that they do not know the malware’s “true purpose” beyond a focus on compromising Linux systems.
There are 12 functions in total including exfiltrating and stealing data, file and plugin management — including query/download/delete — and reporting device information.
However, the team cites a “lack of visibility” into the plugins that is preventing a more thorough examination of the malware’s overall capabilities.
Netlab described the backdoor’s functions and encryption, as below:
“At the coding level, RotaJakiro uses techniques such as dynamic AES, double-layer encrypted communication protocols to counteract the binary & network traffic analysis.
At the functional level, RotaJakiro first determines whether the user is root or non-root at run time, with different execution policies for different accounts, then decrypts the relevant sensitive resources using AES & ROTATE for subsequent persistence, process guarding and single instance use, and finally establishes communication with C2 and waits for the execution of commands issued by C2.”
In addition, RotaJakiro will treat root and non-root users on compromised systems differently and will change its persistence methods depending on which accounts exist.
For example, when running under a root account, a new process may be created to automatically respawn configuration files, whereas in a non-root scenario, two separate processes are created to monitor and, if necessary, restore each other.
Netlab has also suggested links to the Torii botnet due to some coding similarities in commands and traffic management.
At the time of writing, six out of 61 VT engines now detect the backdoor’s files as malicious. Further analysis can be found at Intezer.
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0