A recently discovered Linux malware with backdoor capabilities has flown under the radar for years, allowing attackers to harvest and exfiltrate sensitive information from compromised devices.
The backdoor, dubbed RotaJakiro by researchers at Qihoo 360's Network Security Research Lab (360 Netlab), remains undetected by VirusTotal's anti-malware engines, although a sample was first uploaded in 2018.
RotaJakiro is designed to operate as stealthily as possible, hiding its communication channels behind ZLIB compression and a mix of AES, XOR and ROTATE encryption.
It also makes life harder for malware analysts: the resource information found within the sample spotted by 360 Netlab's BotMon system is encrypted with AES.
"At the functional level, RotaJakiro first determines whether the user is root or non-root at run time, with different execution policies for different accounts, then decrypts the relevant sensitive resources using AES & ROTATE for subsequent persistence, process guarding and single instance use, and finally establishes communication with C2 and waits for the execution of commands issued by C2," 360 Netlab said.
Linux backdoor used to exfil stolen data
Attackers can use RotaJakiro to exfiltrate system info and sensitive data, manage plugins and files, and execute various plugins on compromised 64-bit Linux devices.
However, 360 Netlab has yet to discover the malware creators' true intent for their tool, because it has no visibility into the plugins it deploys on infected systems.
"RotaJakiro supports a total of 12 functions, three of which are related to the execution of specific Plugins," the researchers added. "Unfortunately, we have no visibility to the plugins, and therefore do not know its true purpose."
Since 2018 when the first RotaJakiro sample landed on VirusTotal, 360 Netlab found four different samples uploaded between May 2018 and January 2021, all of them with an impressive total of zero detections.
Command-and-control servers historically used by the malware have domains registered six years ago, in December 2015, all of them
| FileName | MD5 | Detection | First Seen in VT |
|---|---|---|---|
| systemd-daemon | 1d45cd2c1283f927940c099b8fab593b | 0/61 | 2018-05-16 04:22:59 |
| systemd-daemon | 11ad1e9b74b144d564825d65d7fb37d6 | 0/58 | 2018-12-25 08:02:05 |
| systemd-daemon | 5c0f375e92f551e8f2321b141c15c48f | 0/56 | 2020-05-08 05:50:06 |
| gvfsd-helper | 64f6cfe44ba08b0babdd3904233c4857 | 0/61 | 2021-01-18 13:13:19 |
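As an added example (not part of the article or of 360 Netlab's research), a small hunting script that parses the sample table above into an IoC set and walks a directory tree, reporting files whose MD5 matches a listed sample and, at lower confidence, files that merely reuse one of the disguise names. The demo tree is constructed stand-in data, and the "simulated" hash hit is registered from a constructed file, not from real malware.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# IoC table as printed in the article above (360 Netlab's published samples).
IOC_TABLE = """\
FileName | MD5 | Detection | First Seen in VT |
---|---|---|---|
systemd-daemon | 1d45cd2c1283f927940c099b8fab593b | 0/61 | 2018-05-16 04:22:59 |
systemd-daemon | 11ad1e9b74b144d564825d65d7fb37d6 | 0/58 | 2018-12-25 08:02:05 |
systemd-daemon | 5c0f375e92f551e8f2321b141c15c48f | 0/56 | 2020-05-08 05:50:06 |
gvfsd-helper | 64f6cfe44ba08b0babdd3904233c4857 | 0/61 | 2021-01-18 13:13:19 |
"""

def parse_ioc_table(text):
    """Return ({md5: filename}, {disguise names}) from the pipe-delimited table."""
    hashes, names = {}, set()
    for line in text.splitlines()[2:]:  # skip the header and separator rows
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) >= 2:
            hashes[cells[1].lower()] = cells[0]
            names.add(cells[0])
    return hashes, names

def md5_of(path):
    return hashlib.md5(Path(path).read_bytes()).hexdigest()

def scan_tree(root, hashes, names):
    """Walk root: a hash hit is high confidence, a bare disguise-name hit is only a lead."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            digest = md5_of(path)
            if digest in hashes:
                findings.append((path, "hash-match:" + digest))
            elif fn in names:
                findings.append((path, "name-match:" + fn))
    return findings

def demo():
    """Constructed stand-in files (not malware): one name hit, one simulated hash hit."""
    hashes, names = parse_ioc_table(IOC_TABLE)
    with tempfile.TemporaryDirectory() as root:
        for rel, data in [("systemd-daemon", b"stand-in A"), ("gvfsd-helper", b"stand-in B"),
                          ("notes.txt", b"benign")]:
            Path(root, rel).write_bytes(data)
        hashes[md5_of(Path(root, "gvfsd-helper"))] = "gvfsd-helper"  # simulated known-bad hash
        return sorted(reason for _, reason in scan_tree(root, hashes, names))
```

On a real host, point scan_tree at the user and system directories you want to sweep; a name-only hit should be triaged (a VirusTotal lookup of the file's hash is the obvious next step) rather than treated as a confirmed infection.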
360 Netlab researchers also discovered links to the Torii IoT botnet first spotted by malware expert Vesselin Bontchev and analyzed by Avast's Threat Intelligence Team in September 2018.
The two malware strains use the same commands after being deployed on compromised systems, and they share similar construction methods and constants, suggesting the same developers are behind both.
RotaJakiro and Torii also share multiple functional similarities, including "the use of encryption algorithms to hide sensitive resources, the implementation of a rather old-school style of persistence, structured network traffic."
Comments
Dominique1 - 3 years ago
Not knowing what is their point of entry is not very useful to prevent them from running. One thing is for sure, if I get some systemd file via email, I'm not running it. LOL!!!
NickAu - 2 years ago
"Not knowing what is their point of entry is not very useful to prevent them from running. One thing is for sure, if I get some systemd file via email, I'm not running it. LOL!!!"
Oh come on, it came via email from an unknown source, it must be safe.
DrkKnight - 2 years ago
You know, I could remember for years, all these Mac and Linux users snubbing us Windows users, bragging about how impenetrable their operating systems were and how lowly Windows users were for using an OS full of holes and how they were not "vulnerable" to viruses, malware and everything else. My answer to them back then was that there were just not enough of them yet for virus and malware writers to care about.
Well I guess there are enough Mac and Linux users now and these hackers and malware writers are starting to pay attention to them and exploiting their once "impenetrable" systems.
I must say, it's not really funny but there is a little voice inside me that giggles my ass off when I see stuff like this.
Who is snubbing who now?
looncraz - 2 years ago
The vulnerability with Windows, traditionally, was its completely lax approach to execution authority. Windows would give anyone who could execute code on your system unfettered access to your system... at the same time, however, Linux already had a strong system of protections in place.
This situation has improved greatly on both fronts... Windows isn't as vulnerable as it once was... and neither is Linux.
This trojan isn't an exploit - which is what Windows is famous for... being full of holes.... this is a program like any other, just one that's apparently designed to act as part of a botnet. It pretends to communicate over HTTPS/SSL on port 443 like an email program and doesn't use any exploits or circumvent security... it likely has a counterpart on Windows.
What we don't know, still, is how it spreads... very likely it's packaged with something like a browser add-on or from a malicious modification of a package repository... we'll eventually figure it out... for now it seems someone should write a detection algorithm based around its network activity.
Tweeks-va - 2 years ago
heh.. systemd.. or this malware.. which is worse?
bcrypt - 2 years ago
The malware is masquerading as systemd. systemd and its developers are not behind this.