A new Linux backdoor that has successfully avoided detection since 2018 has recently been discovered by researchers.
Dubbed RotaJakiro by the Chinese Qihoo 360 Netlab team, the backdoor targets Linux 64-bit systems. Qihoo 360 Netlab first detected it on March 25 when Netlab’s BotMon, botnet C2 command tracking system, flagged a suspicious ELF file.
At the time of discovery, VirusTotal could not detect the file was malware even though four samples having been uploaded at different times in the past. At the time of writing, twelve out of 61 VirusTotal engines detect the backdoor as malicious.
The backdoor got its name – RotaJakiro – because the family rotates encryption to avoid detection and behaves differently for root/non-root accounts. Netlab researchers say the malware switches between ZLIB compression and combinations of AES, XOR, and employs obfuscation of command-and-control (C2) server communication.
The researchers say they could not determine the malware’s “true purpose” other than compromising Linux systems.
RotaJakiro’s functions include stealing and exfiltrating data, querying/downloading/deleting files and plugins, and exfiltrating device information.
Netlab described the backdoor’s functions and encryption, as below:
Among the techniques that RotaJakiro uses are dynamic AES and double-layer encrypted communication protocols to avoid detection by network traffic analysis.
When it runs on the infected system, RotaJakiro first determines whether the user is root or non-root, and based on the result, RotaJakiro will treat root and non-root users on compromised systems differently: apply different execution policies and changing its persistence methods.
It then decrypts the relevant sensitive resources using AES & ROTATE for persistence and process guarding. And finally establishes communication with C2 and waits for commands from its operators.
Netlab says RotaJakiro bears coding similarities in commands and traffic management to the Torii botnet.
For fuller analysis see this Intezer article.