Heads up, Linux users! New malware is in the wild targeting Linux systems. Researchers have identified this malware as ‘RotaJakiro’, a Linux backdoor that steals data from devices. This malware, despite active campaigns for the past three years, managed to escape detection.
RotaJakiro Linux Backdoor Malware
Researchers from Qihoo 360’s Network Security Research Lab (360 Netlab) have caught a new malware in the wild. Though it isn’t really a new malware, rather it successfully stayed under the radar for three years.
Identified as RotaJakiro, the researchers have observed it serving as a backdoor malware targeting Linux devices. The backdoor mainly steals data from the infected machines, alongside installing various plugins.
Overall, the researchers have found 4 different samples of the same malware in the wild – all with zero VirusTotal detections. However, they analyzed the latest malware variant to study RotaJakiro.
Briefly, RotaJakiro is a unique malware in that it uses rotates encryption and exhibits different behavior for root/non-root accounts. It uses numerous encryption algorithms during its operation. For instance, it relies on AES to encrypt resource information. Whereas, it uses
ROTATE encrypt ion, and
ZLIB compression to communicate with its C&C.
As for its functionality, the malware possesses 12 different functions that predominantly fall in the following four function categories.
- Stealing device details
- Pilfering data
- Plugin/File management
- Execution of a plugin as needed
Whereas, for starting its operation, the malware, upon reaching a target device, implements different persistence features.
For root accounts, the malware simply creates an autostart script as per the targeted Linux distros.
Whereas, for non-root accounts, the malware creates an autostart script for the desktop environment and modifies the .bashrc file to create the autostart script for the shell environment.
The researchers have presented a detailed technical analysis of the malware in their blog post.
RotaJakiro Resembling Torii Botnet
During their analysis, the researchers specifically observed the similarity of RotaJakiro with Torii – a botnet that also caught attention in 2018.
They noticed the similarity of commands, traffic, the use of encryption to conceal resources, traditional persistence, and other functionalities.
Currently, it remains unclear whether Torii and RotaJakiro share the same lineage. Also, the researchers haven’t exactly discovered how the malware spreads and targets devices.