A Linux malware with backdoor capabilities has been discovered after successfully staying hidden for years. The malware allowed its operators to harvest and exfiltrate sensitive information from infected devices. The researchers from 360 Netlab, who discovered this malware, have named it RotaJakiro.

The malware

According to researchers from Qihoo 360's Network Security Research Lab, the malware remained undetected by VirusTotal's anti-malware engines, even though the first sample was uploaded in 2018.
  • The malware is built to operate as stealthily as possible: it protects its communication channels with ZLIB compression and XOR, ROTATE, or AES encryption.
  • The malware does its best to prevent malware analysts from examining it. The resource information located within the sample identified by 360 Netlab's BotMon system is encrypted with the AES algorithm.
  • Operators can use this malware to exfiltrate system details and sensitive data, manage plugins and files, and run various plugins on infected 64-bit Linux devices.
  • The malware supports a total of 12 functions, three of which are linked to the execution of certain plugins. However, experts have no visibility into other plugins, and thus their purpose is unknown.

Additional samples and links with Torii botnet 

Since the first RotaJakiro sample was uploaded to VirusTotal, 360 Netlab researchers have spotted four different samples until January 2021, all of them with zero detections.
  • The researchers found links to the Torii IoT botnet first discovered by malware expert Vesselin Bontchev and examined by Avast's Threat Intelligence Team in September 2018.
  • Both pieces of malware use the same commands after being deployed on infected systems. Additionally, the developers used similar constants and construction techniques in both cases.
  • The two also share functional similarities, such as the use of encryption algorithms to hide sensitive resources, the persistence technique, and a structured approach to network traffic.

Conclusion

RotaJakiro malware has become quite sophisticated, with the ability to remain undetected for several years. This indicates how malware developers are evolving and adopting new techniques to stay hidden. Thus, there is a dire need for organizations and security professionals to keep themselves updated to stay ahead of such threats.

Cyware Publisher
