Researchers have discovered Linux malware that has existed for many years

Recently, researchers discovered that Linux malware with a backdoor function has existed for many years and has not been known. Using this malware allows attackers to obtain and transmit sensitive information from the device being attacked.

The malware is called RotaJakiro by researchers at Qihoo 360 Netlab team. Although a sample was uploaded for the first time in 2018, it has not yet been detected by the VirusTotal anti-malware engine.

RotaJakiro is designed to operate as concealed as possible, using ZLIB compression and AES, XOR, ROTATE encryption methods to encrypt its communication channels. In addition, it tried its best to prevent malware analysts from analyzing it, because 360 ​​Netlab’s BotMon system found that the resource information in the sample was also encrypted using the AES algorithm.

The researcher said:

“At the coding level, RotaJakiro uses techniques such as dynamic AES, double-layer encrypted communication protocols to counteract the binary & network traffic analysis.

At the functional level, RotaJakiro first determines whether the user is root or non-root at run time, with different execution policies for different accounts, then decrypts the relevant sensitive resources using AES & ROTATE for subsequent persistence, process guarding and single instance use, and finally establishes communication with C2 and waits for the execution of commands issued by C2.”

Attackers can use RotaJakiro to steal system information and sensitive data, manage plugins and files, and execute various plugins on the attacked 64-bit Linux device. However, due to the lack of visibility when it comes to plug-ins deployed on the infected system, the researchers have not yet discovered the true intentions of the malware creators with their malicious tools. “RotaJakiro supports a total of 12 functions, three of which are related to the execution of specific Plugins.”

Since the first RotaJakiro sample landed on VirusTotal in 2018, researchers found that four different samples were uploaded between May 2018 and January 2021, and the detection rate of all these samples was zero.