Researchers have discovered a Linux backdoor malware called RotaJakiro, which has managed to stay under the radar for about three years, allowing threat actors to run a protracted data-harvesting operation.
The malware was named after the rotate encryption it uses and the distinct execution paths it follows for root and non-root accounts.
While early versions of the malware were uploaded on VirusTotal as early as May 2018, the findings come following an analysis of a malware sample detected on March 25, 2021.
A total of four RotaJakiro samples have been found so far, all of which have a low detection rate, with just seven antivirus engines flagging the threat as malicious.
Researchers at Qihoo 360 NETLAB, who discovered the threat, say that RotaJakiro is designed with stealth in mind, as it uses multiple encryption algorithms, including AES, XOR, and ROTATE, as well as ZLIB compression.
RotaJakiro Malware Capabilities
The malware exhibits obvious backdoor capabilities: its functions are tasked with gathering data from the target device, stealing sensitive information, executing file-related operations, and downloading and launching plugins from a command and control (C&C) server.
Researchers are still unsure about the true intent behind this malware because 3 of RotaJakiro's 12 functions cannot currently be analyzed. NETLAB said these three functions are related to the execution of plugins, which were not available for analysis.
“Unfortunately, we have no visibility to the plugins, and therefore do not know its [RotaJakiro’s] true purpose,” Alex Turing and Hui Wang, researchers at NETLAB, wrote in a blog post.
However, researchers discovered the malware uses some C&C domains that date from 2015 and observed some code overlaps between RotaJakiro and a botnet called Torii, suggesting that RotaJakiro and Torii are connected.