RotaJakiro: new Linux malware disguised as systemd process

The research lab 360 Netlab has announced the identification of a new Linux malware, codenamed RotaJakiro, which includes a backdoor implementation that allows the infected system to be controlled remotely. The attackers could have installed the malicious software after exploiting unpatched vulnerabilities in the system or guessing weak passwords.

The backdoor was discovered while analyzing suspicious traffic from one of the system processes found during the analysis of the structure of a botnet used for DDoS attacks. Before that, RotaJakiro had gone unnoticed for three years: in particular, the first submissions to the VirusTotal service of files whose MD5 hashes match the detected malware date back to May 2018.

We named it RotaJakiro based on the fact that the family uses rotate encryption and behaves differently from root/non-root accounts when running.

RotaJakiro goes to considerable lengths to hide its traces, using multiple encryption algorithms: AES to encrypt the resource information within the sample, and a combination of AES, XOR and ROTATE encryption with ZLIB compression for C2 communication.

One characteristic of RotaJakiro is the use of different masking techniques depending on whether it runs as an unprivileged user or as root. To hide its presence, the malware uses the process names systemd-daemon, session-dbus and gvfsd-helper, which, given the number of service processes in a modern Linux distribution, look legitimate at first glance and do not arouse suspicion.

RotaJakiro uses techniques such as dynamic AES and double-layer encrypted communication protocols to counter binary and network traffic analysis.
At runtime, RotaJakiro first determines whether the user is root or non-root, applies a different execution policy for each account type, and then decrypts the relevant sensitive resources.

When run as root, the files systemd-agent.conf and systemd-agent.service are created to activate the malware, and the malicious executable is placed at the following paths: /bin/systemd/systemd-daemon and /usr/lib/systemd/systemd-daemon (the functionality is duplicated in two files).

When run as a normal user, the autostart file $HOME/.config/autostart/gnomehelper.desktop is used and changes are made to .bashrc; the executable is saved as $HOME/.gvfsd/.profile/gvfsd-helper and $HOME/.dbus/sessions/session-dbus. Both executables are launched at the same time, and each monitors the presence of the other and restores it if it is shut down.

RotaJakiro supports a total of 12 functions, three of which are related to the execution of specific plugins. Unfortunately, we do not have visibility of the plugins and therefore we do not know their true purpose. From a broad backdoor perspective, the features can be grouped into the following four categories.

Report device information
Steal sensitive information
File / plugin management (check, download, delete)
Running a specific plugin

To hide its activity, the backdoor uses various encryption algorithms: AES encrypts its resources, and the communication channel with the control server is hidden using AES, XOR and ROTATE in combination with ZLIB compression. To receive control commands, the malware contacts four domains on network port 443, using its own protocol rather than HTTPS or TLS.

The domains (cdn.mirror-codes.net, status.sublineover.net, blog.eduelects.com and news.thaprior.net) were registered in 2015 and are hosted by the Kiev hosting provider Deltahost. The backdoor integrates 12 basic functions that allow the operator to load and run add-ons with extended functionality, transfer device data, intercept confidential data and manage local files.
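The persistence paths, process names and C2 domains listed above are the host-side and network-side indicators a defender can actually check for. The following triage script is an added example written for this article; it is not 360 Netlab's code and was not part of the original report. It works on plain lists of strings (file paths, `ps -eo pid,comm` output, resolver log lines) so it runs offline on the constructed sample data embedded below, and the same functions can be fed live data from `find`, `ps` and your DNS logs. The location of systemd-agent.conf is not given in the article, so that file is matched by basename only, and the sample path chosen for it is a constructed placeholder.

```python
"""Host and DNS triage for the RotaJakiro indicators named in the article.

Added defender-side example; not 360 Netlab's code. All sample inputs are
constructed for the demonstration.
"""
import os
import re
from typing import Dict, Iterable, List, Tuple

# Full paths reported for the root-account variant.
ROOT_PATHS = {
    "/bin/systemd/systemd-daemon",
    "/usr/lib/systemd/systemd-daemon",
}
# Files the article names for the root variant without giving a location,
# so they are matched on basename only.
ROOT_BASENAMES = {"systemd-agent.conf", "systemd-agent.service"}
# Paths relative to $HOME for the non-root variant.
USER_SUFFIXES = (
    ".config/autostart/gnomehelper.desktop",
    ".gvfsd/.profile/gvfsd-helper",
    ".dbus/sessions/session-dbus",
)
# Process names the malware uses to blend in with real service processes.
PROCESS_NAMES = {"systemd-daemon", "session-dbus", "gvfsd-helper"}
# C2 domains from the article (kept as a tuple so results are ordered).
C2_DOMAINS = (
    "cdn.mirror-codes.net",
    "status.sublineover.net",
    "blog.eduelects.com",
    "news.thaprior.net",
)


def flag_paths(paths: Iterable[str]) -> List[str]:
    """Return every path that matches a reported persistence artifact."""
    hits = []
    for path in paths:
        if path in ROOT_PATHS or os.path.basename(path) in ROOT_BASENAMES:
            hits.append(path)
            continue
        # Any home directory: match on the trailing relative path.
        if any(path.endswith("/" + suffix) for suffix in USER_SUFFIXES):
            hits.append(path)
    return hits


def flag_processes(ps_lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Parse 'pid comm' lines (as from `ps -eo pid,comm`) and return the
    processes whose command name is one of the masquerading names."""
    hits = []
    for line in ps_lines:
        parts = line.split(None, 1)
        if len(parts) != 2 or not parts[0].isdigit():
            continue  # header or malformed line
        pid, comm = int(parts[0]), parts[1].strip()
        if comm in PROCESS_NAMES:
            hits.append((pid, comm))
    return hits


def flag_dns(log_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (domain, log line) pairs for queries to the reported C2 domains.
    The regex requires a non-hostname character on both sides so that
    look-alike names such as foo-cdn.mirror-codes.net.example are not matched."""
    hits = []
    for line in log_lines:
        for domain in C2_DOMAINS:
            pattern = r"(^|[^A-Za-z0-9.-])" + re.escape(domain) + r"($|[^A-Za-z0-9-])"
            if re.search(pattern, line):
                hits.append((domain, line.strip()))
                break
    return hits


def triage(paths, ps_lines, dns_lines) -> Dict[str, list]:
    """Run all three checks and collect the results in one report."""
    return {
        "paths": flag_paths(paths),
        "processes": flag_processes(ps_lines),
        "dns": flag_dns(dns_lines),
    }


# Constructed sample data (not real telemetry). The systemd-logind path,
# dbus-daemon process and mirror.ubuntu.com query are benign controls.
SAMPLE_PATHS = [
    "/usr/lib/systemd/systemd-daemon",
    "/usr/lib/systemd/systemd-logind",
    "/home/alice/.config/autostart/gnomehelper.desktop",
    "/home/alice/.dbus/sessions/session-dbus",
    "/root/.config/systemd-agent.conf",  # placeholder location, see lead-in
]
SAMPLE_PS = ["PID COMMAND", "1 systemd", "812 dbus-daemon",
             "2314 gvfsd-helper", "2315 session-dbus"]
SAMPLE_DNS = [
    "Apr 28 10:01:02 host dnsmasq[400]: query[A] cdn.mirror-codes.net from 10.0.0.5",
    "Apr 28 10:01:03 host dnsmasq[400]: query[A] mirror.ubuntu.com from 10.0.0.5",
    "Apr 28 10:01:05 host dnsmasq[400]: query[A] status.sublineover.net from 10.0.0.5",
]

if __name__ == "__main__":
    for category, findings in triage(SAMPLE_PATHS, SAMPLE_PS, SAMPLE_DNS).items():
        print(category, findings)
```

Because the C2 channel runs on port 443 without TLS, a hit on one of these domains is easier to confirm from DNS or proxy logs than from TLS inspection; any long-lived connection to port 443 that never completes a TLS handshake from a host that also shows one of the paths above is a strong lead. Process-name hits on their own are only leads: confirm them by reading /proc/<pid>/exe and checking that path against the artifact list.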

From a reverse engineering perspective, RotaJakiro and Torii share similar styles: the use of encryption algorithms to hide sensitive resources, the implementation of a rather old-fashioned persistence style, structured network traffic, etc.

Finally, if you are interested in learning more about the research carried out by 360 Netlab, you can check the details at the following link.