The Chinese security team Qihoo 360 Netlab discovered the Linux malware RotaJakiro, which went unnoticed by VirusTotal for three years.
The backdoor was found while analysing suspicious traffic from a system process that had been identified during analysis of the structure of a botnet used for a DDoS attack.
Before that, RotaJakiro had gone unnoticed for three years: the earliest VirusTotal submissions of files whose MD5 hashes match the detected malware date from May 2018.
The malware disguises its activity with encryption and compression and by using program names that closely resemble standard Linux system programs. The names differ depending on whether RotaJakiro is running as root or as a regular user.
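A defender's first question on reading this is how to spot a process that borrows the name of a standard Linux program but runs from somewhere it should not. The following check is an added example written for this article, not code from Qihoo 360 Netlab or from the malware analysis: it walks /proc, reads each process's comm name and resolved executable path, and flags names that exactly match or closely resemble a system binary while the executable lives outside the standard binary directories, or has been deleted from disk. The list of system directories, the similarity cutoff and the sample process records are constructed assumptions for illustration; real RotaJakiro file names are not given on this page and are not used here.

```python
"""Flag processes whose name mimics a standard Linux binary but whose
executable lives outside the standard system directories."""
import difflib
import os
from pathlib import Path

# Assumed set of directories where legitimately installed binaries live.
SYSTEM_BIN_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin",
                   "/usr/lib", "/usr/libexec", "/lib")


def known_system_names(dirs=SYSTEM_BIN_DIRS):
    """Collect basenames of everything present in the system directories."""
    names = set()
    for d in dirs:
        p = Path(d)
        if p.is_dir():
            names.update(child.name for child in p.iterdir())
    return names


def is_system_path(path, dirs=SYSTEM_BIN_DIRS):
    """True if path is inside one of the expected system directories."""
    return any(path.startswith(d.rstrip("/") + "/") for d in dirs)


def read_procfs(proc="/proc"):
    """Return (pid, comm, exe) for every readable process in procfs."""
    out = []
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            comm = Path(proc, entry, "comm").read_text().strip()
            # readlink on /proc/<pid>/exe gives the path, with " (deleted)"
            # appended if the file was unlinked after the process started.
            exe = os.readlink(os.path.join(proc, entry, "exe"))
        except (FileNotFoundError, PermissionError, ProcessLookupError):
            continue  # kernel threads, exited processes, other users
        out.append((int(entry), comm, exe))
    return out


def flag_masquerading(processes, system_names, dirs=SYSTEM_BIN_DIRS, cutoff=0.8):
    """Return (pid, name, exe, reason) for suspicious-looking processes.

    reason is 'deleted' (binary unlinked from disk), 'exact' (name of a
    system binary, wrong location) or 'lookalike:<name>' (close match,
    wrong location). Processes running from system dirs are left alone.
    """
    flagged = []
    for pid, name, exe in processes:
        if not exe:
            continue
        if exe.endswith(" (deleted)"):
            flagged.append((pid, name, exe, "deleted"))
            continue
        if is_system_path(exe, dirs):
            continue
        if name in system_names:
            flagged.append((pid, name, exe, "exact"))
            continue
        close = difflib.get_close_matches(name, system_names, n=1, cutoff=cutoff)
        if close:
            flagged.append((pid, name, exe, f"lookalike:{close[0]}"))
    return flagged


# Constructed sample records standing in for a live /proc walk.
SAMPLE_NAMES = {"sshd", "systemd", "cron", "bash"}
SAMPLE_PROCESSES = [
    (1, "systemd", "/usr/lib/systemd/systemd"),      # legitimate
    (412, "sshd", "/usr/sbin/sshd"),                 # legitimate
    (900, "sshd", "/home/user/.config/sshd"),        # system name, user dir
    (902, "crond", "/var/tmp/crond"),                # lookalike of "cron"
    (903, "bash", "/usr/bin/bash (deleted)"),        # binary removed from disk
]


def demo():
    """Run the check over the constructed sample records."""
    return flag_masquerading(SAMPLE_PROCESSES, SAMPLE_NAMES)


if __name__ == "__main__":
    for hit in flag_masquerading(read_procfs(), known_system_names()):
        print(hit)
```

On a live host the `__main__` branch walks /proc with the caller's privileges, so run it as root to see other users' processes; the comm name is truncated by the kernel to 15 characters, so a long lookalike name may need the cutoff lowered or the comparison done against argv[0] from /proc/<pid>/cmdline instead.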
The malware is not an exploit; rather, it is a payload that opens a backdoor on the target machine. It can be installed by an unsuspecting user, an attacker, or through a Trojan dropper.
Experts do not yet fully understand how it works, but so far they have identified 12 functions, including ones for extracting and exfiltrating data, managing files and plugins, and reporting information about the device.
“At the coding level, RotaJakiro uses techniques such as dynamic AES, two-layer encrypted communication protocols, to counter the analysis of binary and network traffic. At the functional level, RotaJakiro first determines whether a user is root or non-root, at runtime, with different execution policies for different accounts, then decrypts the corresponding sensitive resources with AES & ROTATE to save, protect the process, and use a single instance later, and, finally establishes communication with C2 and waits for the commands issued by C2 to execute,” Qihoo 360 Netlab experts say.