China’s security firm Qihoo 360 Netlab said Wednesday that they have identified Linux backdoor malware that has remained undetected for years.
The firm said its bot tracking system detected on March 25 a suspicious ELF program that communicated with four command-and-control (C2) domains on TCP HTTPS port 443 even when used that protocol is not really TLS / SSL.
“A closer look at the sample revealed that it was a backdoor targeting Linux X64 systems, a family that has been around for at least three years,” Netlab researchers Alex Turing and Hui Wang said on an advice.
An MD5 signature for the file
systemd-daemon first appeared on VirusTotal on May 16, 2018 without detecting any known malware. Two other files named
gvfsd-helper was seen over the next three years.
The association with systemd, a widely used system and session manager for Linux, may have been chosen by malware authors to make administrators more likely to notice process logs and list logs.
Netlab called the malware family RotaJakiro because it uses encryption with a rotate function and has different behavior depending on whether it runs on a root or non-root account. Jakiro is a reference to a character from the game Dota 2.
China broke government, defense, financial networks by zero-day on Pulse Secure VPN gateways? Not allowed
The malware tries to hide itself by using many encrypted algorithms. It relies on AES to protect its own resources and a combination of AES, XOR, and rotate encryption alongside ZLIB compression to hide its server communication.
The C2 domains where the malware communicates were registered by Web4Africa in December 2015 and rely on hosting provided by Deltahost PTR, in Kiev, Ukraine.
Malware is not an exploitation; instead it is a payload that opens a backdoor to the targeted machine. It can be installed by an unsuspecting user, an intruder, or via a Trojan dropper. How RotaJakiro is distributed remains unanswered.
According to Netlab, RotaJakiro supports 12 commands, including “Steal Sensitive Info,” “Upload Device Info,” “Deliver File / Plugin,” and three “Run Plugin” variants. The security firm is currently unaware of what malware plugins do.
The security firm sees some similarities between RotaJakiro and the Torii botnet seen by Avast, another security company, in September, 2018. They both have some similar commands and traffic patterns, as well as uniformity in performance.
At least the malware is it’s starting to be noticed by antivirus software. ®