Security researchers have discovered a crafty piece of malware written for Linux, but finding it after three years in the wild is just “the tip of the iceberg,” they say. Its purpose remains a mystery.
At least it now has an identity. Researchers at Qihoo 360 Netlab (via Bleeping Computer) are calling it RotaJakiro, named after a mashing of its characteristics—it uses rotating encryption keys, and is a two-headed beast of sorts, in that it executes different code for root and non-root accounts.
Staying hidden for so long is a result of RotaJakiro employing a combination of ZLIB compression and several different encryption algorithms. Dating back to 2018, at least four RotaJakiro samples have been uploaded to VirusTotal, a website that scans files with over 60 antivirus engines. The most recent upload occurred in January of this year.
The collection of antivirus engines returned a clean bill of health in each instance, leading the Qihoo 360 Netlab security team to wonder if there are more samples out there. That is not the only mystery, though.
“The real work is far from over, and many questions remain unanswered: How did RotaJakiro spread, and what was its purpose? Does RotaJakiro have a specific target? We would love to know if the community has relevant leads,” the security team stated in a blog post.
What the researchers do know is that RotaJakiro supports a dozen functions. Three of them are related to plugins, but for what purpose is not yet clear. It is capable of creating a backdoor into infected 64-bit Linux machines, which in theory could allow an attacker to steal sensitive information.
Researchers also observed a few shared characteristics with the Torii botnet that was discovered by Avast in 2018, leading them to wonder if there is some sort of connection between the two.
“From the perspective of reverse engineering, RotaJakiro and Torii share similar styles: the use of encryption algorithms to hide sensitive resources, the implementation of a rather old-school style of persistence, structured network traffic, etc. We don’t exactly know the answer, but it seems that RotaJakiro and Torii have some connections,” the researchers said.
Whatever the intent, its days of hiding in plain sight are over, with this discovery. At least four AV engines at VirusTotal now detect the malware, and we imagine it won’t be long before dozens of others catch up.