Previously undocumented and stealthy Linux malware named RotaJakiro has been discovered targeting Linux X64 systems. It has been undetected for at least three years, and operates as a backdoor.
Four samples have now been discovered, all using the same C2s. The earliest was discovered in 2018. None of the samples were labeled malware by VirusTotal.
The discovery was made by researchers at Chinese security firm Qihoo 360 NETLAB after their BotMon system flagged a suspicious ELF file. Investigation revealed the backdoor malware they named RotaJakiro, because, say the researchers, "the family uses rotate encryption and behaves differently for root/non-root accounts when executing."
The malware supports 12 functions, three of which involve specific plug-ins that are downloaded from the C2s. The researchers have not managed to access any of the plug-ins, so cannot comment on their purpose. However, the functions built into the malware can be categorized as collecting device information, stealing sensitive information, and managing the plug-ins. The researchers do not yet know how the malware spreads or is delivered.
Each of the four samples found have the same four C2s embedded. These are news(.)thaprior(.)net, blog(.)eduelects.com, cdn(.)mirror-codes(.)net, and status.sublineover.net. All of them were registered in December 2015, suggesting the malware is possibly older than the confirmed three years.
The stealthy nature of the malware is partly down to its rotation through various encryption algorithms while communicating with its C2 servers. "At the coding level," say the researchers, RotaJakiro uses techniques such as dynamic AES, double-layer encrypted communication protocols to counteract the binary & network traffic analysis."
(Emphasis in original retained.)
The above-linked blog entry goes into considerable detail of how the malware functions. It also makes a connection to the previously-found Torii botnet which was exposed by Avast on September 20, 2018