Previously undocumented and stealthy Linux malware named RotaJakiro has been discovered targeting Linux X64 systems. It has been undetected for at least three years, and operates as a backdoor.
Four samples have now been discovered, all using the same C2s. The earliest was discovered in 2018. None of the samples were labeled malware by VirusTotal.
The discovery was made by researchers at Chinese security firm Qihoo 360 NETLAB after their BotMon system flagged a suspicious ELF file. Investigation revealed the backdoor malware they named RotaJakiro, because, say the researchers, “the family uses rotate encryption and behaves differently for root/non-root accounts when executing.”
The malware supports 12 functions, three of which involve specific plug-ins that are downloaded from the C2s. The researchers have not managed to access any of the plug-ins, so cannot comment on their purpose. However, the functions built into the malware can be categorized as collecting device information, stealing sensitive information, and managing the plug-ins. The researchers do not yet know how the malware spreads or is delivered.
Each of the four samples found have the same four C2s embedded. These are news(.)thaprior(.)net, blog(.)eduelects.com, cdn(.)mirror-codes(.)net, and status.sublineover.net. All of them were registered in December 2015, suggesting the malware is possibly older than the confirmed three years.
The stealthy nature of the malware is partly down to its rotation through various encryption algorithms while communicating with its C2 servers. “At the coding level,” say the researchers, RotaJakiro uses techniques such as dynamic AES, double-layer encrypted communication protocols to counteract the binary & network traffic analysis.”
There are two stages to its C2 communication. The initial phase decrypts the C2 list, establishes a connection with the C2, encrypts and sends the online information, and receives and decrypts the information returned by the C2.
The second stage is to verify the information received from the C2, and then ‒ if verified ‒ to execute any commands received.
Persistence and process guarding are handled differently for infected root and non-root accounts. For process guarding on root accounts, a new process is automatically created when the service process is terminated. On non-root accounts, the malware generates two processes that monitor each other. If one is terminated, the other restores it.
It isn’t yet clear whether the malware is designed for a specific category of target, nor what the long-term intention might be. However, the ability to download multiple plug-ins means that its potential for malicious activity should not be underestimated.
The researchers note that there are internal similarities between RotaJakiro and the Torii IoT botnet discovered by Avast in 2018. Torii is a full-fledged bot. The second stage can execute commands from the C2 server, while the malware also includes simple anti-debugging techniques, data exfiltration, multi-level encryption of communication, and other capabilities.
“Even though our investigation is continuing,” said Avast at the time, “Torii is an example of the evolution of IoT malware, and that its sophistication is a level above anything we have seen before. Once it infects a device, not only does it send quite a lot of information about the machine it resides on to the C&C, but by communicating with the C&C, it allows Torii authors to execute any code or deliver any payload to the infected device. This suggests that Torii could become a modular platform for future use,” Avast concludes.
Related: China-Linked Hackers Systematically Targeted Linux Servers for Years
Related: Privilege Escalation Bugs Patched in Linux Kernel

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
More from Kevin Townsend
- UK Introduces Mass Surveillance With Online Safety Bill
- Blockchain Security Firm True I/O Raises $9 Million
- Most Weaponized Vulnerabilities of 2022 and 5 Key Risks: Report
- QuSecure and Accenture Test Multi-Orbit Communications Link Using Post-Quantum Cryptography
- SecurityScorecard Guarantees Accuracy of Its Security Ratings
- Analysis: SEC Cybersecurity Proposals and Biden’s National Cybersecurity Strategy
- Burnout in Cybersecurity – Can It Be Prevented?
- Verosint Launches Account Fraud Detection and Prevention Platform
Latest News
- Italy Temporarily Blocks ChatGPT Over Privacy Concerns
- FDA Announces New Cybersecurity Requirements for Medical Devices
- Report: Chinese State-Sponsored Hacking Group Highly Active
- Votiro Raises $11.5 Million to Prevent File-Borne Threats
- Lumen Technologies Hit by Two Cyberattacks
- Leaked Documents Detail Russia’s Cyberwarfare Tools, Including for OT Attacks
- Mandiant Investigating 3CX Hack as Evidence Shows Attackers Had Access for Months
- Severe Azure Vulnerability Led to Unauthenticated Remote Code Execution
