thelinuxgamer

patreon

Linux Malware targets IoT devices since 2018?

A three-year-old piece of Linux-specific malware avoided widespread detection until just a few days ago. Dubbed RotaJakiro by the team that discovered it, Qihoo 360 Netlab, the malware has been targeting 64-bit Linux systems since 2018.

On March 25th, RotaJakiro was detected when one of Netlab's botnet tracking tools (called BotMon) flagged a file as suspicious.

There had been no reported detections on VirusTotal for the specific file, despite four separate samples having been submitted: two in 2018, one in 2020, and another this year.

RotaJakiro uses fairly sophisticated encryption to avoid detection. First, it compresses data with zlib and then layers both AES and XOR encryption on top of it. It also rotates keys frequently to obfuscate its communication with its command and control (C2) server.

While Netlab and other researchers are still studying RotaJakiro, the team says it is not yet sure what the true purpose of the malware is beyond compromising Linux systems.

After reverse engineering the malware, researchers found 12 built-in functions, including data exfiltration, plugin management, file handling, and device specification reporting.

Even though we have some insight into the app, the team says there is, to quote them, a "lack of visibility" into the plugin system.

Netlab described the malware as follows:

"At the coding level, RotaJakiro uses techniques such as dynamic AES, double-layer encrypted communication protocols to counteract the binary & network traffic analysis. At the functional level, RotaJakiro first determines whether the user is root or non-root at run time, with different execution policies for different accounts, then decrypts the relevant sensitive resources using AES & ROTATE for subsequent persistence, process guarding and single instance use, and finally establishes communication with C2 and waits for the execution of commands issued by C2."

It also behaves differently based on its privileges. In non-root scenarios, it spawns two different processes, each of which can relaunch the other if one is killed. In a root context, the malware writes itself into configuration files for persistence.

The researchers have speculated that this malware might be part of an IoT botnet called Torii, which basically weaponizes insecure Internet of Things devices, like your crockpot that inexplicably connects to your wifi.

But that's all we've got to go on at this point. I'd love to know what you think.

https://www.zdnet.com/article/rotajakiro-a-linux-backdoor-that-has-flown-under-the-radar-for-years/

Comments

The only two IoT devices I currently have that use WiFi are Google Home (unplugged for months due to false positives due to my experience with it) and a Wemo Mr. Coffee machine for brewing tea. I don't allow my coffee machine to access the Internet. I'm thinking about switching to a Z-Wave smart plug with the ability to monitor energy consumption and a dumb coffee maker. If the smart plug detects low power consumption, that means the tea is ready for me to drink. And yes, I make tea using my coffee machine. And Home Assistant can communicate using a Z-Wave USB stick.
