RotaJakiro Trojan Description
Cybersecurity researchers have brought to light a malware threat that was capable of remaining hidden and performing its nefarious activities for years. Named the RotaJakiro Trojan, the threat is designed to infect Linux systems, where it then establishes a backdoor. The threat actor can command the tool to harvest sensitive private data from compromised systems and exfiltrate it. RotaJakiro can also manage and execute plugins and files.
RotaJakiro achieves its impressive stealth by employing numerous detection-avoidance and anti-analysis techniques. The threat goes to great lengths to hide both its network communication and its resource information. Traffic passing through the threat's communication channels is first compressed using ZLIB and then encrypted with AES, XOR and ROTATE. AES encryption is also used to protect RotaJakiro's resources.
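As an added illustration of the layered traffic encoding described above (not code from 360 Netlab or from the malware), the analyst-side helper below wraps and unwraps a constructed beacon through zlib, AES, XOR and a byte rotate. The key, IV, XOR key, rotate amount and layer order are assumptions chosen for the example; the real values are not on this page, and the zlib header check is the cheap way to tell when assumed parameters are wrong.

```go
package main
import (
	"bytes"
	"compress/zlib"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
	"io"
)
// Constructed parameters (assumptions, not values from the report): AES-128-CTR key/IV, 3-byte XOR key, 3-bit rotate.
var aesKey, aesIV = []byte("0123456789abcdef"), []byte("fedcba9876543210")
var xorKey, rotBits = []byte{0x5a, 0xa5, 0x3c}, uint(3)
// aesCTR applies AES-CTR, which is its own inverse, so one helper serves both directions.
func aesCTR(data []byte) []byte {
	block, _ := aes.NewCipher(aesKey) // fixed 16-byte key above, cannot fail
	out := make([]byte, len(data))
	cipher.NewCTR(block, aesIV).XORKeyStream(out, data)
	return out
}
// Wrap builds a sample with the layering described for the C2 traffic: zlib -> AES -> XOR -> rotate.
func Wrap(plain []byte) []byte {
	var z bytes.Buffer
	w := zlib.NewWriter(&z)
	w.Write(plain)
	w.Close()
	enc := aesCTR(z.Bytes())
	for i := range enc {
		b := enc[i] ^ xorKey[i%len(xorKey)]
		enc[i] = b<<rotBits | b>>(8-rotBits) // rotate left
	}
	return enc
}
// Unwrap peels the layers in reverse; the zlib header byte 0x78 after the AES layer is a cheap
// check that the assumed order and keys are right before inflating.
func Unwrap(wire []byte) ([]byte, error) {
	buf := make([]byte, len(wire))
	for i, b := range wire {
		buf[i] = (b>>rotBits | b<<(8-rotBits)) ^ xorKey[i%len(xorKey)] // rotate right, then XOR
	}
	dec := aesCTR(buf)
	if len(dec) == 0 || dec[0] != 0x78 {
		return nil, fmt.Errorf("no zlib header after AES layer: wrong order or keys")
	}
	r, err := zlib.NewReader(bytes.NewReader(dec))
	if err != nil {
		return nil, err
	}
	return io.ReadAll(r)
}
func main() {
	plain, err := Unwrap(Wrap([]byte("constructed beacon: host=lab-01 uid=1000")))
	fmt.Printf("%s %v\n", plain, err)
}
```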
Once established on the targeted Linux system, RotaJakiro's first action at run time is to determine whether the current user has root access. Depending on the outcome, the threat activates and executes different policies. Using AES ROTATE, RotaJakiro then decrypts the resources it needs to create its persistence mechanism and guard its processes. Only afterward does the threat attempt to communicate with its Command-and-Control (C2, C&C) servers.
So far, the true purpose of the cybercriminals deploying RotaJakiro has not been uncovered. The main hurdle is the lack of insight into the plugins executed by the threat. Analysts from Qihoo 360's Network Security Research Lab (360 Netlab) have cataloged 12 different functions performed by RotaJakiro, three of them related to running specific plugins.
Similarities with Other Malware
The characteristics of RotaJakiro show significant overlap with the Torii IoT (Internet of Things) botnet. Torii was first observed by security expert Vesselin Bontchev and analyzed by Avast's Threat Intelligence Team in September 2018. Although the two target different systems, both malware strains employ the same commands on infected systems and exhibit similar construction methods and code constants.
Both RotaJakiro and Torii rely on encryption algorithms to protect themselves from security researchers digging into their code and resources. Furthermore, the persistence mechanisms and the way the threats structure their network traffic show additional links between the two malware strains.