RotaJakiro is a new Linux malware that masquerades as a systemd process

The 360 Netlab research laboratory reported the discovery of new Linux malware, codenamed RotaJakiro, which implements a backdoor that gives attackers control of the system. The malware may have been installed after attackers exploited unpatched vulnerabilities in the system or guessed weak passwords.

The backdoor was discovered while analysing suspicious traffic from one of the system processes, which was noticed during an analysis of the structure of a botnet used for DDoS attacks. Before that, RotaJakiro had gone undetected for three years: the first uploads to the VirusTotal service of files whose MD5 hashes match the identified malware date back to May 2018.

One notable feature of RotaJakiro is that it uses different camouflage techniques depending on whether it runs as an unprivileged user or as root. To hide its presence, the backdoor uses the process names systemd-daemon, session-dbus and gvfsd-helper, which, given how cluttered modern Linux distributions are with service processes, look legitimate at first glance and do not arouse suspicion.

When run with root privileges, the malware created the startup files /etc/init/systemd-agent.conf and /lib/systemd/system/systemd-agent.service to activate itself, and the malicious executable was placed at /bin/systemd/systemd-daemon and /usr/lib/systemd/systemd-daemon (the functionality was duplicated in two files). When run as an ordinary user, the autostart file $HOME/.config/autostart/gnomehelper.desktop was used, changes were made to .bashrc, and the executable was saved as $HOME/.gvfsd/.profile/gvfsd-helper and $HOME/.dbus/sessions/session-dbus. Both executables were launched simultaneously, and each monitored the presence of the other and restored it if it was terminated.
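The persistence paths above are the most practical host indicators for a defender. The following check is an added example, not code from the 360 Netlab report: it looks for the listed files under a given filesystem root and home directory (parameters, so it can be run against a mounted image or a test tree), and as an assumption also flags a .bashrc that references the two user-level executable names, since the article says .bashrc was modified but not how.

```shell
#!/bin/sh
# Added example (not from the 360 Netlab report): read-only check for the
# RotaJakiro persistence paths named in the article.

# Root-variant artifacts, relative to the filesystem root.
ROOT_ARTIFACTS="etc/init/systemd-agent.conf
lib/systemd/system/systemd-agent.service
bin/systemd/systemd-daemon
usr/lib/systemd/systemd-daemon"

# Unprivileged-variant artifacts, relative to a user's home directory.
USER_ARTIFACTS=".config/autostart/gnomehelper.desktop
.gvfsd/.profile/gvfsd-helper
.dbus/sessions/session-dbus"

# scan_rotajakiro_paths ROOT HOMEDIR
# Prints every artifact path that exists, one per line.
# Exit status 1 if anything was found, 0 if the tree looks clean.
scan_rotajakiro_paths() {
    root=${1%/}
    home=${2%/}
    found=0
    for rel in $ROOT_ARTIFACTS; do
        if [ -e "$root/$rel" ]; then
            printf '%s\n' "$root/$rel"
            found=1
        fi
    done
    for rel in $USER_ARTIFACTS; do
        if [ -e "$home/$rel" ]; then
            printf '%s\n' "$home/$rel"
            found=1
        fi
    done
    # Assumption: the .bashrc change references one of the user-level
    # executable names; the article does not describe the exact edit.
    if [ -f "$home/.bashrc" ] && grep -qE 'gvfsd-helper|session-dbus' "$home/.bashrc"; then
        printf '%s (references gvfsd-helper/session-dbus)\n' "$home/.bashrc"
        found=1
    fi
    return $found
}

# Live-host use (root variant needs root to read all paths):
#   scan_rotajakiro_paths / "$HOME"
```

A hit on any of these paths is a strong indicator because none of them belongs to a stock systemd, D-Bus or GVFS installation; confirm by comparing the file against the package manager's records before acting.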

To hide the traces of its activity, the backdoor used several encryption algorithms: AES was used to encrypt its resources, and a combination of AES, XOR and ROTATE together with ZLIB compression was used to conceal the communication channel with the control server.

To receive control commands, the malware contacted four domains over network port 443 (the communication channel used its own protocol rather than HTTPS or TLS). The domains (cdn.mirror-codes.net, status.sublineover.net, blog.eduelects.com and news.thaprior.net) were registered in 2015 and hosted by the Kyiv hosting provider Deltahost. The backdoor integrated 12 basic functions, which allowed it to load and execute plugins with extended functionality, transmit device data, intercept sensitive data and manage local files.

Source: opennet.ru
