Stealthy Linux backdoor malware spotted after three years of minding your business

Chinese security outfit Qihoo 360 Netlab on Wednesday said it has identified Linux backdoor malware that has remained undetected for a number of years.

The firm said its bot monitoring system spotted on March 25 a suspicious ELF program that interacted with four command-and-control (C2) domains over TCP port 443, the port normally used for HTTPS, even though the protocol it spoke wasn’t actually TLS/SSL.
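The traffic pattern above, a client talking to port 443 without a TLS handshake, is something a network sensor can check for directly. The following is an added example, not Netlab's code or data: it inspects the first bytes a client sends on a flow and flags flows to TCP/443 that do not begin with a TLS ClientHello record. The sample flows, addresses and payloads are constructed for illustration; the only assumption about the format is the public TLS record layout.

```python
"""Heuristic for the behaviour described above: TCP flows to port 443 whose first
client bytes do not form a TLS ClientHello.  Added example with constructed sample
flows; not Netlab's code or data."""
from dataclasses import dataclass
from typing import List

TLS_HANDSHAKE = 0x16          # TLS record content type for handshake messages
TLS_CLIENT_HELLO = 0x01       # handshake message type
TLS_RECORD_MAX = 2 ** 14      # TLSPlaintext.length upper bound (RFC 8446, section 5.1)
# SSL 3.0 through TLS 1.3; TLS 1.3 still puts 0x0303 in the record and legacy_version fields.
TLS_VERSIONS = {0x0300, 0x0301, 0x0302, 0x0303, 0x0304}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    first_bytes: bytes        # first payload bytes the client sent


def classify_payload(payload: bytes) -> str:
    """Return 'tls_client_hello', 'not_tls', or 'too_short' for a flow's opening bytes."""
    # Record header (5 bytes) + handshake header (4 bytes) + client_version (2 bytes).
    if len(payload) < 11:
        return "too_short"
    content_type = payload[0]
    record_version = int.from_bytes(payload[1:3], "big")
    record_len = int.from_bytes(payload[3:5], "big")
    if content_type != TLS_HANDSHAKE or record_version not in TLS_VERSIONS:
        return "not_tls"
    if record_len == 0 or record_len > TLS_RECORD_MAX:
        return "not_tls"
    handshake_type = payload[5]
    handshake_len = int.from_bytes(payload[6:9], "big")
    if handshake_type != TLS_CLIENT_HELLO:
        return "not_tls"
    # A ClientHello may span several records, so only reject when the record
    # body is larger than the handshake message it claims to carry.
    if handshake_len + 4 < record_len:
        return "not_tls"
    client_version = int.from_bytes(payload[9:11], "big")
    return "tls_client_hello" if client_version in TLS_VERSIONS else "not_tls"


def flag_non_tls_on_443(flows: List[Flow]) -> List[Flow]:
    """Flows to TCP/443 that are clearly not TLS; truncated captures are left alone."""
    return [f for f in flows
            if f.dport == 443 and classify_payload(f.first_bytes) == "not_tls"]


# Constructed sample flows (RFC 5737 documentation addresses; not real traffic).
SAMPLE_FLOWS = [
    # Genuine ClientHello: record header, handshake header, client_version, then padding.
    Flow("10.0.0.5", "203.0.113.10", 443,
         bytes.fromhex("16 0301 00c8 01 0000c4 0303") + b"\x00" * 32),
    # Plaintext HTTP sent to 443.
    Flow("10.0.0.6", "203.0.113.11", 443, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    # Opaque binary blob on 443: a length prefix followed by non-TLS bytes.
    Flow("10.0.0.7", "203.0.113.12", 443, bytes.fromhex("00000120 8f2a17c4 5510093d 7e6b")),
    # Plain HTTP on port 80 is expected and not examined.
    Flow("10.0.0.8", "203.0.113.13", 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    # Truncated capture: too little data to judge, so not flagged.
    Flow("10.0.0.9", "203.0.113.14", 443, b"\x16\x03\x01"),
]

if __name__ == "__main__":
    for f in flag_non_tls_on_443(SAMPLE_FLOWS):
        print(f"non-TLS on 443: {f.src} -> {f.dst}:{f.dport} {f.first_bytes[:8]!r}")
```

The check deliberately separates "not TLS" from "too short to tell", so a sensor that only captured a few bytes of a flow does not generate an alert it cannot back up; in a real deployment the function would be fed the first client segment of each flow from a capture or flow log.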

“A close look at the sample revealed it to be a backdoor targeting Linux X64 systems, a family that has been around for at least three years,” Netlab researchers Alex Turing and Hui Wang said in an advisory.

An MD5 hash for a file named systemd-daemon first showed up in VirusTotal back on May 16, 2018, with no engine flagging it as known malware. Two other files named systemd-daemon and gvfsd-helper were spotted over the next three years.

The association with systemd, a widely used system and session manager for Linux, may have been chosen by the malware authors to make the malicious code less likely to be noticed by administrators reviewing logs and process lists.
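Names borrowed from systemd and gvfs are easy to miss in a process list, but the binary's path gives them away. The following is an added example, not Netlab's code or data: it compares each process's short name (as in /proc/<pid>/comm) with the directory its executable lives in, and reports helpers that use a systemd- or gvfsd- style name from anywhere else. The trusted directories are assumed defaults for common distributions, and the process snapshot is constructed; the file names systemd-daemon and gvfsd-helper come from the article.

```python
"""Process-list check for the masquerading described above: names that look like
systemd or gvfs helpers but run from directories those helpers never live in.
Added example with a constructed process snapshot; not Netlab's code or data."""
import os
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Proc:
    pid: int
    comm: str    # contents of /proc/<pid>/comm (kernel truncates to 15 chars)
    exe: str     # readlink of /proc/<pid>/exe, "" if unreadable


# Where the genuine binaries normally live.  Assumed defaults for common
# distributions; adjust to the hosts being checked.
TRUSTED_DIRS: Dict[str, Tuple[str, ...]] = {
    "systemd-": ("/usr/lib/systemd/", "/lib/systemd/", "/usr/bin/", "/bin/"),
    "gvfsd-":   ("/usr/libexec/", "/usr/lib/gvfs/", "/usr/lib/x86_64-linux-gnu/gvfs/"),
}


def verdict(proc: Proc) -> str:
    """'suspicious' when the name imitates a system helper but the binary is elsewhere,
    'unverified' when the exe link could not be read, otherwise 'ok'."""
    for prefix, dirs in TRUSTED_DIRS.items():
        if proc.comm.startswith(prefix):
            if not proc.exe:
                return "unverified"
            # The kernel appends " (deleted)" when the binary was removed after start.
            exe = proc.exe.replace(" (deleted)", "")
            return "ok" if any(exe.startswith(d) for d in dirs) else "suspicious"
    return "ok"


def find_masquerading(procs: List[Proc]) -> List[Proc]:
    return [p for p in procs if verdict(p) == "suspicious"]


def snapshot(proc_root: str = "/proc") -> List[Proc]:
    """Read the live process table (Linux only; exe links of other users' processes need root)."""
    procs = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"{proc_root}/{pid}/comm") as fh:
                comm = fh.read().strip()
        except OSError:
            continue                     # process exited while we were looking
        try:
            exe = os.readlink(f"{proc_root}/{pid}/exe")
        except OSError:
            exe = ""                     # kernel thread or permission denied
        procs.append(Proc(pid, comm, exe))
    return procs


# Constructed snapshot: paths under /home and /tmp are invented for illustration.
SAMPLE_PROCS = [
    Proc(412, "systemd-journal", "/usr/lib/systemd/systemd-journald"),
    Proc(1187, "gvfsd-fuse", "/usr/libexec/gvfsd-fuse"),
    Proc(23310, "systemd-daemon", "/home/alice/.cache/systemd-daemon"),
    Proc(23344, "gvfsd-helper", "/tmp/.x/gvfsd-helper (deleted)"),
    Proc(23390, "systemd-resolve", ""),      # exe link unreadable: cannot vouch either way
    Proc(900, "sshd", "/usr/sbin/sshd"),
]

if __name__ == "__main__":
    for p in find_masquerading(SAMPLE_PROCS):
        print(f"pid {p.pid}: {p.comm} running from {p.exe}")
```

Unreadable exe links are reported as unverified rather than suspicious, so running the check as an unprivileged user does not drown genuine systemd helpers in false positives; rerun it as root, or feed it a snapshot collected with root, to resolve those entries.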

Netlab has dubbed the malware family RotaJakiro because it uses encryption with a rotate function and has different behavior depending on whether it’s running on a root or non-root account. Jakiro is a reference to a character from the game Dota 2.


The malware makes an effort to conceal itself by using multiple encryption algorithms. It relies on AES to protect its own resources and a combination of AES, XOR, and rotate encryption alongside ZLIB compression to obscure its server communication.

The C2 domains with which the malware communicates were registered through Web4Africa in December 2015 and rely on hosting provided by Deltahost PTR, in Kiev, Ukraine.

The malware is not an exploit; rather it’s a payload that opens a backdoor on the targeted machine. It might be installed by an unsuspecting user, an intruder, or through a dropper Trojan. How RotaJakiro has been distributed remains unanswered.

According to Netlab, RotaJakiro supports 12 commands, including “Steal Sensitive Info,” “Upload Device Info,” “Deliver File/Plugin,” and three “Run Plugin” variants. The security firm is presently unaware of what the malware’s plugins do.

The security firm sees some similarities between RotaJakiro and the Torii botnet spotted by Avast, another security company, in September 2018. The two share some commands and traffic patterns, as well as functional similarities.

At least the malware is starting to get noticed by antivirus software. ®
