RotaJakiro Linux Malware Evaded Detection for Years

Linux Malware Was Hiding In Plain Sight

RotaJakiro is a newly discovered malware affecting Linux endpoints and servers. The RotaJakiro binary has remained undetected and active on endpoints and servers since at least 2018, when its binary files were first uploaded to VirusTotal as part of a routine scan. The files came back clean.

360 Netlab, part of Qihoo, released a statement that it had discovered a new form of 64-bit, Linux-specific malware matching the signature of the files uploaded to VirusTotal 4 years ago. RotaJakiro was so good at hiding its tracks that the researchers who discovered it do not yet fully understand its purpose.

How is this possible? RotaJakiro has stayed under the radar because of its encryption. Virus scanners typically determine that a process is malicious by tracing the kinds of communications the software uses to carry out its functions.

RotaJakiro layers AES, ROTATE, XOR, and ZLIB algorithms to encrypt and compress its communications so that anti-malware suites do not recognize the malware’s traffic as malicious.

About the Linux Systems Backdoor

It was not until the researchers at 360 Netlab discovered a suspicious ELF file (ELF is the standard Linux binary executable format) with an unknown purpose that the malware came to light. After further review, the researchers determined that this ELF file was producing communications that were being sent to 4 remote domains over an HTTPS port.

The exact communication protocol used by RotaJakiro is new to the IT security community. RotaJakiro uses a layered combination of AES, ROTATE, XOR, and ZLIB encryption/compression to hide the information it exfiltrates from the unsuspecting user’s computer.

Malware Initialization

At this point, it is unclear how the RotaJakiro payload becomes embedded in a Linux environment, but once the payload is delivered, it gains persistence on the endpoint using one of two mechanisms, depending on whether the account that launched the payload has root (administrator) privileges.

For root accounts, RotaJakiro embeds itself into the system initialization process and instructs the operating system to run the RotaJakiro process as part of the boot sequence once the device has connected to a network. For non-root users, the malware runs itself at user login by inserting itself into the user’s local configuration file.

Malware Purpose

Currently, little is known about the intended purpose of RotaJakiro. While the researchers behind the discovery believe this is a new communications algorithm and a new malware family, they suspect it is related to another, more established botnet named Torii. After partially reverse engineering RotaJakiro, the researchers found that it shares many implementations with Torii, which implies that the authors of Torii are likely at least partially responsible for creating RotaJakiro. Unfortunately, Torii also does not carry a standard payload.

Most malware tools have a well-defined purpose, whether that is DDoS attacks, cryptocurrency mining, or encrypting an endpoint as ransomware. Torii and RotaJakiro have none of these standard payloads. Instead, they simply send device information and an unknown set of device-side data to 4 distinct offsite servers, a process called data exfiltration.

Because RotaJakiro’s communications are so thoroughly encrypted, it is hard to pin down what information the malware is exfiltrating.

What We Know About RotaJakiro

RotaJakiro can both directly exfiltrate data and deploy additional payloads to the endpoint in the form of plugins for other parts of the operating system. Because of these unknown plugins, finding RotaJakiro on an endpoint is firm grounds for a complete rebuild of the affected machine.

Even after the RotaJakiro executable has been removed from the endpoint, the device may continue to provide sensitive information to the creators of RotaJakiro through a currently unknown vector. RotaJakiro is silent to the end user and does not affect system performance.

The best way to determine whether an endpoint has been infected by RotaJakiro is to scan its filesystem for the files associated with the malware. This can be done manually or with most up-to-date anti-malware suites.

Detecting RotaJakiro

Finding RotaJakiro on an endpoint is trivial now that researchers know where to look. There are currently 4 known file locations for the malware:

/bin/systemd/systemd-daemon
/usr/lib/systemd/systemd-daemon
/home/*/.dbus/sessions/session-dbus
/home/*/.gvfsd/.profile/gvfsd-helper

Below are the contents of a basic bash script that can be deployed to an endpoint to look for those binary files. If the script outputs “Something Found”, your system has likely been infected by the malware:

#!/bin/bash
files=('/bin/systemd/systemd-daemon' '/usr/lib/systemd/systemd-daemon' '/home/*/.dbus/sessions/session-dbus' '/home/*/.gvfsd/.profile/gvfsd-helper')

for i in "${files[@]}"; do
  # $i is left unquoted here so the /home/* wildcard expands to every home directory
  for f in $i; do
    if [ -e "$f" ]; then
      echo "$f"
      echo 'Something Found'
      exit 1
    fi
  done
done
echo 'Nothing Found'
exit 0
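The script above only checks whether the four binaries exist. The following script, added here as an example and not taken from the post or from Syxsense, extends that check to the two persistence mechanisms the post describes: a systemd unit that starts the system-wide binary at boot (root installs) and an entry in the user’s login configuration file (non-root installs). The systemd unit directories (/etc/systemd/system, /usr/lib/systemd/system) and the login-profile file names (.profile, .bashrc, .bash_profile) are assumptions, since the post does not name them; the sample tree built in rota_selftest is constructed for demonstration and is not a real infection.

```shell
#!/bin/sh
# Added example; not the post's script and not Syxsense code. Checks the four
# file paths the post lists and, in addition, the two persistence locations the
# post describes: systemd unit files (root installs) and per-user login
# profiles (non-root installs). The unit directories and profile file names
# are assumptions; the post does not name them.

# Prints each hit as "<kind> TAB <path>". Returns 1 if anything was found, else 0.
# ROOT (default /) is the tree to inspect, so a mounted disk image can be
# scanned the same way as the live system.
rota_scan() {
  root="${1:-/}"
  root="${root%/}"
  found=0

  # 1. Known binary locations. "$root" is quoted; the pattern is left unquoted
  #    so the /home/* wildcard expands to every home directory.
  while IFS= read -r pattern; do
    [ -n "$pattern" ] || continue
    for f in "$root"$pattern; do
      [ -e "$f" ] || continue
      printf 'file\t%s\n' "$f"
      found=1
    done
  done <<'EOF'
/bin/systemd/systemd-daemon
/usr/lib/systemd/systemd-daemon
/home/*/.dbus/sessions/session-dbus
/home/*/.gvfsd/.profile/gvfsd-helper
EOF

  # 2. Root-level persistence: unit files that launch the system-wide binaries.
  #    (Assumed directories; only the two system paths from the post are matched.)
  for unit in "$root"/etc/systemd/system/*.service "$root"/usr/lib/systemd/system/*.service; do
    [ -f "$unit" ] || continue
    if grep -Eq '/bin/systemd/systemd-daemon|/usr/lib/systemd/systemd-daemon' "$unit"; then
      printf 'unit\t%s\n' "$unit"
      found=1
    fi
  done

  # 3. User-level persistence: login scripts that reference the per-user binaries.
  #    (Assumed file names; matched on the two home-directory paths from the post.)
  for profile in "$root"/home/*/.profile "$root"/home/*/.bashrc "$root"/home/*/.bash_profile; do
    [ -f "$profile" ] || continue
    if grep -Eq '\.dbus/sessions/session-dbus|\.gvfsd/\.profile/gvfsd-helper' "$profile"; then
      printf 'profile\t%s\n' "$profile"
      found=1
    fi
  done

  return "$found"
}

# Self-check against a constructed sample tree (not a real infection): one
# planted binary, one planted unit file and one planted .profile entry.
rota_selftest() {
  tmp="$(mktemp -d)"
  mkdir -p "$tmp/home/alice/.dbus/sessions" "$tmp/etc/systemd/system"
  : > "$tmp/home/alice/.dbus/sessions/session-dbus"
  printf '%s\n' '[Service]' 'ExecStart=/bin/systemd/systemd-daemon' > "$tmp/etc/systemd/system/planted.service"
  printf '%s\n' '# constructed sample' '$HOME/.dbus/sessions/session-dbus &' > "$tmp/home/alice/.profile"
  rc=0
  rota_scan "$tmp" || rc=$?
  rm -rf "$tmp"
  return "$rc"
}

# Usage: sh rota_scan.sh [ROOT]; with no argument the functions are only defined.
if [ "$#" -gt 0 ]; then
  if rota_scan "$1"; then echo 'Nothing Found'; else echo 'Something Found'; exit 1; fi
fi
```

Run it as `sh rota_scan.sh /` on a live host, or point ROOT at a mounted image; a non-zero exit status means something was found, matching the convention of the post’s script. A hit in a unit file or login profile is worth acting on even when the binary itself is gone, since the post notes that removing the executable alone does not guarantee the endpoint is clean.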

How to Combat RotaJakiro

Syxsense Secure includes our automation framework, Syxsense Cortex. With Syxsense Cortex and the script above, every Linux endpoint on your network can be scanned for RotaJakiro on a regular basis. If the script triggers on any Linux endpoint in your environment, it kicks off a series of automated tasks. These tasks are configurable by your IT team through the Syxsense Cortex console and can be set up to meet your organization’s security incident policy.

Below is an example of what an automated RotaJakiro response might look like in Syxsense Cortex. First, the local Syxsense micro-agent runs a scan for RotaJakiro binaries on the Linux endpoint. If the scan returns no results, an email confirming the scan is sent to the security team and any related alerts on the endpoint are closed.

If the scan returns a positive result, a very different email is sent to the security team and an incident is opened. The next time a user logs into the Syxsense console, they are immediately prompted with information about the affected endpoint.

Finally, the endpoint is shut down so that no further data can be exfiltrated by RotaJakiro. After this point, disaster recovery controls will need to be initiated.

Start a free trial to see how Syxsense Cortex can help you defend against RotaJakiro and other complex malware systems.

Start Your Free Trial of Syxsense

Syxsense combines IT management, patch management, and security vulnerability scanning in one powerful solution. Get started today.