Free Republic
General/Chat
Stealthy Linux backdoor malware spotted after three years of minding your business
The Register ^ | 29 April 2021 | Thomas Claburn

Posted on 04/30/2021 8:55:20 AM PDT by ShadowAce

Chinese security outfit Qihoo 360 Netlab on Wednesday said it has identified Linux backdoor malware that has remained undetected for a number of years.

The firm said its bot monitoring system spotted on March 25 a suspicious ELF program that interacted with four command-and-control (C2) domains over the TCP HTTPS port 443 even though the protocol used isn't actually TLS/SSL.

"A close look at the sample revealed it to be a backdoor targeting Linux X64 systems, a family that has been around for at least three years," Netlab researchers Alex Turing and Hui Wang said in an advisory.

An MD5 signature for the file systemd-daemon first showed up in VirusTotal back on May 16, 2018 without the detection of any known malware. Two other files named systemd-daemon and gvfsd-helper were spotted over the next three years.

The association with systemd, a widely used system and session manager for Linux, may have been chosen by the malware authors to make the malicious code less likely to be noticed by administrators reviewing logs and process lists.

Netlab has dubbed the malware family RotaJakiro because it uses encryption with a rotate function and has different behavior depending on whether it's running on a root or non-root account. Jakiro is a reference to a character from the game Dota 2.

The malware makes an effort to conceal itself by using multiple encryption algorithms. It relies on AES to protect its own resources and a combination of AES, XOR, and rotate encryption alongside ZLIB compression to obscure its server communication.

The C2 domains with which the malware communicates were registered through Web4Africa in December 2015 and rely on hosting provided by Deltahost PTR, in Kiev, Ukraine.

The malware is not an exploit; rather it's a payload that opens a backdoor on the targeted machine. It might be installed by an unsuspecting user, an intruder, or through a dropper Trojan. How RotaJakiro has been distributed remains unanswered.

According to Netlab, RotaJakiro supports 12 commands, including "Steal Sensitive Info," "Upload Device Info," "Deliver File/Plugin," and three "Run Plugin" variants. The security firm is presently unaware of what the malware's plugins do.

The security firm sees some similarities between RotaJakiro and the Torii botnet spotted by Avast, another security company, in September 2018. The two have some similar commands and traffic patterns, as well as functional similarities.

At least the malware is starting to get noticed by antivirus software. ®


TOPICS: Computers/Internet

1 posted on 04/30/2021 8:55:20 AM PDT by ShadowAce
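The detection the article credits to Netlab's bot monitor, traffic on tcp/443 whose first bytes are not a TLS ClientHello, as an added Python example (not code from the article or from Netlab); the flow tuples, IP addresses and payload bytes are constructed for illustration, not captures of the malware:

```python
import struct

# TLS record header: content type (1 byte), version (2 bytes), length (2 bytes).
TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
# Record-layer versions seen on the wire for SSL 3.0 through TLS 1.3
# (TLS 1.3 ClientHellos still carry 0x0301 or 0x0303 in the record header).
TLS_RECORD_VERSIONS = {0x0300, 0x0301, 0x0302, 0x0303, 0x0304}
MAX_TLS_RECORD = 16384


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if the first client-to-server bytes form a plausible TLS ClientHello."""
    if len(payload) < 9:  # 5-byte record header + 4-byte handshake header
        return False
    content_type, version, rec_len = struct.unpack("!BHH", payload[:5])
    if content_type != TLS_HANDSHAKE or version not in TLS_RECORD_VERSIONS:
        return False
    if rec_len == 0 or rec_len > MAX_TLS_RECORD:
        return False
    hs_type = payload[5]
    hs_len = int.from_bytes(payload[6:9], "big")
    return hs_type == CLIENT_HELLO and hs_len > 0


def flag_non_tls_on_443(flows):
    """flows: iterable of (src, dst, dport, first_client_payload).
    Returns the (src, dst) pairs that use port 443 without opening with TLS."""
    return [(src, dst) for src, dst, dport, data in flows
            if dport == 443 and not looks_like_tls_client_hello(data)]


# Constructed samples (hypothetical bytes, not taken from the malware):
# a well-formed TLS 1.2 ClientHello prefix: record len 0xc8, handshake type 0x01, len 0xc4
SAMPLE_TLS = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32
# a custom binary framing (length prefix plus a zlib header) that is not TLS at all
SAMPLE_CUSTOM = b"\x00\x00\x00\x1c\x78\x9c" + b"\x00" * 28

CONSTRUCTED_FLOWS = [
    ("10.0.0.4", "198.51.100.20", 443, SAMPLE_TLS),            # ordinary HTTPS
    ("10.0.0.5", "203.0.113.7", 443, SAMPLE_CUSTOM),           # non-TLS on 443: flag it
    ("10.0.0.6", "198.51.100.21", 80, b"GET / HTTP/1.1\r\n"),  # plain HTTP on 80: ignore
]

if __name__ == "__main__":
    for src, dst in flag_non_tls_on_443(CONSTRUCTED_FLOWS):
        print(f"non-TLS traffic on tcp/443: {src} -> {dst}")
```

Plaintext HTTP or any custom framing sent to port 443 is flagged the same way, so the check is a triage heuristic for further inspection rather than a malware signature.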

To: rdb3; JosephW; martin_fierro; Still Thinking; zeugma; Vinnie; ironman; Egon; raybbr; AFreeBird; ...

Thanks to dayglored for the article!

2 posted on 04/30/2021 8:55:50 AM PDT by ShadowAce (Linux - The Ultimate Windows Service Pack )

To: ShadowAce

I studied Oracle 9 for a year. Its platform is a form of Linux


3 posted on 04/30/2021 8:58:14 AM PDT by CharlesOConnell (CharlesOConnell)

To: ShadowAce

Was written by a Chinese “Backdoor man”?................


4 posted on 04/30/2021 8:58:36 AM PDT by Red Badger (Jesus said there is no marriage in Heaven. That's why they call it Heaven.....................)

To: ShadowAce

“Chinese security outfit”

Isn’t that an oxymoron?


5 posted on 04/30/2021 8:59:58 AM PDT by Autonomous User (During times of universal deceit, telling the truth becomes a revolutionary act.)

To: ShadowAce

Something keeps sneaking in and stealing my desktop icons on Linux Mint Cinnamon 18.3. I have to reboot to get them back.

[That seems to be a persistent problem with several versions of Linux.]


6 posted on 04/30/2021 9:00:21 AM PDT by TomGuy

To: ShadowAce

Isn’t “A Chinese security outfit” an oxymoron?


7 posted on 04/30/2021 9:01:35 AM PDT by Yo-Yo (is the /sarc tag really necessary?)

To: Autonomous User

Ha! Beat me by 2 minutes!


8 posted on 04/30/2021 9:02:10 AM PDT by Yo-Yo (is the /sarc tag really necessary?)

To: ShadowAce

“a suspicious ELF program that interacted with four command-and-control (C2) domains over the TCP HTTPS port 443 even though the protocol used isn’t actually TLS/SSL.”

Anyone could’ve told them that.


9 posted on 04/30/2021 9:02:35 AM PDT by lowbridge

To: ShadowAce

Oh, yeah, everybody knows that!?!


10 posted on 04/30/2021 9:02:44 AM PDT by immadashell (New Planned Parenthood slogan: Black Babies’ Lives Don't Matter!)

To: Red Badger

A dude named “Mr. Wu”.... he was a window cleaner and then an air raid warden back in WWII. Just kidding- first came to mind.

George Formby (the Queen’s favourite morale booster in the Blitz):...”... if there’s a chink in your window, you’ll have another one at the door....” “ the girls all cover their laundry mark...” risque stuff for WWII.

https://www.youtube.com/watch?v=vnvgpeGxzak


11 posted on 04/30/2021 9:09:59 AM PDT by John S Mosby (Sic Semper Tyrannis)

To: ShadowAce; All

Is the “backdoor” risk now closed by Linux updates? Since this came out? That is-— what is to be done? Read the details; can’t figure out what a rotating trapdoor drop functionality— well, what is it. Says it is used for targeting individual machines.

Linux experts on FR— any suggestions?


12 posted on 04/30/2021 9:15:16 AM PDT by John S Mosby (Sic Semper Tyrannis)

To: CharlesOConnell

Yup. Oracle is based off of Red Hat.


13 posted on 04/30/2021 9:15:37 AM PDT by ShadowAce (Linux - The Ultimate Windows Service Pack )

To: TomGuy

I’ve never seen that happen before.


14 posted on 04/30/2021 9:16:08 AM PDT by ShadowAce (Linux - The Ultimate Windows Service Pack )

To: ShadowAce

bookmark


15 posted on 04/30/2021 9:17:21 AM PDT by dadfly

To: ShadowAce

According to Netlab, RotaJakiro supports 12 commands, including “Steal Sensitive Info,” “Upload Device Info,” “Deliver File/Plugin,” and three “Run Plugin” variants.

This article sounds like FUD designed to pitch security software.

For one, I seriously doubt any malware is going to have a function so obviously labeled “Steal Sensitive Info”. Secondly, what would constitute “sensitive info”?


16 posted on 04/30/2021 9:17:41 AM PDT by Flick Lives (“Today we celebrate the first glorious anniversary of the Information Purification Directives.”)

To: John S Mosby
That is-— what is to be done?

I believe that your chosen distro maintainer(s) should be able to filter it out.

17 posted on 04/30/2021 9:18:50 AM PDT by ShadowAce (Linux - The Ultimate Windows Service Pack )

To: John S Mosby

Just so long as you don’t get a chink in your armor.................


18 posted on 04/30/2021 9:19:04 AM PDT by Red Badger (Jesus said there is no marriage in Heaven. That's why they call it Heaven.....................)

To: TomGuy
Well, obviously someone has installed this backdoor on your system in a nefarious plot to steal your desktop icons and ultimately...CONTROL. THE. WORLD!!!!!

Or your window manager is crashing for some reason.

But it's probably definitely the first one.

19 posted on 04/30/2021 9:22:13 AM PDT by perfect_rovian_storm

To: ShadowAce

OK- thanks will check it out on their boards, maintenance etc.


20 posted on 04/30/2021 9:22:40 AM PDT by John S Mosby (Sic Semper Tyrannis)

