Posted on 04/30/2021 8:55:20 AM PDT by ShadowAce
Chinese security outfit Qihoo 360 Netlab on Wednesday said it has identified Linux backdoor malware that has remained undetected for a number of years.
The firm said its bot monitoring system spotted on March 25 a suspicious ELF program that interacted with four command-and-control (C2) domains over the TCP HTTPS port 443 even though the protocol used isn't actually TLS/SSL.
"A close look at the sample revealed it to be a backdoor targeting Linux X64 systems, a family that has been around for at least three years," Netlab researchers Alex Turing and Hui Wang said in an advisory.
An MD5 hash of a file named systemd-daemon first appeared on VirusTotal on May 16, 2018, without any engine flagging it as known malware. Two other files, also named systemd-daemon and gvfsd-helper, were spotted over the next three years.
The association with systemd, a widely used system and session manager for Linux, may have been chosen by the malware authors to make the malicious code less likely to be noticed by administrators reviewing logs and process lists.
Netlab has dubbed the malware family RotaJakiro because it uses encryption with a rotate function and has different behavior depending on whether it's running on a root or non-root account. Jakiro is a reference to a character from the game Dota 2.
The malware makes an effort to conceal itself by using multiple encryption algorithms. It relies on AES to protect its own resources and a combination of AES, XOR, and rotate encryption alongside ZLIB compression to obscure its server communication.
The C2 domains with which the malware communicates were registered through Web4Africa in December 2015 and rely on hosting provided by Deltahost PTR, in Kiev, Ukraine.
The malware is not an exploit; rather it's a payload that opens a backdoor on the targeted machine. It might be installed by an unsuspecting user, an intruder, or through a dropper Trojan. How RotaJakiro has been distributed remains unanswered.
According to Netlab, RotaJakiro supports 12 commands, including "Steal Sensitive Info," "Upload Device Info," "Deliver File/Plugin," and three "Run Plugin" variants. The security firm is presently unaware of what the malware's plugins do.
The security firm sees some similarities between RotaJakiro and the Torii botnet spotted by Avast, another security company, in September 2018. The two share some similar commands and traffic patterns, as well as functional similarities.
At least the malware is starting to get noticed by antivirus software.
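The article's most concrete network indicator is C2 traffic on TCP port 443 that is not actually TLS. The following is an added example, not code from the article or from Netlab, that checks captured flows for that pattern: it inspects the first bytes a client sends on a port-443 connection and flags any that do not form a plausible TLS ClientHello record. The Flow type and sample flows are constructed for illustration; the hosts are documentation addresses, not real indicators.

```python
# Added example: flag port-443 flows whose first client bytes are not a TLS
# ClientHello, the traffic shape the article attributes to RotaJakiro's C2 channel.
from dataclasses import dataclass

TLS_HANDSHAKE = 0x16       # TLS record content type: handshake
TLS_CLIENT_HELLO = 0x01    # handshake message type: ClientHello
TLS_MAX_RECORD = 0x4000    # 2^14, the maximum TLS plaintext record length


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    client_bytes: bytes    # first bytes sent by the client on this connection


def looks_like_tls_client_hello(data: bytes) -> bool:
    """Return True if data starts with a plausible TLS ClientHello record."""
    if len(data) < 6:
        return False
    content_type = data[0]
    version_major, version_minor = data[1], data[2]
    record_len = int.from_bytes(data[3:5], "big")
    handshake_type = data[5]
    return (content_type == TLS_HANDSHAKE
            and version_major == 0x03 and version_minor <= 0x04
            and 0 < record_len <= TLS_MAX_RECORD
            and handshake_type == TLS_CLIENT_HELLO)


def find_non_tls_on_443(flows):
    """Return the flows that use port 443 without opening with a TLS handshake."""
    return [f for f in flows
            if f.dport == 443 and not looks_like_tls_client_hello(f.client_bytes)]


# Constructed sample flows (hypothetical hosts, not real indicators).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, bytes.fromhex("160301004a0100004603030a")),  # genuine TLS
    Flow("10.0.0.5", "203.0.113.20", 443, bytes.fromhex("789c4b4c4a0600")),            # zlib-looking bytes, no TLS
    Flow("10.0.0.5", "203.0.113.30", 80, b"GET / HTTP/1.1\r\n"),                        # plain HTTP, not port 443
]

if __name__ == "__main__":
    for flow in find_non_tls_on_443(SAMPLE_FLOWS):
        print(f"suspicious non-TLS traffic on 443: {flow.src} -> {flow.dst}")
```

In practice the client bytes would come from a packet capture or a proxy log; a hit is a lead to investigate the sending process, not proof of infection on its own.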
GMTA! LOL
Yeah-— heh, heh— look how many chinks we have in the armor in the US. Need an update on the “fibbies” and chinks at the DOJ raiding Giuliani over whether he acted as a foreign agent— all the while knowing he was “seconded” to William Barr and assigned to him by the President of the US. Trump. All very much within the law.
JoeBama is all about being a paid “chink in the armor” Why else did he go see jimmah “japan” cahtah yesterday— to compare their backline of drool and slobber money, and influence. Worried as they should be. Too late for wonder boy jimmah mr. peanut.
thanks for the laugh!
ICWYDT
Any reason you have not upgraded to Mint v20.1?
That might help.
How to detect this and how to remove it?
I still have mint 17 on mine and NEVER have any problems.
Why upgrade?
It does everything I want to do.
Nuff said?!
18.3 reached End of Life this month:
https://blog.linuxmint.com/?p=4054
I'm not sure if upgrading to Mint 20.1 provides protection against RotaJakiro.
Still, gotta love the punchline:
According to Netlab, RotaJakiro supports 12 commands, including "Steal Sensitive Info," "Upload Device Info," "Deliver File/Plugin," and three "Run Plugin" variants. The security firm is presently unaware of what the malware's plugins do.
"The men don't know but the little girls understand" - h/t Doors
https://www.youtube.com/watch?v=cmuINaunol0