Severity
High
Analysis Summary
Previously undocumented and stealthy Linux malware named RotaJakiro has been discovered targeting Linux X64 systems. It has been undetected for at least three years, and operates as a backdoor. Four samples have now been discovered, all using the same C2s. The family uses rotate encryption and behaves differently for root/non-root accounts when executing. The malware supports 12 functions, three of which involve specific plug-ins that are downloaded from the C2s. The researchers have not managed to access any of the plug-ins, so cannot comment on their purpose. However, the functions built into the malware can be categorized as collecting device information, stealing sensitive information, and managing the plug-ins. The researchers do not yet know how the malware spreads or is delivered.
All discovered C2s were registered in December 2015, suggesting the malware is possibly older than the confirmed three years. The stealthy nature of the malware is partly down to its rotation through various encryption algorithms while communicating with its C2 servers, using techniques such as dynamic AES, double-layer encrypted communication protocols to counteract the binary & network traffic analysis. There are two stages to its C2 communication. The initial phase decrypts the C2 list, establishes a connection with the C2, encrypts and sends the online information, and receives and decrypts the information returned by the C2. The second stage is to verify the information received from the C2, and then, if verified, to execute any commands received. Persistence and process guarding are handled differently for infected root and non-root accounts. For process guarding on root accounts, a new process is automatically created when the service process is terminated. On non-root accounts, the malware generates two processes that monitor each other. If one is terminated, the other restores it.
Impact
- Theft of Sensitive Information
- Data Exfiltration
- Code Execution
- Security Bypass
Indicators of Compromise
Hostname
- status[.]sublineover[.]net
- news[.]thaprior[.]net
- cdn[.]mirror-codes[.]net
- blog[.]eduelects[.]com
MD5
- 1d45cd2c1283f927940c099b8fab593b
- 5c0f375e92f551e8f2321b141c15c48f
- 64f6cfe44ba08b0babdd3904233c4857
- 11ad1e9b74b144d564825d65d7fb37d6
SHA-256
- a18bec90b2b6185362eeb67c516c82dd34cd8f6a7423875921572e97ae1668b0
- d38e8f113c36cfa9e05c4d0d6b526d81b69039430c3b1fc64a08a3445b5a5abe
- af2a2be20d7bbec0a9bb4a4dfa898aa18ef4994a9791d7cf37b7b62b379992ac
- 0958e1f4c3d14e4de380bda4c5648ab4fa4459ef8f5daaf32bb5f3420217af32
SHA1
- 7c6665aaba3b7da391ca8a6dd152bd32fafbad88
- 5fd40cbdcd05e03af7af80d94460924294abd09b
- 9a055755d34631b5800729582f3febb4ddecb6d5
- 184355d786a021e0b7297ec20b339be0fac944df
Source IP
- 176[.]107[.]176[.]16
URL
- http[:]//status[.]sublineover[.]net[:]443
- http[:]//news[.]thaprior[.]net[:]443
- http[:]//cdn[.]mirror-codes[.]net[:]443
- http[:]//blog[.]eduelects[.]com[:]443
Remediation
- Block the threat indicators at their respective controls.
- Do not download untrusted files from unexpected emails or from any untrusted source on the internet.
- As a vector is not known, observe best practices for internet safety.
- Enable multi-factor authentication where possible.
- Observe overall cybersecurity measures to avoid falling victim to cyber attacks.