RotaJakiro – new Linux malware masquerading as a systemd process

The 360 NetLab research lab has reported identifying new malicious software for Linux, codenamed RotaJakiro, which contains a backdoor that allows the system to be controlled remotely. The malware could have been installed by attackers after exploiting unpatched vulnerabilities in the system or after guessing weak passwords.

The backdoor was detected while analysing suspicious traffic from one of the system processes, which was noticed during analysis of the infrastructure of a botnet used for DDoS attacks. Before that, RotaJakiro had gone unnoticed for three years: the first submissions to the VirusTotal file-scanning service of a file whose MD5 hash matches the identified malware date back to May 2018.

Among RotaJakiro's notable features is the use of different masking techniques depending on whether it runs as an unprivileged user or as root. To hide its presence, the backdoor used the process names systemd-daemon, session-dbus and gvfsd-helper, which, given how crowded modern Linux distributions are with all kinds of service processes, looked legitimate at first glance and raised no suspicion.

When running with root privileges, the malware was activated through the scripts /etc/init/systemd-agent.conf, /lib/systemd-agent.conf and /lib/systemd/system/systemd-agent.service, and the malicious executable was placed at /bin/systemd/systemd-daemon and /usr/lib/systemd/systemd-daemon (the functionality is duplicated in two files).
When running with the privileges of a regular user, the autostart file $HOME/.config/autostart/gnomehelper.desktop was used together with changes to .bashrc, and the executable was saved as $HOME/.gvfsd/.profile/gvfsd-helper and $HOME/.dbus/sessions/session-dbus. Both executables were started at the same time, each monitoring the presence of the other and restoring it if it terminated.
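As an added example (not code from the 360 NetLab report or from the malware itself), the following POSIX shell script checks a live host, or a disk image mounted under a prefix, for the persistence paths and borrowed process names listed above. The .bashrc pattern and the assumption that no legitimate daemon uses those three process names are the editor's, not the report's.

```shell
#!/bin/sh
# Added example, not code from the 360 NetLab report: check a live host, or an
# image mounted under PREFIX, for the RotaJakiro persistence artifacts listed
# above. A non-zero return status means at least one artifact was found.
# Root-mode artifacts named in the article (absolute paths).
ROTA_ROOT_PATHS="/etc/init/systemd-agent.conf /lib/systemd-agent.conf
/lib/systemd/system/systemd-agent.service
/bin/systemd/systemd-daemon /usr/lib/systemd/systemd-daemon"
# User-mode artifacts, relative to each home directory.
ROTA_USER_PATHS=".config/autostart/gnomehelper.desktop
.gvfsd/.profile/gvfsd-helper .dbus/sessions/session-dbus"
# Process names the backdoor borrows (assumption: no legitimate daemon uses them).
ROTA_PROC_NAMES="systemd-daemon session-dbus gvfsd-helper"

# rota_check_paths [PREFIX]: print each artifact found; returns 0 clean, 1 found.
rota_check_paths() {
    prefix=${1:-}
    found=0
    for p in $ROTA_ROOT_PATHS; do
        [ -e "$prefix$p" ] && { echo "artifact: $prefix$p"; found=1; }
    done
    for home in "$prefix/root" "$prefix"/home/*; do
        [ -d "$home" ] || continue
        for p in $ROTA_USER_PATHS; do
            [ -e "$home/$p" ] && { echo "artifact: $home/$p"; found=1; }
        done
        # The user-mode variant edits .bashrc; flag lines that reference the hidden
        # directories it uses (constructed pattern, not taken from the report).
        if [ -f "$home/.bashrc" ] && grep -qE '\.gvfsd/|\.dbus/sessions' "$home/.bashrc"; then
            echo "bashrc modified: $home/.bashrc"; found=1
        fi
    done
    return $found
}

# rota_check_procs: flag running processes that use one of the borrowed names.
rota_check_procs() {
    found=0
    for n in $ROTA_PROC_NAMES; do
        ps -eo comm= 2>/dev/null | grep -qx "$n" && { echo "process: $n"; found=1; }
    done
    return $found
}

# rota_scan [PREFIX]: run both checks, e.g. `rota_scan /mnt/image`.
rota_scan() {
    rc=0
    rota_check_paths "${1:-}" || rc=1
    rota_check_procs || rc=1
    return $rc
}
```

Source the file and call `rota_scan` (with a mount point as argument to inspect an offline image); the process check only makes sense on the live host.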

To hide the traces of its activity, the backdoor used several encryption algorithms: for example, AES was used to encrypt its resources, and to hide the communication channel with the control server, a combination of AES, XOR and ROTATE together with ZLIB compression.

To obtain control commands, the malware contacted four domains on network port 443 (its own protocol is used on the communication channel, not HTTPS or TLS). The domains (cdn.mirror-codes.net, status.sublineover.net, blog.eduelects.com and news.thaprior.net) were registered in 2015 and hosted by the Kiev hosting provider Deltahost. Twelve basic functions were built into the backdoor, allowing it to download and run plugins with extended functionality, transmit information about the device, intercept confidential data and manage local files.

/Media reports.