New Hidden Malware for Linux: a Hidden Backdoor for Years

It has long been claimed that Linux is invulnerable, that it has no security flaws, and that there are no viruses for it. That is far from reality: Linux is just as exposed as Windows or macOS, with the difference that its smaller user base makes it a less profitable target, so fewer threats are written for it. Alongside the many threats that exist today for this operating system, there are older ones that have gone unnoticed for a long time. One of the latest to surface is RotaJakiro.

Just this week, security researchers from 360 Netlab detected a backdoor-type Trojan for Linux that had been circulating on the Internet for years while going completely unnoticed. The Trojan first appeared on VirusTotal in 2018, and to this day it continues to evade detection by half of the antivirus engines on that platform. In total, 4 different variants have been detected and analyzed, all of them with zero detections.

RotaJakiro malware

The remote control server has been registered since 2015, so the first samples of this malware are believed to have been circulating since then.

RotaJakiro: the Trojan that has been on Linux for more than 3 years

One of the characteristics of this Trojan is that it was programmed from scratch to be as silent as possible. To prevent its communication with the control center from being detected, the Linux malware encrypts all of its traffic, using AES, XOR and ROTATE algorithms, and compresses the connections with ZLIB. For this reason, security products have found nothing suspicious in its network activity, and, since it runs at a low level, it has not raised suspicion while running either.
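The layering described above (compress, then transform the bytes) is what defeats content-based signatures: the payload on the wire carries no recognisable strings. The following added example, which is not code from the article or from the malware, shows that layering with standard-library ZLIB, a repeating XOR key and a per-byte rotation (the AES layer is left out to keep it dependency-free), and the defender-side heuristic that still works against it: Shannon entropy. The beacon text, the XOR key and the rotation count are constructed for the illustration and are not RotaJakiro parameters.

```python
import math
import zlib

# Constructed sample of what an unencrypted beacon might look like
# (illustrative only, not a real RotaJakiro message).
SAMPLE_BEACON = "\n".join(
    f"host=workstation-{i:03d} user=alice uptime={(i * 37) % 1000}s status=idle"
    for i in range(200)
).encode()

# Hypothetical parameters chosen for this example: a short repeating XOR key
# and a fixed bit rotation applied to every byte.
XOR_KEY = b"\x5a\xc3\x19\x7e"
ROTATE_BITS = 3


def rotate_left(byte: int, bits: int) -> int:
    """Rotate an 8-bit value left by `bits` positions."""
    bits %= 8
    return ((byte << bits) | (byte >> (8 - bits))) & 0xFF


def rotate_right(byte: int, bits: int) -> int:
    """Rotate an 8-bit value right by `bits` positions (inverse of rotate_left)."""
    bits %= 8
    return ((byte >> bits) | (byte << (8 - bits))) & 0xFF


def obfuscate(plaintext: bytes) -> bytes:
    """Compress with ZLIB, XOR with a repeating key, then rotate each byte.

    Stands in for the ZLIB + XOR + ROTATE layers the article mentions; the AES
    layer is omitted so the example needs only the standard library.
    """
    compressed = zlib.compress(plaintext)
    xored = bytes(b ^ XOR_KEY[i % len(XOR_KEY)] for i, b in enumerate(compressed))
    return bytes(rotate_left(b, ROTATE_BITS) for b in xored)


def deobfuscate(data: bytes) -> bytes:
    """Reverse obfuscate(): un-rotate, un-XOR, then decompress."""
    unrotated = bytes(rotate_right(b, ROTATE_BITS) for b in data)
    unxored = bytes(b ^ XOR_KEY[i % len(XOR_KEY)] for i, b in enumerate(unrotated))
    return zlib.decompress(unxored)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant stream, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_encrypted(payload: bytes, threshold: float = 7.0) -> bool:
    """Heuristic used by many network sensors: payloads near 8 bits/byte are
    almost certainly compressed or encrypted, whatever their content."""
    return shannon_entropy(payload) >= threshold


if __name__ == "__main__":
    wire = obfuscate(SAMPLE_BEACON)
    print(f"plaintext entropy : {shannon_entropy(SAMPLE_BEACON):.2f} bits/byte")
    print(f"obfuscated entropy: {shannon_entropy(wire):.2f} bits/byte")
    print(f"flagged as encrypted: {looks_encrypted(wire)}")
    assert deobfuscate(wire) == SAMPLE_BEACON
```

The point for a defender is the last two functions: a string or regex signature written for the plaintext beacon matches nothing on the wire, but the byte distribution of the obfuscated payload is close to uniform, so an entropy threshold on outbound connections to unfamiliar hosts flags it regardless of which cipher or key was used.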

The first thing this Trojan does when infecting a PC is to check whether it is running as root or as an unprivileged user. Depending on the type of account, it carries out different tasks to deploy itself without being detected and to make itself persistent on the system. Once in place, it establishes a connection with the control server and waits for instructions. The server has an IP address in Ukraine, so the malware could be operated from there.

The main purpose of this malware is to collect and steal all kinds of sensitive information from compromised PCs. It can also extend its functions through plugins; however, security researchers have not yet been able to discover what these plugins were or to what extent they took control of the infected systems. In addition, a relationship has been found with the Torii botnet, one of the largest networks of zombie IoT devices, which has been in operation since 2018.

How to protect Linux from this malware

The origin of RotaJakiro is not yet clear. It is not known whether it is a global malware that attacks all Linux users or a threat designed to target strategic companies. Consequently, it is also not known whether it arrives through spam, through vulnerabilities, or hidden in files downloaded from the Internet.

The main antivirus programs are already detecting the threat and adding it to their databases, so we can check that we are not infected by using a good antivirus for Linux with the latest signature database installed. In addition, as always, it is important to keep the distro updated with the latest patches to close any vulnerability that could put us at risk.