Uncovering RotaJakiro: A Stealthy Linux Backdoor Malware Hidden Since 2018
Researchers from 360 Netlab have uncovered RotaJakiro, a stealthy Linux backdoor first seen in 2018. It uses ZLIB compression, AES/XOR/ROTATE encryption and hidden plug‑ins to exfiltrate data and evade detection; it implements twelve functions, yet its true purpose remains unknown.
Background
Researchers discovered a Linux backdoor malware that has been active for several years without detection.
Malware Identification
The sample, named RotaJakiro by 360 Netlab, first appeared on VirusTotal in May 2018. All four variants uploaded between May 2018 and January 2021 received a detection rate of 0 % from the integrated anti‑malware engines.
Technical Architecture
RotaJakiro is a 64‑bit Linux binary that employs multiple layers of obfuscation:
Payload is compressed with ZLIB.
Network traffic and embedded resources are encrypted using a combination of AES, XOR and a custom ROTATE cipher.
Embedded files (plugins, configuration data) are stored encrypted with AES, requiring runtime decryption.
At execution the malware determines whether it runs under the root user or a non‑root account and selects a corresponding execution path. It then decrypts the necessary resources with AES + ROTATE, establishes persistence (e.g., by creating hidden files or modifying init scripts), guards its process, and enforces a single‑instance policy.
Command‑and‑Control
After initialization the binary contacts a remote C2 server over an encrypted channel and awaits commands. The protocol is not publicly documented, but analysis shows that the C2 can instruct the malware to:
Collect system information (CPU, memory, network interfaces, installed packages).
Exfiltrate arbitrary files.
Manage and execute plug‑in modules.
Functional Overview
RotaJakiro implements twelve distinct functions. Three of these correspond to the execution of specific plug‑in modules whose binaries are not visible in the sample, preventing analysts from determining the ultimate malicious intent. The remaining functions include persistence, process guarding, single‑instance enforcement, and generic file operations.
Observations and Impact
The malware’s use of layered compression and encryption, combined with root‑aware execution logic, makes static analysis difficult and allows it to remain undetected by mainstream scanners. Its ability to load unknown plug‑ins suggests a modular architecture that could be extended with additional capabilities in future campaigns.
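As an added, illustrative triage aid (not code from 360 Netlab or from the sample), the script below shows how an analyst can locate the kind of compressed and encrypted resources described above inside a binary's data section: it flags high-entropy windows, which is what AES output and compressed data look like, and carves out only zlib streams that inflate completely and pass their Adler-32 trailer. The input is a constructed blob with zero padding, a zlib-compressed made-up plug-in config and pseudo-random bytes standing in for an AES-encrypted resource; the layout, names and config text are assumptions.

```python
import math
import random
import zlib
from collections import Counter

# zlib stream headers: CMF=0x78 with the four common FLG values
ZLIB_HEADERS = {b"\x78\x01", b"\x78\x5e", b"\x78\x9c", b"\x78\xda"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for AES output or random data, 0 for zero padding."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def high_entropy_windows(data, window=512, step=256, threshold=7.0):
    """Return (offset, entropy) for windows that look encrypted or compressed."""
    hits = []
    for off in range(0, max(1, len(data) - window + 1), step):
        ent = shannon_entropy(data[off:off + window])
        if ent >= threshold:
            hits.append((off, round(ent, 2)))
    return hits

def carve_zlib_streams(data):
    """Return (offset, stream_size, inflated) for every complete zlib stream.
    A random byte pair that happens to match a header either fails to inflate
    or never reaches end-of-stream, so it is not reported."""
    found = []
    for off in range(len(data) - 1):
        if data[off:off + 2] not in ZLIB_HEADERS:
            continue
        d = zlib.decompressobj()
        try:
            out = d.decompress(data[off:])
        except zlib.error:
            continue
        if d.eof:  # stream ended cleanly and the Adler-32 check passed
            found.append((off, len(data) - off - len(d.unused_data), out))
    return found

# Constructed stand-in for a binary's data section (assumption, not a real
# RotaJakiro sample): zero padding, a zlib-compressed plug-in config, more
# padding, then pseudo-random bytes in place of an AES-encrypted resource.
PLUGIN_CONFIG = b"plugin=collect_sysinfo;interval=3600;" * 8

def build_sample():
    rng = random.Random(1337)  # fixed seed so the run is reproducible
    pad = b"\x00" * 512
    compressed = zlib.compress(PLUGIN_CONFIG)
    encrypted_like = bytes(rng.getrandbits(8) for _ in range(1024))
    blob = pad + compressed + pad + encrypted_like
    return blob, {"zlib": 512, "blob": 1024 + len(compressed)}
```

Running `carve_zlib_streams` on the constructed blob recovers the config at offset 512, while `high_entropy_windows` flags only the region holding the random bytes; on a real sample the flagged regions that do not inflate are the candidates for runtime decryption under a debugger.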