RotaJakiro

RotaJakiro is a 64-bit Linux backdoor used by APT32. First seen in 2018, it uses a plugin architecture to extend capabilities. RotaJakiro can determine its permission level and execute according to access type (root or user).[1][2]

ID: S1078
Type: MALWARE
Platforms: Linux
Version: 1.0
Created: 14 June 2023
Last Modified: 12 October 2023

Techniques Used

Domain ID Name Use
Enterprise T1546 .004 Event Triggered Execution: Unix Shell Configuration Modification

When executing with non-root level permissions, RotaJakiro can install persistence by adding a command to the .bashrc file that executes a binary in the ${HOME}/.gvfsd/.profile/ folder.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

RotaJakiro has used the filename systemd-daemon in an attempt to appear legitimate.[2]

Enterprise T1129 Shared Modules

RotaJakiro uses dynamically linked shared libraries (.so files) to execute additional functionality using dlopen() and dlsym().[1]

Enterprise T1543 .002 Create or Modify System Process: Systemd Service

Depending on the Linux distribution and when executing with root permissions, RotaJakiro may install persistence using a .service file under the /lib/systemd/system/ folder.[1]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

RotaJakiro encrypts C2 communication using a combination of AES, XOR, ROTATE encryption, and ZLIB compression.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

RotaJakiro uses the AES algorithm, bit shifts in a function called rotate, and an XOR cipher to decrypt resources required for persistence, process guarding, and file locking. It also performs this same function on encrypted stack strings and the head and key sections in the network packet structure used for C2 communications.[1]

Enterprise T1037 Boot or Logon Initialization Scripts

Depending on the Linux distribution and when executing with root permissions, RotaJakiro may install persistence using a .conf file in the /etc/init/ folder.[1]

Enterprise T1547 .013 Boot or Logon Autostart Execution: XDG Autostart Entries

When executing with user-level permissions, RotaJakiro can install persistence using a .desktop file under the $HOME/.config/autostart/ folder.[1]

Enterprise T1132 .001 Data Encoding: Standard Encoding

RotaJakiro uses ZLIB compression to compress data sent to the C2 server in the payload section of the network communication packet.[1]

Enterprise T1106 Native API

When executing with non-root permissions, RotaJakiro uses the shmget API to create shared memory between other known RotaJakiro processes. RotaJakiro also uses the execvp API to help its dead process "resurrect".[1]

Enterprise T1082 System Information Discovery

RotaJakiro executes a set of commands to collect device information, including uname. Another example is the cat /etc/*release | uniq command used to collect the current OS distribution.[1]

Enterprise T1119 Automated Collection

Depending on the Linux distribution, RotaJakiro executes a set of commands to collect device information and sends the collected information to the C2 server.[1]

Enterprise T1057 Process Discovery

RotaJakiro can monitor the /proc/[PID] directory of known RotaJakiro processes as a part of its persistence when executing with non-root permissions. If the process is found dead, it resurrects the process. RotaJakiro processes can be matched to an associated Advisory Lock, in the /proc/locks folder, to ensure it doesn't spawn more than one process.[1]

Enterprise T1559 Inter-Process Communication

When executing with non-root permissions, RotaJakiro uses the shmget API to create shared memory between other known RotaJakiro processes. This allows processes to communicate with each other and share their PID.[1]

Enterprise T1041 Exfiltration Over C2 Channel

RotaJakiro sends device and other collected data back to the C2 using the established C2 channels over TCP.[1]

Enterprise T1095 Non-Application Layer Protocol

RotaJakiro uses a custom binary protocol using a type, length, value format over TCP.[2]

Enterprise T1571 Non-Standard Port

RotaJakiro uses a custom binary protocol over TCP port 443.[2]
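A defender-side check for the persistence artifacts described in the T1546.004, T1543.002, T1037, T1547.013 and T1036.005 entries above, written as an added example (not MITRE's code nor anything from the cited reports). It scans a root prefix and a home directory for the paths this page names; the sample tree it builds is constructed from those paths, and the .desktop file name and the ELF placeholder inside it are assumptions, not real sample artifacts.

```python
import re
import tempfile
from pathlib import Path

SUSPECT_NAME = "systemd-daemon"  # T1036.005: filename the backdoor masquerades under
DROP_DIR = ".gvfsd/.profile"     # T1546.004: hidden folder the .bashrc hook launches from

def scan_home(home: Path) -> list:  # T1546.004 .bashrc hook and T1547.013 XDG autostart
    hits = []
    bashrc = home / ".bashrc"
    if bashrc.is_file():
        for n, line in enumerate(bashrc.read_text(errors="replace").splitlines(), 1):
            if DROP_DIR in line:
                hits.append(("T1546.004", f"{bashrc}:{n}", line.strip()))
    if (home / DROP_DIR).is_dir():
        hits += [("T1546.004", str(p), "file in hidden drop dir") for p in (home / DROP_DIR).iterdir()]
    for d in (home / ".config/autostart").glob("*.desktop"):
        m = re.search(r"^Exec=(.*)$", d.read_text(errors="replace"), re.M)
        exe = m.group(1).strip() if m else ""
        if SUSPECT_NAME in exe or DROP_DIR in exe:
            hits.append(("T1547.013", str(d), exe))
    return hits

def scan_system(root: Path) -> list:  # T1543.002 systemd unit and T1037 /etc/init job
    hits = []
    for tech, pattern in (("T1543.002", "lib/systemd/system/*.service"), ("T1037", "etc/init/*.conf")):
        for f in root.glob(pattern):
            # Legitimate units are named systemd-<role>; "systemd-daemon" is the page's masquerade name
            if SUSPECT_NAME in f.name or SUSPECT_NAME in f.read_text(errors="replace"):
                hits.append((tech, str(f), "references " + SUSPECT_NAME))
    return hits

def build_sample_tree(base: Path) -> Path:
    """Constructed artifacts mirroring the page's descriptions (not real samples); returns the home dir."""
    home = base / "home/user"
    (home / DROP_DIR).mkdir(parents=True)
    (home / DROP_DIR / SUSPECT_NAME).write_bytes(b"\x7fELF")  # placeholder header, not a real binary
    (home / ".bashrc").write_text("alias ll='ls -l'\n${HOME}/.gvfsd/.profile/systemd-daemon &\n")
    (home / ".config/autostart").mkdir(parents=True)
    (home / ".config/autostart/constructed.desktop").write_text(  # entry name is an assumption
        "[Desktop Entry]\nType=Application\nExec=/home/user/.gvfsd/.profile/systemd-daemon\n")
    (base / "lib/systemd/system").mkdir(parents=True)
    (base / "lib/systemd/system/systemd-daemon.service").write_text("[Service]\nExecStart=/bin/systemd-daemon\n")
    (base / "etc/init").mkdir(parents=True)
    (base / "etc/init/systemd-daemon.conf").write_text("exec /bin/systemd-daemon\n")
    return home

def demo() -> list:  # build the constructed tree in a temp dir and return every finding
    with tempfile.TemporaryDirectory() as tmp:
        home = build_sample_tree(Path(tmp))
        return scan_home(home) + scan_system(Path(tmp))
```

On a live host, call scan_home() per user home and scan_system(Path("/")); on a mounted disk image, pass the mount point as root and each home under it.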

Groups That Use This Software

ID Name References
G0050 APT32 [2]

References