RotaJakiro

RotaJakiro is a 64-bit Linux backdoor used by APT32. First seen in 2018, it uses a plugin architecture to extend capabilities. RotaJakiro can determine its permission level and execute according to access type (root or user).[1][2]

ID: S1078
Type: MALWARE
Platforms: Linux
Version: 1.0
Created: 14 June 2023
Last Modified: 12 October 2023

Techniques Used

Domain ID Name Use
Enterprise T1119 Automated Collection

Depending on the Linux distribution, RotaJakiro executes a set of commands to collect device information and sends the collected information to the C2 server.[1]

Enterprise T1547 .013 Boot or Logon Autostart Execution: XDG Autostart Entries

When executing with user-level permissions, RotaJakiro can install persistence using a .desktop file under the $HOME/.config/autostart/ folder.[1]

Enterprise T1037 Boot or Logon Initialization Scripts

Depending on the Linux distribution and when executing with root permissions, RotaJakiro may install persistence using a .conf file in the /etc/init/ folder.[1]

Enterprise T1543 .002 Create or Modify System Process: Systemd Service

Depending on the Linux distribution and when executing with root permissions, RotaJakiro may install persistence using a .service file under the /lib/systemd/system/ folder.[1]

Enterprise T1132 .001 Data Encoding: Standard Encoding

RotaJakiro uses ZLIB compression to compress the data sent to the C2 server in the payload section of its network communication packet.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

RotaJakiro uses the AES algorithm, bit shifts in a function called rotate, and an XOR cipher to decrypt resources required for persistence, process guarding, and file locking. It also performs this same function on encrypted stack strings and the head and key sections in the network packet structure used for C2 communications.[1]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

RotaJakiro encrypts C2 communication using a combination of AES, XOR, ROTATE encryption, and ZLIB compression.[1]

Enterprise T1546 .004 Event Triggered Execution: Unix Shell Configuration Modification

When executing with non-root level permissions, RotaJakiro can install persistence by adding a command to the .bashrc file that executes a binary in the ${HOME}/.gvfsd/.profile/ folder.[1]
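The four persistence locations described above (XDG autostart entries, /etc/init/ upstart jobs, systemd units, and the .bashrc hook that runs a binary under ${HOME}/.gvfsd/.profile/) can be swept with one script. The following is an added example written for this page, not code from the report or from MITRE; it walks a root prefix so it can be run against an offline disk image or, as here, against a constructed sample tree. The file names, the user "alice" and the /usr/lib/systemd/systemd-daemon path in the fixture are hypothetical; only the directories, the .gvfsd/.profile path and the systemd-daemon filename come from the page.

```python
"""Hunt for the Linux persistence locations attributed to RotaJakiro.

Added example, not code from the report or from MITRE. The sample tree built
by build_sample_tree() is constructed for the demo.
"""
import os
import re
import tempfile

# Regex for the command-carrying line in each file type.
EXEC_LINE = {
    "xdg-autostart": re.compile(r"^Exec=(.+)$", re.M),         # *.desktop
    "upstart-init":  re.compile(r"^\s*exec\s+(.+)$", re.M),    # /etc/init/*.conf
    "systemd-unit":  re.compile(r"^ExecStart=(.+)$", re.M),    # *.service
}
# Anything launched from a dot-directory under a home directory deserves a look;
# .gvfsd/.profile is the specific path reported for RotaJakiro.
HIDDEN_HOME = re.compile(r"(?:\$\{?HOME\}?|~|/home/[^/]+)/\.[^\s/]+")


def _files(directory, suffix):
    if not os.path.isdir(directory):
        return []
    return sorted(os.path.join(directory, f)
                  for f in os.listdir(directory) if f.endswith(suffix))


def scan_persistence(root="/", home=None):
    """Return (kind, path, command) for every autostart entry found under root.

    root lets the scan run over an offline copy of a filesystem; home is the
    user home directory to inspect (default: $HOME).
    """
    home = home or os.environ.get("HOME", "/root")
    home_rel = home.lstrip("/")
    targets = [
        ("xdg-autostart", os.path.join(root, home_rel, ".config", "autostart"), ".desktop"),
        ("upstart-init",  os.path.join(root, "etc", "init"), ".conf"),
        ("systemd-unit",  os.path.join(root, "lib", "systemd", "system"), ".service"),
    ]
    findings = []
    for kind, directory, suffix in targets:
        for path in _files(directory, suffix):
            with open(path, errors="replace") as fh:
                for m in EXEC_LINE[kind].finditer(fh.read()):
                    findings.append((kind, path, m.group(1).strip()))
    # Shell rc modification: any non-comment line that runs something from a hidden home dir.
    bashrc = os.path.join(root, home_rel, ".bashrc")
    if os.path.isfile(bashrc):
        with open(bashrc, errors="replace") as fh:
            for line in fh:
                line = line.strip()
                if line and not line.startswith("#") and HIDDEN_HOME.search(line):
                    findings.append(("bashrc", bashrc, line))
    return findings


def suspicious(findings):
    """Keep entries whose command lives in a hidden home directory or names .gvfsd/.profile."""
    return [f for f in findings if ".gvfsd/.profile" in f[2] or HIDDEN_HOME.search(f[2])]


def build_sample_tree():
    """Constructed fixture: a fake root with one entry per persistence location."""
    root = tempfile.mkdtemp(prefix="rota_demo_")
    home = "/home/alice"  # hypothetical user
    layout = {
        f"{home}/.config/autostart/gnome-demo.desktop":
            "[Desktop Entry]\nType=Application\nName=demo\n"
            "Exec=/home/alice/.gvfsd/.profile/systemd-daemon\n",
        "/etc/init/demo-service.conf":
            "description \"demo\"\nstart on runlevel [2345]\nexec /usr/sbin/demo --daemon\n",
        "/lib/systemd/system/demo.service":
            "[Unit]\nDescription=demo\n[Service]\nExecStart=/usr/lib/systemd/systemd-daemon\n"
            "[Install]\nWantedBy=multi-user.target\n",
        f"{home}/.bashrc":
            "# ~/.bashrc\nalias ll='ls -l'\n${HOME}/.gvfsd/.profile/systemd-daemon &\n",
    }
    for rel, body in layout.items():
        path = os.path.join(root, rel.lstrip("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root, home


if __name__ == "__main__":
    root, home = build_sample_tree()
    for kind, path, cmd in scan_persistence(root, home):
        flag = "SUSPICIOUS" if suspicious([(kind, path, cmd)]) else "          "
        print(f"{flag} {kind:14} {path[len(root):]:48} {cmd}")
```

Run it with `root="/"` and the real home directory on a live host; the systemd unit in the fixture is deliberately not flagged by the hidden-directory heuristic, which is the point: a root-level .service file whose ExecStart borrows a systemd-looking name has to be judged against the real unit inventory, not a path pattern.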

Enterprise T1041 Exfiltration Over C2 Channel

RotaJakiro sends device and other collected data back to the C2 using the established C2 channels over TCP.[1]

Enterprise T1559 Inter-Process Communication

When executing with non-root permissions, RotaJakiro uses the shmget API to create shared memory between other known RotaJakiro processes. This allows processes to communicate with each other and share their PID.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

RotaJakiro has used the filename systemd-daemon in an attempt to appear legitimate.[2]

Enterprise T1106 Native API

When executing with non-root permissions, RotaJakiro uses the shmget API to create shared memory between other known RotaJakiro processes. RotaJakiro also uses the execvp API to help its dead process "resurrect".[1]

Enterprise T1095 Non-Application Layer Protocol

RotaJakiro uses a custom binary protocol using a type, length, value format over TCP.[2]

Enterprise T1571 Non-Standard Port

RotaJakiro uses a custom binary protocol over TCP port 443.[2]

Enterprise T1057 Process Discovery

RotaJakiro can monitor the /proc/[PID] directory of known RotaJakiro processes as a part of its persistence when executing with non-root permissions. If the process is found dead, it resurrects the process. RotaJakiro processes can be matched to an associated Advisory Lock, in the /proc/locks folder, to ensure it doesn't spawn more than one process.[1]
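The guarding behaviour described above rests on two observable facts: a process's /proc/[PID] directory disappears when it dies, and a single-instance advisory lock is listed in /proc/locks for as long as its holder lives and is released the moment the holder exits. The following is an added example written for this page, not RotaJakiro's code: it implements the lock-based single-instance check with flock(), shows why a second instance is refused and a third succeeds once the first descriptor is closed, and parses /proc/locks to map advisory locks back to PIDs and check them for liveness. The SAMPLE_PROC_LOCKS excerpt is constructed, and the lock file path is hypothetical.

```python
"""Single-instance advisory lock, its /proc/locks trail, and the /proc/[PID] liveness check.

Added example, not RotaJakiro's code. SAMPLE_PROC_LOCKS is a constructed excerpt.
"""
import errno
import fcntl
import os
import tempfile

# Constructed /proc/locks excerpt. The kernel's format is
#   <id>: <type> <mode> <access> <pid> <maj>:<min>:<inode> <start> <end>
# and a line whose second field is "->" is a blocked waiter on the lock above it.
SAMPLE_PROC_LOCKS = """\
1: POSIX  ADVISORY  WRITE 4242 00:2f:31337 0 EOF
2: FLOCK  ADVISORY  WRITE 5151 08:01:262144 0 EOF
2: -> FLOCK  ADVISORY  WRITE 5152 08:01:262144 0 EOF
3: POSIX  MANDATORY WRITE 6060 08:01:99 0 EOF
"""


def parse_proc_locks(text):
    """Return granted locks as dicts; waiter lines ('->') are skipped."""
    locks = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[1] == "->":
            continue
        locks.append({"type": parts[1], "mode": parts[2], "access": parts[3],
                      "pid": int(parts[4]), "dev_inode": parts[5]})
    return locks


def advisory_lock_holders(text):
    """Sorted PIDs holding an advisory lock: the candidates to match against known processes."""
    return sorted({l["pid"] for l in parse_proc_locks(text) if l["mode"] == "ADVISORY"})


def locks_held_by(pid, text=None):
    """dev:inode entries locked by pid, read from the live /proc/locks unless text is given."""
    if text is None:
        with open("/proc/locks") as fh:
            text = fh.read()
    return [l["dev_inode"] for l in parse_proc_locks(text) if l["pid"] == pid]


def proc_alive(pid):
    """The /proc/[PID] check a guardian uses to decide whether a sibling needs resurrecting."""
    if os.path.isdir("/proc"):
        return os.path.isdir(f"/proc/{pid}")
    try:                      # non-procfs fallback: signal 0 probes existence only
        os.kill(pid, 0)
        return True
    except ProcessLookupError:
        return False
    except PermissionError:   # exists, but owned by someone else
        return True


def claim_single_instance(lock_path):
    """Take an exclusive, non-blocking advisory lock on lock_path.

    Returns the open fd (keep it open to hold the lock) or None when another open
    file description already holds it. flock() locks belong to the open file
    description, so even a second open() in the same process is refused.
    """
    fd = os.open(lock_path, os.O_RDWR | os.O_CREAT, 0o600)
    try:
        fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
    except OSError as e:
        os.close(fd)
        if e.errno in (errno.EWOULDBLOCK, errno.EAGAIN):
            return None
        raise
    return fd


def demo_single_instance(lock_path=None):
    """(first got lock, second refused, third succeeds after first closes)."""
    lock_path = lock_path or os.path.join(tempfile.mkdtemp(), "guard.lock")  # hypothetical path
    first = claim_single_instance(lock_path)
    second = claim_single_instance(lock_path)
    if first is not None:
        os.close(first)       # closing the description releases the lock, as process death would
    third = claim_single_instance(lock_path)
    if third is not None:
        os.close(third)
    return first is not None, second is None, third is not None


if __name__ == "__main__":
    print("advisory lock holders in sample:", advisory_lock_holders(SAMPLE_PROC_LOCKS))
    for pid in advisory_lock_holders(SAMPLE_PROC_LOCKS):
        print(f"  pid {pid}: {'alive' if proc_alive(pid) else 'dead, guardian would re-exec it'}")
    print("first/second/third instance:", demo_single_instance())
    if os.path.exists("/proc/locks"):
        fd = claim_single_instance(os.path.join(tempfile.mkdtemp(), "guard.lock"))
        print("this pid now holds:", locks_held_by(os.getpid()))
        os.close(fd)
```

For hunting, the useful direction is the reverse of the malware's: list advisory lock holders from /proc/locks, resolve the dev:inode to a path through /proc/[PID]/fd, and treat a lock held on a file under a hidden home directory, or by a process whose sibling re-spawns it on exit, as worth a closer look.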

Enterprise T1129 Shared Modules

RotaJakiro uses dynamically linked shared libraries (.so files) to execute additional functionality using dlopen() and dlsym().[1]

Enterprise T1082 System Information Discovery

RotaJakiro executes a set of commands to collect device information, including uname. Another example is the cat /etc/*release | uniq command used to collect the current OS distribution.[1]

Groups That Use This Software

ID Name References
G0050 APT32 [2]

References