RotaJakiro

RotaJakiro is a sophisticated malware that has been active since 2018, with four major versions identified until 2021. It stands out among contemporary malicious software due to its advanced features and encryption techniques. RotaJakiro supports 12 functions, three of which are related to the execution of specific plugins. All sensitive resources within RotaJakiro are encrypted using multiple algorithms, including AES, XOR, ROTATE, and ZLIB compression for C2 communication. This level of obfuscation makes it challenging to detect and analyze, demonstrating the malware's focus on maintaining stealth. The analysis of the 2021 RotaJakiro sample reveals striking similarities with OceanLotus, a previously known malware variant. Both RotaJakiro and OceanLotus share similar function and message format designs, identical instruction codes, encryption parameters, and even the same assigned message codes to registration packets. The presence of a rotate() function for encryption/decryption in both pieces of code further strengthens this correlation. These similarities extend beyond mere coincidence, suggesting a common origin or developer behind these two malwares. Interestingly, RotaJakiro and OceanLotus also share the same field values at certain offsets, such as 1, 24, and 75, with the magic at offset 1 being 0x3B91011. This strong resemblance increases the likelihood that they are from the same source. Furthermore, both malwares structure their network packets similarly, consisting of a mandatory Head, along with optional Key and Payload sections. The Head of the registration packets in RotaJakiro is initialized with a separate function, and has a length of 82 bytes. Given all these findings, it's highly probable that RotaJakiro is a Linux version of OceanLotus.