RotaJakiro

Malware Profile Updated 3 months ago
RotaJakiro is a Linux backdoor that has been active since 2018, with four major versions identified between 2018 and 2021. It stands out among contemporary malware for the effort it puts into staying hidden: its sensitive resources are stored encrypted, and its C2 traffic is protected with a combination of AES, XOR and rotate-based encryption together with zlib compression (zlib itself only compresses; the encryption layers around it are what conceal the content). RotaJakiro supports 12 commands, three of which concern the execution of specific plugins. This layering makes the sample hard to detect and analyze; one of the source reports below notes that it had zero VirusTotal detections when it was found.

Analysis of the 2021 RotaJakiro sample reveals striking similarities with the OceanLotus backdoor, the malware family associated with the APT32 group listed under the cluster overlaps below. Both share the same function and message-format design, identical command codes, the same encryption parameters, and even the same message code assigned to registration packets. Both also contain a rotate() routine used for encryption and decryption. The two families carry the same field values at offsets 1, 24 and 75 of the packet head, with the magic at offset 1 being 0x3B91011. Finally, both structure their network packets the same way: a mandatory Head, followed by optional Key and Payload sections. In RotaJakiro the Head of a registration packet is initialized by a dedicated function and is 82 bytes long.

Taken together, these overlaps go well beyond coincidence and point to a shared code base or developer. Code similarity of this kind establishes shared tooling rather than, on its own, the identity of the operators, but given all of these findings it is highly probable that RotaJakiro is the Linux version of OceanLotus.
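To make the packet head and the layered encoding concrete, here is an added Python illustration. It is not code from this profile or from the 360 Netlab reports it cites, and it is not a reproduction of RotaJakiro's actual routine. It builds an 82-byte Head carrying the stated magic 0x3B91011 at offset 1, checks a buffer for that magic in either byte order because the page does not say which the malware uses, and wraps a payload in a rotate/XOR/zlib layering of the same general shape. The XOR key, the rotate amount, the other Head fields being zero, and the four-byte encoding of the magic are assumptions made for the example.

```python
import struct
import zlib

# Values stated in the profile text above.
HEAD_LEN = 82          # fixed length of the registration packet Head
MAGIC = 0x3B91011      # magic value found at offset 1 of the Head
MAGIC_OFFSET = 1

# Assumed parameters for this illustration only: the real sample's XOR key,
# rotate amount and Head field layout are not given on this page.
XOR_KEY = b"\x5a\xa3\x3c\x0f"
ROT = 3


def _rotl8(b: int, n: int) -> int:
    """Rotate an 8-bit value left by n bits."""
    n %= 8
    return ((b << n) | (b >> (8 - n))) & 0xFF


def _rotr8(b: int, n: int) -> int:
    """Rotate an 8-bit value right by n bits (inverse of _rotl8)."""
    n %= 8
    return ((b >> n) | (b << (8 - n))) & 0xFF


def encode_payload(plain: bytes, key: bytes = XOR_KEY, rot: int = ROT) -> bytes:
    """zlib-compress, XOR with a repeating key, then rotate each byte.

    Constructed layering in the spirit of the profile's description, not
    RotaJakiro's real algorithm or parameters.
    """
    compressed = zlib.compress(plain)
    return bytes(_rotl8(c ^ key[i % len(key)], rot) for i, c in enumerate(compressed))


def decode_payload(blob: bytes, key: bytes = XOR_KEY, rot: int = ROT) -> bytes:
    """Peel the layers in reverse order: un-rotate, un-XOR, then inflate."""
    stripped = bytes(_rotr8(b, rot) ^ key[i % len(key)] for i, b in enumerate(blob))
    return zlib.decompress(stripped)


def build_head(magic_le: bool = True) -> bytes:
    """Construct an 82-byte Head with the magic at offset 1.

    The page does not state the magic's byte order, so the caller chooses.
    Every other Head field is left zero here (assumption).
    """
    head = bytearray(HEAD_LEN)
    struct.pack_into("<I" if magic_le else ">I", head, MAGIC_OFFSET, MAGIC)
    return bytes(head)


def head_magic_order(buf: bytes):
    """Return 'le', 'be' or None: is a full-length Head with the stated magic
    at offset 1 present in little- or big-endian form?"""
    if len(buf) < HEAD_LEN:
        return None
    le = struct.unpack_from("<I", buf, MAGIC_OFFSET)[0]
    be = struct.unpack_from(">I", buf, MAGIC_OFFSET)[0]
    if le == MAGIC:
        return "le"
    if be == MAGIC:
        return "be"
    return None


if __name__ == "__main__":
    # Constructed sample: a registration-style packet made of Head + Payload.
    packet = build_head(magic_le=True) + encode_payload(b"host=example;uid=1000")
    print("magic byte order:", head_magic_order(packet))
    print("payload:", decode_payload(packet[HEAD_LEN:]))
```

When triaging captured traffic, reading the magic both ways avoids missing a match because the byte order was never recorded; the real key material and rotation amount have to be recovered from the sample itself before the payload layer can be peeled.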
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID / Votes / Profile Description
ZLib (1 vote): zlib is the open-source compression library, not a malware family. This row is flagged only because RotaJakiro zlib-compresses its C2 traffic, so treat it as a false cluster match rather than an alias.
OceanLotus (1 vote): OceanLotus, also known as APT32, is a threat actor suspected to be linked with Vietnam. It primarily targets foreign companies involved in manufacturing, consumer products, consulting, and hospitality sectors that are investing or planning to invest in Vietnam. The group's recent activities indicate
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Payload
Encrypt
Encryption
Linux
Associated Malware
ID / Type / Votes / Profile Description
Mirai (type: Unspecified, 1 vote): Mirai is a type of malware that primarily targets Internet of Things (IoT) devices to form botnets, which are networks of private computers infected with malicious software and controlled as a group without the owners' knowledge. In early 2022, Mirai botnets accounted for over 7 million detections g
gh0st RAT (type: Unspecified, 1 vote): Gh0st RAT is a notorious malware that was originally developed by the C. Rufus Security Team in China and has been widely used for cyber espionage since its code leaked in 2008. This malicious software can infiltrate systems through suspicious downloads, emails, or websites, often without the user's
Associated Threat Actors
ID / Type / Votes / Profile Description
No associations to display
Associated Vulnerabilities
ID / Type / Votes / Profile Description
No associations to display
Source Document References
Information about the RotaJakiro malware was read from the documents corpus below. This display is limited to 20 results.
Source / Created At / Title
Fortinet (a year ago): Key Findings from the 2H 2022 FortiGuard Labs Threat Report | FortiGuard Labs
MITRE (7 months ago): RotaJakiro, the Linux version of the OceanLotus
MITRE (7 months ago): RotaJakiro: A long live secret backdoor with 0 VT detection