GSD-2021-1000051

Source
https://data.gsd.id/GSD-2021-1000051
Import Source
https://github.com/cloudsecurityalliance/gsd-database/blob/main/2021/1000xxx/GSD-2021-1000051.json
JSON Data
https://api.osv.dev/v1/vulns/GSD-2021-1000051
Withdrawn
2023-03-14T07:04:18.325187Z
Published
2021-05-31T15:39:45.031586Z
Modified
2023-03-14T07:04:18.325187Z
Summary
malware in "RotaJakiro" version all
Details

A new Linux malware labeled "RotaJakiro" has been found for 64bit Linux. When run as a root user the program creates entries in systems to run binaries labeled:

/bin/systemd/systemd-daemon /usr/lib/systemd/systemd-daemon

When run as a non root user it creates an autostart script$HOME/.config/au-tostart/gnomehelper.desktop

to run binaries labeled as:

$HOME/.dbus/sessions/session-dbus $HOME/.gvfsd/.profile/gvfsd-helper

MD5 hashes of the binaries involved include:

MD5:1d45cd2c1283f927940c099b8fab593b MD5:11ad1e9b74b144d564825d65d7fb37d6 MD5:5c0f375e92f551e8f2321b141c15c48f MD5:64f6cfe44ba08b0babdd3904233c4857

The "RotaJakiro" malware interacts with command and control servers at the following domains on port 443, but using a custom protocol:

news.thaprior.net:443 blog.eduelects.com:443 cdn.mirror-codes.net:443 status.sublineover.net:443

For more details please see the Qihoo 360 Netlab blog posting.

References

Affected packages