Cunning Linux malware has eluded detection for years, and experts still don't know what it does.

Security researchers have discovered a sophisticated malware written for Linux. Its purpose remains a mystery.

At least it has now been identified; researchers at Qihoo 360 Netlab (via Bleeping Computer) call it RotaJakiro. The name captures two of its traits: it rotates through the encryption keys it uses, and, like a two-headed beast, it executes different code depending on whether it is running as root or as an unprivileged user.

It has stayed hidden for so long because RotaJakiro conceals its sensitive resources behind a combination of ZLIB compression and several different encryption algorithms, which defeats signature-based scanning. At least four RotaJakiro samples have been uploaded to VirusTotal, a service that scans submitted files with over 60 anti-virus engines, the earliest as far back as 2018 and the latest in January of this year.
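Hiding resources behind compression and encryption leaves two kinds of trace an analyst can look for during static triage: an intact zlib stream header (if the compressed data was not encrypted afterwards) and a region of near-random bytes (if it was). The script below is an added example written for this page, not code from the article or from Netlab's analysis, and it knows nothing about RotaJakiro's actual layout; it scans a blob for inflatable zlib streams and for high-entropy windows. The sample "binary" it builds is constructed inline, and its contents (the config text, the padding, the pseudo-random block standing in for an encrypted resource) are assumptions made for illustration.

```python
"""Static triage helper: find embedded zlib streams and high-entropy regions.

Added example, not part of the original article. Malware that hides
resources behind zlib compression and encryption tends to leave either a
recognisable zlib header or a block of near-random bytes in the binary;
both are cheap to scan for before any reverse engineering starts.
"""
import math
import random
import zlib

# RFC 1950 zlib headers with CMF=0x78 (32 KiB window, deflate) and no preset
# dictionary. FLG must satisfy (CMF*256 + FLG) % 31 == 0; these four values
# cover zlib's compression levels 1, 2-5, 6 (default) and 7-9.
ZLIB_HEADERS = (b"\x78\x01", b"\x78\x5e", b"\x78\x9c", b"\x78\xda")

# Constructed config text that the sample embeds in compressed form.
HIDDEN_CONFIG_PLAINTEXT = b"c2_host=example.invalid\nc2_port=443\n" * 4


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 8.0 is uniformly random, 0.0 is constant."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_zlib_streams(blob: bytes, min_len: int = 16) -> list:
    """Return (offset, inflated_bytes) for every position where a complete
    zlib stream inflates. decompressobj() stops at the end-of-stream marker
    and leaves trailing bytes alone, so the stream length need not be known;
    a header that occurs by chance inside random data fails the inflate or
    never reaches eof and is skipped."""
    hits = []
    for i in range(len(blob) - 1):
        if blob[i:i + 2] not in ZLIB_HEADERS:
            continue
        d = zlib.decompressobj()
        try:
            out = d.decompress(blob[i:])
        except zlib.error:
            continue
        if d.eof and len(out) >= min_len:
            hits.append((i, out))
    return hits


def high_entropy_windows(blob: bytes, window: int = 512,
                         threshold: float = 7.2) -> list:
    """Return (offset, entropy) for non-overlapping windows above threshold.
    Encrypted or compressed data approaches 8.0 bits/byte, code and text sit
    well below. The empirical estimate on a 512-byte window of truly random
    bytes is about 7.6 (sampling bias), so the threshold is set below 8."""
    hits = []
    for off in range(0, len(blob) - window + 1, window):
        h = shannon_entropy(blob[off:off + window])
        if h > threshold:
            hits.append((off, round(h, 2)))
    return hits


def build_sample(seed: int = 1) -> bytes:
    """Constructed sample binary (an assumption for the demo, not a real
    sample): zero/text padding, a zlib-compressed config, more padding, then
    2048 pseudo-random bytes standing in for an encrypted resource.
    Deterministic so the scan results are reproducible."""
    rng = random.Random(seed)
    padding = b"\x00" * 300 + b"usage: helper [options]\n" * 4   # 396 bytes
    hidden_config = zlib.compress(HIDDEN_CONFIG_PLAINTEXT, 9)       # 78 da header
    encrypted = bytes(rng.getrandbits(8) for _ in range(2048))
    return padding + hidden_config + padding + encrypted


if __name__ == "__main__":
    sample = build_sample()
    for off, data in find_zlib_streams(sample):
        print(f"zlib stream at 0x{off:x}: {data[:40]!r}...")
    for off, ent in high_entropy_windows(sample):
        print(f"high-entropy window at 0x{off:x}: {ent} bits/byte")
```

Run against a real file with `build_sample()` replaced by `open(path, "rb").read()`. An inflated stream gives you plaintext to read directly; a high-entropy region with no inflatable header is the spot to examine for a decryption routine nearby, which is exactly the situation the compressed-then-encrypted scheme described above produces.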

The engines returned a clean bill of health in every instance, which leads the Qihoo 360 Netlab team to suspect that further samples exist undetected. But that is not the only open question.

"The real work is far from done and many questions remain: how did RotaJakiro spread, what is its purpose, does RotaJakiro have a specific target, does the community have relevant If you have any clues, we would love to know," the security team said in a blog post.

What the researchers do know is that RotaJakiro supports 12 functions. Three of them relate to plug-ins, but it is not yet clear what those plug-ins do. The malware targets 64-bit Linux systems and operates as a backdoor, giving an attacker a foothold from which sensitive information could be stolen from an infected machine.

The researchers also observed characteristics shared with the Torii botnet, discovered by Avast in 2018, leading them to believe there may be a connection between the two.

"From a reverse engineering perspective, RotaJakiro and Torii share a similar style, including the use of cryptographic algorithms to hide sensitive resources, a fairly old-style persistence implementation, and structured network traffic. We don't know the answer to that question exactly, but it seems that RotaJakiro and Torii are connected in some way," the researchers stated.

Whatever its intention, its days of hiding in plain sight are over: at least four AV engines at VirusTotal now detect this malware, and it should not be long before dozens of others catch up.
