| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1119 | Automated Collection | Depending on the Linux distribution, RotaJakiro executes a set of commands to collect device information and sends the collected information to the C2 server. |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.013 | XDG Autostart Entries | When executing with user-level permissions, RotaJakiro can install persistence using a .desktop file under the $HOME/.config/autostart/ folder. |
| enterprise | T1037 | Boot or Logon Initialization Scripts | Depending on the Linux distribution and when executing with root permissions, RotaJakiro may install persistence using a .conf file in the /etc/init/ folder. |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.002 | Systemd Service | Depending on the Linux distribution and when executing with root permissions, RotaJakiro may install persistence using a .service file under the /lib/systemd/system/ folder. |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | RotaJakiro uses ZLIB compression to compress data sent to the C2 server in the payload section of the network communication packet. |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | RotaJakiro uses the AES algorithm, bit shifts in a function called rotate, and an XOR cipher to decrypt resources required for persistence, process guarding, and file locking. It also performs this same function on encrypted stack strings and on the head and key sections of the network packet structure used for C2 communications. |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | RotaJakiro encrypts C2 communication using a combination of AES, XOR, ROTATE encryption, and ZLIB compression. |
| enterprise | T1546 | Event Triggered Execution | - |
| enterprise | T1546.004 | Unix Shell Configuration Modification | When executing with non-root permissions, RotaJakiro can install persistence by adding a command to the .bashrc file that executes a binary in the ${HOME}/.gvfsd/.profile/ folder. |
| enterprise | T1041 | Exfiltration Over C2 Channel | RotaJakiro sends device and other collected data back to the C2 using the established C2 channels over TCP. |
| enterprise | T1559 | Inter-Process Communication | When executing with non-root permissions, RotaJakiro uses the shmget API to create shared memory between other known RotaJakiro processes. This allows the processes to communicate with each other and share their PIDs. |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Resource Name or Location | RotaJakiro has used the filename systemd-daemon in an attempt to appear legitimate. |
| enterprise | T1106 | Native API | When executing with non-root permissions, RotaJakiro uses the shmget API to create shared memory between other known RotaJakiro processes. RotaJakiro also uses the execvp API to "resurrect" a dead RotaJakiro process. |
| enterprise | T1095 | Non-Application Layer Protocol | RotaJakiro uses a custom binary protocol in a type, length, value format over TCP. |
| enterprise | T1571 | Non-Standard Port | RotaJakiro uses a custom binary protocol over TCP port 443. |
| enterprise | T1057 | Process Discovery | RotaJakiro can monitor the /proc/[PID] directory of known RotaJakiro processes as part of its persistence when executing with non-root permissions. If a process is found dead, it resurrects the process. RotaJakiro processes can be matched to an associated advisory lock in the /proc/locks file to ensure it doesn't spawn more than one process. |
| enterprise | T1129 | Shared Modules | RotaJakiro uses dynamically linked shared libraries (.so files) to execute additional functionality using dlopen() and dlsym(). |
| enterprise | T1082 | System Information Discovery | RotaJakiro executes a set of commands to collect device information, including uname. Another example is the cat /etc/*release \| uniq command, used to collect the current OS distribution. |
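As an added defensive example (not part of this ATT&CK page or any RotaJakiro analysis), the following Python hunt walks a constructed sample filesystem for the persistence and masquerading artifacts described in the rows above: a .bashrc command launching from ${HOME}/.gvfsd/.profile/, an XDG autostart .desktop entry pointing at that folder, and a systemd unit or /etc/init .conf that references the systemd-daemon name. The helper binary name gvfsd-helper, the user alice, and the unit name sys-daemon.service are constructed fixture values.

```python
"""Hunt for the RotaJakiro persistence artifacts described above (added example).

Only constructed sample data is used; paths under `root` mirror a Linux filesystem.
"""
import re
import tempfile
from pathlib import Path

# Strings taken from the technique descriptions on this page.
GVFSD_RE = re.compile(r"\.gvfsd/\.profile")   # T1546.004 / T1547.013 drop folder
MASQ_NAME = "systemd-daemon"                   # T1036.005 masquerading filename


def scan_persistence(root: Path) -> list[str]:
    """Return one finding string per suspicious artifact found under `root`."""
    findings = []
    # T1546.004: command appended to .bashrc that executes from ${HOME}/.gvfsd/.profile/
    for rc in root.glob("home/*/.bashrc"):
        for n, line in enumerate(rc.read_text().splitlines(), 1):
            if GVFSD_RE.search(line):
                findings.append(f"T1546.004 {rc}:{n} -> {line.strip()}")
    # T1547.013: XDG autostart entry whose Exec= points at the same folder or name
    for desk in root.glob("home/*/.config/autostart/*.desktop"):
        exec_line = next((l for l in desk.read_text().splitlines() if l.startswith("Exec=")), "")
        if GVFSD_RE.search(exec_line) or MASQ_NAME in exec_line:
            findings.append(f"T1547.013 {desk} -> {exec_line}")
    # T1543.002 / T1037 (root-level): unit or init conf named after, or launching, systemd-daemon
    units = list(root.glob("lib/systemd/system/*.service")) + list(root.glob("etc/init/*.conf"))
    for unit in units:
        if MASQ_NAME in unit.name or MASQ_NAME in unit.read_text():
            findings.append(f"T1036.005 {unit} references '{MASQ_NAME}' (not a standard systemd component)")
    return findings


def build_sample_root() -> Path:
    """Constructed fixture: one infected user profile plus one root-level unit file."""
    root = Path(tempfile.mkdtemp())
    home = root / "home" / "alice"
    (home / ".config" / "autostart").mkdir(parents=True)
    (home / ".bashrc").write_text(
        "export PATH=$PATH:~/bin\n"
        "${HOME}/.gvfsd/.profile/gvfsd-helper &\n")      # constructed helper name
    (home / ".config/autostart/gnome-helper.desktop").write_text(
        "[Desktop Entry]\nType=Application\nExec=/home/alice/.gvfsd/.profile/gvfsd-helper\n")
    (root / "lib/systemd/system").mkdir(parents=True)
    (root / "lib/systemd/system/sys-daemon.service").write_text(
        "[Service]\nExecStart=/bin/systemd-daemon\n")   # constructed unit
    return root


if __name__ == "__main__":
    for finding in scan_persistence(build_sample_root()):
        print(finding)
```

Point `scan_persistence` at a mounted forensic image root (or `/`) to run it against a live host; the per-finding technique ID makes the output easy to map back to the table.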