Linux/Rakos is the name of the latest Linux malware currently on the loose. The malware searches for victims by scanning for SSH services. The code is written in the Go language, and researchers say the binary is most likely compressed with the standard UPX packer.
Users have been complaining that their embedded devices have been overloaded with computing and network tasks. The culprit appears to be the Linux/Rakos malware.
Linux/Rakos Attacks Explained
Attacks are based on brute force attempts at SSH logins, which is how Linux malware typically operates; Linux/Moose is another example of such an attack. Linux/Rakos can compromise both embedded devices and servers with an open SSH port. The port is password-protected, but the password is weak and easy to guess.
Once the malware has taken over a device, it can add it to a botnet used for various malicious activities. Among other things, the malware scans the Internet starting from a limited list of IP addresses, and then spreads itself to more devices.
What the malware wants to do is build a list of unsecured devices and then assemble a botnet of as many zombies as possible. The scan starts from a limited list of IPs and then spreads to more targets. Luckily, only poorly secured devices are endangered by Linux/Rakos. What does this mean? Some users have reported setting strong passwords but forgetting to disable the device's online service; after a factory reset, the password was changed back to the default one. Researchers say that only several hours of online exposure were needed for this to happen.
How Does a Linux/Rakos Attack Start?
The attack scenario starts when a configuration file in YAML format is loaded via standard input. The file contains lists of command and control servers and the credentials to use in the brute force attempts. Here’s an example of the malware’s configuration:
https://github.com/eset/malware-ioc/tree/master/rakos
What Is the Mitigation against a Linux/Rakos Attack?
Researchers say that the malware can’t set up a persistent installation. Nonetheless, the targeted hosts can be attacked repeatedly.
Infected devices can be fixed by following the steps below, as advised by ESET researchers:
- Connect to your device using SSH/Telnet;
- Locate a process named .javaxxx;
- Run commands like netstat or lsof with the -n switch to make sure it is responsible for the unwanted connections;
- Collect forensic evidence by dumping the memory space of the corresponding process (e.g. with gcore). One could also recover the deleted sample from /proc with cp /proc/{pid}/exe {output_file}
- End the process with the -KILL signal.
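The steps above, turned into a small triage script. This is example code added for this page, not ESET's tooling or anything from the original article; it assumes a Linux host with gdb's gcore, ss and sha256sum available, and the process and socket listings it parses follow the `ps -eo pid=,comm=` and `ss -ntp` formats. The sample listings embedded in it are constructed so the detection part can be checked offline.

```shell
#!/bin/sh
# Added example: triage helper for the Linux/Rakos cleanup steps (not ESET's code).
# Assumes gdb's gcore, ss and sha256sum; sample data below is constructed.

# Step 2: PIDs whose command name starts with ".java" (the ".javaxxx" name above).
# Input on stdin: "pid comm" lines, e.g. from `ps -eo pid=,comm=`.
rakos_pids() {
  awk '$2 ~ /^\.java/ { print $1 }'
}

# Step 3: does this PID own an outbound connection to TCP port 22?
# Input on stdin: `ss -ntp` lines; field 5 is Peer_Address:Port, the last
# column holds users:(("name",pid=N,fd=M)).
pid_scans_ssh() {
  grep -E "pid=$1," | awk '{ print $5 }' | grep -Eq ':22$'
}

# Steps 4 and 5: preserve evidence first, then terminate. Needs root.
collect_and_kill() {
  pid="$1"; out="$2"
  mkdir -p "$out"
  gcore -o "$out/core" "$pid"             # memory image of the running process
  cp "/proc/$pid/exe" "$out/sample.bin"   # recovers the binary even if deleted on disk
  sha256sum "$out/sample.bin" > "$out/sample.sha256"
  kill -KILL "$pid"
}

# Constructed sample listings for an offline check of the detection logic.
SAMPLE_PS='842 sshd
1337 .javaxxx
2001 bash'
SAMPLE_SS='State Recv-Q Send-Q Local_Address:Port Peer_Address:Port Process
ESTAB 0 0 10.0.0.5:44122 203.0.113.9:22 users:(("./.javaxxx",pid=1337,fd=7))
ESTAB 0 0 10.0.0.5:51004 198.51.100.4:22 users:(("./.javaxxx",pid=1337,fd=9))
ESTAB 0 0 10.0.0.5:22 192.0.2.10:53411 users:(("sshd",pid=842,fd=4))'

# Prints the PIDs that pass both checks against the samples (expected: 1337).
demo_find_suspects() {
  for pid in $(printf '%s\n' "$SAMPLE_PS" | rakos_pids); do
    if printf '%s\n' "$SAMPLE_SS" | pid_scans_ssh "$pid"; then
      echo "$pid"
    fi
  done
}

# Live use on a real host, one confirmed PID at a time:
#   ps -eo pid=,comm= | rakos_pids | while read -r pid; do
#     ss -ntp | pid_scans_ssh "$pid" && collect_and_kill "$pid" "/root/rakos-$pid"
#   done
```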