Thursday, December 26, 2024

The new Linux/Rakos, malware threatening devices and servers under SSH scan (Again)

A new Linux malware, dubbed Linux/Rakos, is threatening devices and servers. The malware is written in the Go language and the binary is usually compressed with the standard UPX tool.

Linux/Rakos spreads via brute-force attempts at SSH logins, in a similar way to many other Linux worms, including Linux/Moose (which spreads by attacking Telnet logins).

ESET explains that the obvious aim of this trojan is to assemble a list of unsecured devices and to have an opportunity to create a botnet consisting of as many zombies as possible.


The targets include both embedded devices and servers with an open SSH port on which a very weak password has been set. The list of IP addresses it spreads to is not extensive, and only poorly secured devices are affected by Linux/Rakos, ESET said.

Some users had forgotten that their device had an online service enabled and that a factory reset had reverted it to the default password, even though they reported having set a strong password before the reset. In some cases, mere exposure to the internet was enough for such a reset machine to end up compromised.

Threat Analysis method by ESET:

The author(s) wrote the malware in Go, and the binary is compressed with the standard UPX tool, so it has to be unpacked (upx -d) before static analysis.

The researchers explained that, with the help of a script by RedNaga Security that maps symbols back to their respective functions in the IDA Pro disassembler, the whole analysis was simplified to reviewing the features that the function names suggested, such as main_loadConfig, main_startLocalHttp, main_Skaro_Upgrade and main_IPTarget_checkSSH. There are strings like “Skaro” and “dalek” in the binary.

An example of Linux/Rakos configuration is available on ESET’s Github: https://github.com/eset/malware-ioc/tree/master/rakos.

The attack chain starts with the loading of a configuration file in YAML format via standard input (stdin); the file contains the list of C&C servers and the list of credentials to use in the brute-force attacks against target devices.

As the second step, the malware starts a local HTTP service available at http://127.0.0.1:61314.

“There are two reasons why this is installed: the first is as a cunning method for the future versions of the bot to kill the running instances regardless of their name by requesting http://127.0.0.1:61314/et; second, it tries to parse a URL query for parameters “ip”, “u”, “p” by requesting http://127.0.0.1:61314/ex. The purpose of this /ex HTTP resource is still unclear at the time of writing and it seems not to be referenced elsewhere in the code.” reads the analysis published by ESET.

The bot scans for the SSH service on various IP addresses obtained from the C&C server. Malware researchers also noticed that previous versions of the trojan scanned for the SMTP service as well, a feature that is disabled in current versions.

Main Attack Explained by ESET:

“If one of the username:password pairs from the configuration file results in a successful login to one of the target devices, two commands are run on that newly-accessed victim (id, uname -m), and other checks are performed and their results reported.”

“Finally, the binary checks whether it is possible to upload to the new victim and does so if the answer is affirmative.”

“We simulated an attack locally with two targets picked, 127.0.0.1 and 127.0.0.100 (originally, the attackers try 200 simultaneous targets every 10 seconds). Suppose the bot fails to connect to the first one, which it then marks as FORGET, while the latter one is successful with the INSTALL notice (an SSH connection was established with the correct shipping:shipping login credentials; also note that the uploaded executable is deleted immediately after execution):”
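From the victim's side, the sequence ESET describes (a run of failed SSH logins from one source, then a success with a guessed pair, then the INSTALL step) is exactly what sshd's own auth log records. The following detection script is an added example, not ESET's code and not part of the original article: it counts failed logins per source IP and flags a later accepted login from a source that had already failed repeatedly. The log lines and addresses are constructed (TEST-NET ranges); only the shipping:shipping pair is borrowed from ESET's simulation quoted above.

```python
"""Detect the SSH brute-force-then-login pattern in sshd auth logs (added
example, not ESET's code). Failed logins are counted per source IP; an
accepted login from a source that had already failed `fail_threshold`
times is reported as a probably guessed password, the point at which
Linux/Rakos would run id and uname -m and upload itself."""
import re
import sys
from collections import defaultdict

IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from " + IP)
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (?:password|publickey) for (?P<user>\S+) from " + IP)

# Constructed sample (TEST-NET addresses); shipping:shipping is the pair from
# ESET's simulated attack quoted above.
SAMPLE_LOG = """\
Dec 20 10:00:01 gw sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 41234 ssh2
Dec 20 10:00:02 gw sshd[2102]: Failed password for root from 203.0.113.5 port 41236 ssh2
Dec 20 10:00:03 gw sshd[2103]: Failed password for invalid user user from 203.0.113.5 port 41238 ssh2
Dec 20 10:00:04 gw sshd[2104]: Failed password for invalid user test from 203.0.113.5 port 41240 ssh2
Dec 20 10:00:05 gw sshd[2105]: Failed password for invalid user guest from 203.0.113.5 port 41242 ssh2
Dec 20 10:00:06 gw sshd[2106]: Accepted password for shipping from 203.0.113.5 port 41244 ssh2
Dec 20 10:00:07 gw sshd[2107]: Accepted publickey for ops from 198.51.100.7 port 50022 ssh2
Dec 20 10:00:08 gw sshd[2108]: Failed password for ops from 198.51.100.7 port 50024 ssh2
""".splitlines()


def analyse(lines, fail_threshold=5):
    """Return (bruteforcers, guessed): source IPs with at least
    fail_threshold failures, and (ip, user) pairs accepted after that many
    failures from the same source. Event order matters: a failure that
    follows a legitimate login (198.51.100.7 above) raises no alert."""
    failures = defaultdict(int)
    guessed = []
    for line in lines:
        m = FAILED.search(line)
        if m:
            failures[m["ip"]] += 1
            continue
        m = ACCEPTED.search(line)
        if m and failures.get(m["ip"], 0) >= fail_threshold:
            guessed.append((m["ip"], m["user"]))
    bruteforcers = {ip: n for ip, n in failures.items() if n >= fail_threshold}
    return bruteforcers, guessed


def report(lines, fail_threshold=5):
    """Human-readable summary; returns the number of guessed-password alerts."""
    bruteforcers, guessed = analyse(lines, fail_threshold)
    for ip, n in sorted(bruteforcers.items(), key=lambda kv: -kv[1]):
        print(f"brute force: {ip} ({n} failed logins)")
    for ip, user in guessed:
        print(f"ALERT: password for '{user}' accepted from {ip} after repeated failures")
    return len(guessed)


if __name__ == "__main__":
    # e.g.  journalctl -u ssh --no-pager | python3 rakos_ssh_detect.py
    lines = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read().splitlines()
    sys.exit(1 if report(lines) else 0)
```

Run it without input to see the constructed sample, or pipe `journalctl -u ssh` (or `-u sshd`, depending on the distribution) or /var/log/auth.log into it. The threshold of five is a starting point; a bot trying a credential list will usually exceed it by a wide margin, while a user who mistypes a password once or twice will not.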

Mitigation and cleanup:

The trojan isn’t able to maintain persistence after the system is rebooted. Exposed devices may, however, be compromised again and again.

The steps needed to clean up after a compromise are as follows:

  • connect to your device using SSH/Telnet,
  • look for a process named .javaxxx,
  • run commands like netstat or lsof with the -n switch to confirm that it is responsible for the unwanted connections,
  • (optionally) collect forensic evidence by dumping the memory space of the corresponding process (with gcore, for example). One can also recover the deleted sample from /proc with cp /proc/{pid}/exe {output_file},
  • terminate the process with kill -KILL.
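The checklist above can be scripted. The following Python triage helper is an added example, not ESET's code and not part of the original article: it enumerates processes whose name starts with .java, parses /proc/net/tcp for the bot's loopback listener on 127.0.0.1:61314 (described in the analysis above), maps the socket inode back to the owning process through /proc/<pid>/fd (the same mapping netstat -p and lsof -n do for you), recovers the deleted sample from /proc/<pid>/exe, and with --kill sends SIGKILL. The process-name suffix, PIDs and socket inodes in build_demo_proc() are constructed for offline use; run it with --demo to see the flow, or as root without arguments on a suspect host.

```python
"""Triage helper for a suspected Linux/Rakos infection (added example, not
ESET's or the malware author's code). Indicators from the write-up: a
process named .javaxxx, a loopback HTTP listener on 127.0.0.1:61314, and a
sample unlinked from disk after launch but still readable via
/proc/<pid>/exe. Every function takes the /proc root as a parameter so it
also runs against the constructed tree from build_demo_proc()."""
import os
import shutil
import signal
import sys
import tempfile

RAKOS_PORT = 61314          # the bot's local HTTP service (per ESET)
LOOPBACK_HEX = "0100007F"   # 127.0.0.1 as /proc/net/tcp prints it (little-endian)
TCP_LISTEN = "0A"           # socket state LISTEN in /proc/net/tcp
NAME_PREFIX = ".java"       # process name reported as .javaxxx (xxx varies)


def parse_proc_net_tcp(text):
    """Return (local_ip_hex, local_port, state_hex, inode) per socket row."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the header
        parts = line.split()
        if len(parts) < 10:
            continue
        ip_hex, port_hex = parts[1].split(":")
        rows.append((ip_hex, int(port_hex, 16), parts[3], int(parts[9])))
    return rows


def rakos_listener_inodes(net_tcp_text):
    """Socket inodes LISTENing on 127.0.0.1:61314 (empty set if none)."""
    return {inode for ip, port, state, inode in parse_proc_net_tcp(net_tcp_text)
            if ip == LOOPBACK_HEX and port == RAKOS_PORT and state == TCP_LISTEN}


def socket_inodes_of(pid, proc):
    """Socket inodes a process holds open, read from its /proc/<pid>/fd links."""
    inodes = set()
    fd_dir = os.path.join(proc, str(pid), "fd")
    try:
        for fd in os.listdir(fd_dir):
            target = os.readlink(os.path.join(fd_dir, fd))
            if target.startswith("socket:["):
                inodes.add(int(target[len("socket:["):-1]))
    except OSError:                             # process exited or no permission
        pass
    return inodes


def suspicious_pids(proc):
    """PIDs whose command name starts with .java."""
    pids = []
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc, entry, "comm")) as f:
                comm = f.read().strip()
        except OSError:
            continue
        if comm.startswith(NAME_PREFIX):
            pids.append(int(entry))
    return sorted(pids)


def triage(proc="/proc"):
    """Map each suspicious PID to whether it owns the 61314 listener."""
    with open(os.path.join(proc, "net", "tcp")) as f:
        listener = rakos_listener_inodes(f.read())
    return {pid: bool(socket_inodes_of(pid, proc) & listener)
            for pid in suspicious_pids(proc)}


def recover_sample(pid, out_path, proc="/proc"):
    """Copy the executable out of /proc/<pid>/exe; this works even after the
    file was unlinked from disk. Returns the number of bytes written."""
    with open(os.path.join(proc, str(pid), "exe"), "rb") as src, \
            open(out_path, "wb") as dst:
        shutil.copyfileobj(src, dst)
    return os.path.getsize(out_path)


def build_demo_proc():
    """Constructed /proc look-alike for offline runs: pid 1234 is a .java
    process holding the 61314 listener socket, pid 999 an innocent sshd."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    os.makedirs(os.path.join(root, "net"))
    with open(os.path.join(root, "net", "tcp"), "w") as f:
        f.write("  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
                "   0: 0100007F:EF82 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 54321 1 0 100 0 0 10 0\n"
                "   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 17000 1 0 100 0 0 10 0\n")
    for pid, comm, inode in ((1234, ".javaQx7", 54321), (999, "sshd", 17000)):
        d = os.path.join(root, str(pid))
        os.makedirs(os.path.join(d, "fd"))
        with open(os.path.join(d, "comm"), "w") as f:
            f.write(comm + "\n")
        os.symlink(f"socket:[{inode}]", os.path.join(d, "fd", "3"))
        with open(os.path.join(d, "exe"), "wb") as f:
            f.write(b"\x7fELF" + b"\0" * 12)    # stand-in for the deleted binary
    return root


if __name__ == "__main__":
    proc = build_demo_proc() if "--demo" in sys.argv else "/proc"
    for pid, owns_listener in triage(proc).items():
        out = f"rakos-{pid}.bin"
        print(f"pid {pid}: .java process, owns 127.0.0.1:61314 listener: {owns_listener}")
        print(f"  recovered {recover_sample(pid, out, proc)} bytes to {out}")
        if proc == "/proc" and "--kill" in sys.argv:
            os.kill(pid, signal.SIGKILL)        # last step; take the gcore dump first
```

The script deliberately does not dump memory itself: run gcore on the PID it reports before passing --kill, so the evidence is captured while the process is still alive. Because the bot has no persistence, a reboot clears it just as well, but it does nothing about the weak password that let it in.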

Needless to say, victims have to secure their SSH credentials, and have to do so again after every factory reset.

Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
