Linux Alert: New Malware Dubbed Linux/Rakos Can Compromise Servers and Devices

A new Linux malware family has been identified by researchers at the Slovakia-based security firm ESET, who have dubbed it Linux/Rakos. The malicious code is written in Go (the open-source language created by Google) and the binary is packed with the standard UPX packer. A number of Linux users had been complaining on forums that their embedded devices were overloaded with unknown network and computing activity; in fact, Linux/Rakos was using those devices to run its own malicious processes. The malware is capable of compromising servers as well as embedded devices.

How Does Linux/Rakos Malware Work?

The malware first scans for hosts with an open SSH port, then brute-forces the ones whose logins are poorly protected. Many Linux threats gain their initial foothold the same way; what sets Linux/Rakos apart is that it targets both servers and embedded devices. Each compromised machine is enrolled in a botnet, and through the command and control (C&C) servers the attackers can direct it to carry out further malicious activity. Devices protected with simple, easily guessed passwords are the easiest prey. The researchers also saw devices with strong passwords under the malware's control: these devices were reachable from the internet and, after a factory reset, had reverted to their default credentials, which the malware then used to log in.
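The brute-force phase described above leaves a distinctive trail in the SSH daemon's log: a burst of failed password attempts from one source address, and, when a weak or default password is guessed, an accepted password login from that same address. The following script is an added example (not from the original article, nor from ESET) that runs that detection logic over a few constructed sshd log lines in standard syslog format; the hostnames, addresses and timestamps in the sample are made up for illustration.

```shell
#!/bin/sh
# Added example: spot SSH brute-forcing (and a brute-force that succeeded)
# in OpenSSH log lines. Not from the original article. Assumes only a POSIX
# shell and awk. The sample log below is constructed, not a real capture.

sample_auth_log() {
    cat <<'EOF'
Dec 20 10:01:02 gw sshd[1201]: Failed password for root from 203.0.113.9 port 51234 ssh2
Dec 20 10:01:03 gw sshd[1203]: Failed password for invalid user admin from 203.0.113.9 port 51240 ssh2
Dec 20 10:01:04 gw sshd[1205]: Failed password for pi from 203.0.113.9 port 51250 ssh2
Dec 20 10:01:05 gw sshd[1207]: Failed password for root from 203.0.113.9 port 51261 ssh2
Dec 20 10:01:09 gw sshd[1209]: Accepted password for root from 203.0.113.9 port 51270 ssh2
Dec 20 10:02:11 gw sshd[1220]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Dec 20 10:03:00 gw sshd[1230]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
EOF
}

# Count failed password attempts per source IP, read from stdin.
# Prints "count ip", busiest source first. Works for both
# "Failed password for USER from IP" and "... for invalid user USER from IP".
failed_ssh_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
         }
         END { for (ip in fails) printf "%d %s\n", fails[ip], ip }' | sort -rn
}

# Report "ip user" for every accepted *password* login that came from an
# address which had already failed at least $1 times (default 3): the
# signature of a brute-force that eventually guessed the password.
# Key-based logins ("Accepted publickey") are deliberately not matched.
successful_bruteforce() {
    threshold=${1:-3}
    awk -v t="$threshold" '
        /sshd\[[0-9]+\]: (Failed|Accepted) password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i+1); break }
            if ($0 ~ /Failed password/) {
                fails[ip]++
            } else if (fails[ip] >= t) {
                # the user name is the word just before "from"
                print ip, $(i-1)
            }
        }'
}

# Demonstration on the constructed sample.
sample_auth_log | failed_ssh_by_ip
sample_auth_log | successful_bruteforce 3
```

On a real host, feed the functions the live log instead of the sample, for example `successful_bruteforce 3 < /var/log/auth.log` or `journalctl -u ssh --no-pager | successful_bruteforce 3`. A hit from the second function means the password should be treated as known to the attacker and changed before the host is cleaned up.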

Step 1

The bot begins by loading its configuration from standard input (stdin). The configuration is written in YAML, a human-readable data serialization format, and contains the list of command and control servers and the list of credentials the malware is to try during the brute-force attack.

Step 2

Next, Linux/Rakos starts an HTTP service bound to localhost (http://127.0.0.1:61314). According to ESET's researchers the purpose of this service is still unclear, but two uses are visible. First, it gives future versions of the bot a cunning way to kill running instances regardless of their process name, by requesting http://127.0.0.1:61314/et. Second, the handler for http://127.0.0.1:61314/ex parses the URL query for the parameters "ip", "u" and "p" (presumably a target address, a username and a password).

An earlier version of the malware also scanned IP addresses for SMTP services; the current version scans only for SSH, working through target address lists obtained from the command and control servers. The current version also starts a web server that listens on all interfaces.

After Gaining Access to a Device

Once Linux/Rakos has logged in to a device, it runs two commands, id and uname -m, to learn which user it is running as and the machine's architecture. From this it decides whether it can upload its malicious code to the target. The attackers can also push an updated YAML configuration file to the bots from the backend through the command and control servers.

The malware takes its commands from the following command and control servers:

185.14.29.65

185.82.216.125

195.123.210.100

185.20.184.117

193.169.245.68

46.8.44.55

5.34.180.64

5.34.183.231

217.12.208.28

185.14.30.78

217.12.203.31

Mitigation

The malware has no persistence mechanism, so it does not survive a system reboot. To remove it from a device, ESET recommends the following steps:

• Connect to your device via SSH or Telnet.

• Look for a process named .javaxxx (note the leading dot).

• Confirm unwanted or unknown processes and connections with tools such as netstat or lsof -n.

• (Optionally) collect forensic evidence by dumping the memory space of the process, for example with gcore. The deleted sample can also be recovered from /proc with cp /proc/{pid}/exe {output_file}.

• Kill the process with -KILL (kill -KILL {pid}).

Killing the process, or rebooting, only removes the running bot. Unless the weak or default SSH password that let it in is changed, the device will simply be brute-forced again.
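The steps above, collected into one triage script, as an added example that is not ESET's tool and not code from the original article. It assumes a POSIX shell, awk and a Linux /proc filesystem, and uses gcore (shipped with gdb) only if it is installed. The script locates processes disguised with a .java prefix, checks /proc/net/tcp for the bot's local HTTP listener on 127.0.0.1:61314, preserves the binary and a memory dump, and only then kills the process. It does not use the bot's own /et endpoint, since the article leaves its purpose uncertain. The /proc tree and socket table used in the checks are parameterised so they can be pointed at constructed copies for testing.

```shell
#!/bin/sh
# Added example: Linux/Rakos host triage. Not from the original article and
# not an ESET tool. Assumes POSIX sh, awk, Linux /proc; gcore is optional.

# Print the PIDs whose process name (/proc/<pid>/comm) starts with ".java",
# the disguise the article describes. $1 overrides the /proc root (for tests).
find_dotjava_pids() {
    proc=${1:-/proc}
    for comm in "$proc"/[0-9]*/comm; do
        [ -r "$comm" ] || continue
        case "$(cat "$comm" 2>/dev/null)" in
            .java*) pid=${comm#"$proc"/}; echo "${pid%/comm}" ;;
        esac
    done
}

# Succeed if something is listening on 127.0.0.1:61314, the bot's local
# HTTP service. /proc/net/tcp stores addresses as little-endian hex:
# 127.0.0.1 is 0100007F, port 61314 is EF82, and state 0A means LISTEN.
# $1 overrides the table file (default /proc/net/tcp) for tests.
rakos_local_listener() {
    awk '$2 == "0100007F:EF82" && $4 == "0A" { found = 1 }
         END { if (found) exit 0; exit 1 }' "${1:-/proc/net/tcp}"
}

# Preserve evidence before killing: the executable (readable through
# /proc/<pid>/exe even if the bot deleted itself from disk), the command
# line, open file descriptors, and a core dump when gcore is available.
# $1 = pid, $2 = output directory.
collect_evidence() {
    pid=$1; out=$2
    mkdir -p "$out"
    cp "/proc/$pid/exe" "$out/rakos_$pid.bin"
    tr '\0' ' ' < "/proc/$pid/cmdline" > "$out/cmdline_$pid.txt"
    ls -l "/proc/$pid/fd" > "$out/fds_$pid.txt" 2>/dev/null
    if command -v gcore >/dev/null 2>&1; then
        gcore -o "$out/core_$pid" "$pid"
    fi
    echo "$out"
}

# The full procedure: detect, preserve, kill. $1 = evidence directory.
# Only removes the running bot; the SSH password must still be changed.
rakos_triage() {
    evidence=${1:-/root/rakos-evidence}
    if rakos_local_listener; then
        echo "127.0.0.1:61314 is listening: consistent with a running Rakos bot"
    fi
    for pid in $(find_dotjava_pids); do
        echo "suspicious process $pid: $(cat "/proc/$pid/comm")"
        collect_evidence "$pid" "$evidence"
        kill -KILL "$pid"
    done
}

# The live triage touches real processes, so it only runs when asked for:
#   RAKOS_TRIAGE=1 sh rakos_triage.sh
if [ "${RAKOS_TRIAGE:-0}" = 1 ]; then
    rakos_triage
fi
```

Run it over SSH or Telnet on the affected device as root; the evidence directory can then be copied off the box for analysis. If `rakos_local_listener` succeeds but no .java process is found, the bot may have been renamed in a newer build, in which case `ss -ltnp` or `lsof -n -i :61314` will name the owning process.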

Source: welivesecurity.com
