First detected in August 2016 by researchers at ESET, Rakos is a strain of malware that targets and infects Linux servers and Linux-based IoT devices. Rakos performs brute-force attacks against the Secure Shell (SSH) logins of targeted devices and adds the devices it compromises to its botnet to perform additional attacks. Devices vulnerable to a Rakos infection include those with an open SSH port and those that have very weak or default SSH login credentials.

Rakos is written in Google’s Go programming language and launches processes from files named .javaxxx, .swap, or kworker residing within temporary directories. Once Rakos infects a device, it connects to its C2 server and requests a configuration file containing a list of login credential combinations, backup C2 servers, and the version number of the file. It also requests an IP address from the C2 server in order to spread itself to the next target. Lastly, it sets up a local web server on port 61314 in order to receive updates and upgrades.

Rakos cannot maintain persistence after the infected device is rebooted or a factory reset is performed. However, devices that still have weak SSH credentials after a reset are susceptible to repeated compromise. Additional recommended steps to take following a Rakos infection include connecting to the device using SSH/Telnet, looking for a process named .javaxxx, confirming that it is associated with unwanted connections, and then killing the process.
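The indicators described above (processes launched from .javaxxx, .swap, or kworker files in temporary directories, and a local listener on port 61314) can be checked with a short triage script; this is an added example, not code from ESET or the original page. The function names, the script name, and the list of temporary directories (/tmp, /var/tmp, /dev/shm) are assumptions, and the script only reports findings so an analyst can confirm them before killing anything.

```sh
#!/bin/sh
# Added triage example for the Rakos indicators described above.
# Assumption: "temporary directories" means /tmp, /var/tmp and /dev/shm.

# Return 0 if an executable path matches a Rakos file name inside a temp dir.
is_rakos_path() {
    p=${1%" (deleted)"}   # /proc/PID/exe carries this suffix once the file is unlinked
    case "$p" in
        /tmp/*|/var/tmp/*|/dev/shm/*) ;;
        *) return 1 ;;
    esac
    case "${p##*/}" in
        .javaxxx|.swap|kworker) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if a /proc/net/tcp-format file shows a listener on TCP port 61314.
# The local port is hex in column 2 (61314 = 0xEF82); state 0A means LISTEN.
has_rakos_listener() {
    [ -r "$1" ] || return 1
    awk '$4 == "0A" && toupper($2) ~ /:EF82$/ { hit = 1 } END { exit !hit }' "$1"
}

# Print "PID PATH" for each running process whose binary matches; never kills.
scan_procs() {
    for link in /proc/[0-9]*/exe; do
        # Genuine kworker kernel threads have no exe link, so they are skipped here.
        exe=$(readlink "$link" 2>/dev/null) || continue
        if is_rakos_path "$exe"; then
            pid=${link#/proc/}
            echo "${pid%/exe} $exe"
        fi
    done
}

triage() {
    echo "Processes run from Rakos-style temp files:"
    scan_procs
    for f in /proc/net/tcp /proc/net/tcp6; do
        if has_rakos_listener "$f"; then echo "Listener on TCP 61314 found in $f"; fi
    done
}

# Run "sh rakos_triage.sh scan" as root on the device to perform the live check.
if [ "${1:-}" = scan ]; then triage; fi
```

A process named kworker that has a readable executable path under a temporary directory is worth particular attention, because legitimate kworker entries are kernel threads with no backing file.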

Reporting and Technical Details

  • December 2016: Mysterious Rakos Botnet Rises in the Shadows by Targeting Linux Servers, IoT Devices. (Bleeping Computer)
  • December 2016: ESET provides IoCs and technical details about Rakos on their WeLiveSecurity blog. (ESET)
  • May 2017: Rakos Botnet Adds Support for P2P Backbone, Grows Larger (Bleeping Computer)
  • May 2017: Exploring a P2P Transient Botnet (SANS ISC)

One example of the Rakos Botnet. Image Source: Bleeping Computer