Rakos Malware Takes Over Embedded Linux Devices

A recently observed piece of malware targeting embedded Linux systems can provide attackers with full control over the infected devices, ESET security researchers warn.

Dubbed Rakos, the newly discovered malware attacks vulnerable devices through brute-force SSH login attempts, a method already observed in various other Linux threats. The malicious program aims to infect both embedded devices and servers that expose an SSH port by preying on their weak credentials, with the purpose of building a large botnet.

The attack method is similar to that observed with Mirai, the Internet of Things botnet that became famous recently after infecting devices in 164 countries: the Trojan searches for poorly-secured devices, infects them, then uses them to spread further. According to ESET, the new threat starts the scan from a small list of IPs, but then incrementally expands the search to more targets.

Rakos is written in the Go language and has a binary compressed with the standard UPX tool. 

The Trojan was observed loading its configuration via standard input (stdin) in YAML format. This configuration file includes various information, including a list of command and control (C&C) servers, the credentials that are used to brute-force devices, and internal parameters.

Next, the malware starts a local HTTP server, which allows future versions to kill running instances regardless of their name, and which also attempts to parse a URL query for various parameters. Additionally, the malware creates a web server bound to all interfaces, listening on a randomly chosen TCP port in the range 20,000 to 60,000.

When a remote request is sent to the device via this port, a response containing the IP address is received, researchers say. The malware also sends an initial HTTP request containing important information about the victim device to the C&C server.

Interestingly, the researchers noticed that a previous version of the Trojan also scanned for the SMTP service, but that the feature was disabled in the current build, most likely because it is still under development.

While analyzing the backdoor’s capabilities, the security researchers discovered that it is also capable of updating the configuration file from a specific C&C location, as well as upgrading itself. Moreover, because it sends information such as the device’s IP address, username, and password, it basically provides the attacker with complete control over the infected device.

The botnet has not yet been observed performing distributed denial of service (DDoS) attacks or sending spam, but researchers believe it may receive such functionality, given the level of control over the infected device that it gives the attackers.

“Together with the foul language used in the code, we think it is unlikely that this is just an invasive but innocent experiment or an unfortunate exercise in academic research,” ESET researchers say.

The Trojan doesn’t feature persistence capabilities, but rebooted devices can be compromised repeatedly. To clean compromised devices, users should connect to them using SSH/Telnet, look for a process named .javaxxx, verify that it is responsible for unwanted connections, and then kill it. Next, victims should secure the SSH credentials to avoid future compromise.
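The cleanup steps above amount to two host-side checks: a process using the `.javaxxx` name and a listener bound to all interfaces on a port in the 20,000 to 60,000 range. The following triage helper is an added example, not code from ESET's report or from the article; it assumes the output formats of `ps -eo pid,user,comm` and `ss -ltnH`, and it runs against constructed sample output so the logic can be exercised offline before it is pointed at a real device.

```shell
#!/bin/sh
# Added example: triage helper for the Rakos indicators described in the article.
# Both filters read command output from stdin so they can be tested on samples.

# Print PIDs whose command name is exactly ".javaxxx".
# Expected input: `ps -eo pid,user,comm` (header line is skipped).
find_rakos_procs() {
    awk 'NR > 1 && $3 == ".javaxxx" { print $1 }'
}

# Print ports of TCP listeners bound to all interfaces (0.0.0.0, * or [::])
# on a port between 20000 and 60000. Expected input: `ss -ltnH`,
# whose 4th column is Local Address:Port.
find_suspicious_listeners() {
    awk '{
        n = split($4, a, ":"); port = a[n] + 0
        wildcard = (a[1] == "0.0.0.0" || a[1] == "*" || $4 ~ /^\[::\]:/)
        if (wildcard && port >= 20000 && port <= 60000) print port
    }'
}

# Constructed sample output (not captured from a real infection).
SAMPLE_PS='PID USER COMM
1 root init
742 root sshd
1337 admin .javaxxx
2001 admin busybox'

SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:61209 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:43210 0.0.0.0:*
LISTEN 0 128 [::]:80 [::]:*'

# Live check: run on the device itself (as root). Hits are leads, not verdicts;
# as the article says, confirm the process owns the unwanted connections first.
triage_live() {
    echo "Processes named .javaxxx:"; ps -eo pid,user,comm | find_rakos_procs
    echo "Wildcard listeners on 20000-60000:"; ss -ltnH | find_suspicious_listeners
}

if [ "${1:-}" = "--live" ]; then
    triage_live
else
    echo "Sample PIDs:  $(printf '%s\n' "$SAMPLE_PS" | find_rakos_procs)"
    echo "Sample ports: $(printf '%s\n' "$SAMPLE_SS" | find_suspicious_listeners)"
fi
```

Run without arguments to see the filters applied to the samples; run with `--live` on a suspect host to apply them to real `ps` and `ss` output.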

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
