Rakos Malware Takes Over Embedded Linux Devices

A recently observed piece of malware targeting embedded Linux systems can provide attackers with full control over the infected devices, ESET security researchers warn.

Dubbed Rakos, the newly discovered malware is attacking vulnerable devices via brute force SSH login attempts, a method already observed in various other Linux threats. The new malicious program is looking to infect both embedded devices and servers that have an open SSH port by preying on their weak credentials, with the purpose of building a large botnet.

The attack method is similar to that observed with Mirai, the Internet of Things botnet that became famous recently after infecting devices in 164 countries: the Trojan searches for poorly-secured devices, infects them, then uses them to spread further. According to ESET, the new threat starts the scan from a small list of IPs, but then incrementally expands the search to more targets.
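Because Rakos spreads by guessing SSH passwords, the earliest sign of it on the defender's side is a burst of failed password logins from one source. The following shell snippet is an added example, not code from the article or from ESET: it reads sshd log lines (the sample below is constructed, not a real capture) and lists sources that failed password authentication at least a given number of times. The threshold of 3 and the log format are assumptions.

```shell
#!/bin/sh
# Added example: count failed SSH password attempts per source address from
# sshd log lines on stdin and flag sources above a threshold.
# Constructed sample sshd log lines in syslog layout, not real data.
SAMPLE_AUTH_LOG='Dec 20 10:01:02 gw sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Dec 20 10:01:03 gw sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Dec 20 10:01:05 gw sshd[1203]: Failed password for root from 203.0.113.7 port 51251 ssh2
Dec 20 10:01:06 gw sshd[1204]: Failed password for pi from 203.0.113.7 port 51260 ssh2
Dec 20 10:01:09 gw sshd[1205]: Accepted publickey for ops from 198.51.100.20 port 40000 ssh2
Dec 20 10:02:11 gw sshd[1206]: Failed password for root from 198.51.100.44 port 33012 ssh2'

# Print "count ip" for every source with at least $1 failed password
# logins (default 3), most active source first. Reads log lines on stdin.
ssh_bruteforce_sources() {
    threshold="${1:-3}"
    awk -v t="$threshold" '
        /sshd\[[0-9]+\]: Failed password for / {
            # the source address is the field after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END {
            for (ip in fails) if (fails[ip] >= t) printf "%d %s\n", fails[ip], ip
        }
    ' | sort -rn
}

# Run on the constructed sample; on a live host use:
#   ssh_bruteforce_sources 3 < /var/log/auth.log
printf '%s\n' "$SAMPLE_AUTH_LOG" | ssh_bruteforce_sources 3
```

Only "Failed password" lines are counted, so key-based logins and successful logins do not contribute; the "invalid user" variant is matched as well, since Rakos-style guessing tries usernames that do not exist on the device.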

Rakos is written in the Go language and has a binary compressed with the standard UPX tool. 

The Trojan was observed loading its configuration via standard input (stdin) in YAML format. This configuration file includes various information, including a list of command and control (C&C) servers, the credentials that are used to brute-force devices, and internal parameters.

Next, the malware starts a local HTTP server, which allows future versions to kill running instances regardless of their name and which also attempts to parse a URL query for various parameters. Additionally, the malware creates a web server listening on all interfaces, on a randomly chosen TCP port in the 20,000 to 60,000 range.

When a remote request is sent to the device via this port, a response containing the IP address is received, researchers say. The malware also sends an initial HTTP request containing important information about the victim device to the C&C server.

Interestingly, the researchers noticed that a previous version of the Trojan also scanned for the SMTP service, but that the feature was disabled in the current build, most likely because it is still under development.

While analyzing the backdoor’s capabilities, the security researchers discovered that it is also capable of updating the configuration file from a specific C&C location, as well as upgrading itself. Moreover, because it sends information such as the device’s IP address, username, and password, it basically provides the attacker with complete control over the infected device.

The botnet has not yet been observed performing distributed denial of service (DDoS) attacks or spreading spam, but researchers believe it might receive such functionality, given the level of control over infected devices it provides to the attackers.

“Together with the foul language used in the code, we think it is unlikely that this is just an invasive but innocent experiment or an unfortunate exercise in academic research,” ESET researchers say.

The Trojan doesn’t feature persistence capabilities, but rebooted devices can be compromised repeatedly. To clean compromised devices, users should connect to them using SSH/Telnet, look for a process named .javaxxx, verify that it is responsible for unwanted connections, and then kill it. Next, victims should secure the SSH credentials to avoid future compromise.
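The cleanup steps above (find the .javaxxx process, confirm it owns the unwanted listener, kill it) can be scripted on the device itself. The following is an added example, not the article's or ESET's code: it parses `ss -tlnp` output (the sample below is constructed to match that layout, not captured from a real device) and reports processes named .javaxxx listening on a TCP port in the 20,000 to 60,000 range the article describes. The `dry` argument and the helper names are my own choices.

```shell
#!/bin/sh
# Added example: flag listening TCP sockets owned by a process named
# ".javaxxx" on a port between 20000 and 60000, from `ss -tlnp` output
# read on stdin. Prints "pid port" for each match.
# Constructed sample in the layout of `ss -tlnp` output, not a real capture.
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     127.0.0.1:8080      0.0.0.0:*          users:(("nginx",pid=901,fd=6))
LISTEN  0       4096    *:41337             *:*                users:((".javaxxx",pid=2741,fd=5))
LISTEN  0       4096    0.0.0.0:25000       0.0.0.0:*          users:(("python3",pid=3002,fd=4))'

rakos_listeners() {
    awk '
        # only LISTEN rows whose process column names ".javaxxx"
        $1 == "LISTEN" && index($NF, "(\".javaxxx\",pid=") > 0 {
            # local address is field 4; the port is the last ":"-separated part
            # (works for 0.0.0.0:PORT, *:PORT and [::]:PORT alike)
            n = split($4, a, ":"); port = a[n] + 0
            if (port >= 20000 && port <= 60000) {
                match($NF, /pid=[0-9]+/)
                pid = substr($NF, RSTART + 4, RLENGTH - 4)
                printf "%s %d\n", pid, port
            }
        }
    '
}

# Lists matching processes; kills them unless the first argument is "dry".
# Usage on a live device over SSH:  rakos_cleanup dry   (then: rakos_cleanup)
rakos_cleanup() {
    ss -tlnp | rakos_listeners | while read -r pid port; do
        echo "process $pid listening on tcp/$port matches the .javaxxx indicator"
        [ "$1" = "dry" ] || kill "$pid"
    done
}

# Demonstration on the constructed sample (no processes are touched):
printf '%s\n' "$SAMPLE_SS" | rakos_listeners
```

Because the article notes the Trojan has no persistence, killing the process removes it until the next successful brute-force login; changing the SSH credentials, or moving to key-based authentication, is the step that keeps it from coming back.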

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
