Rakos: malware that targets IoT devices and servers over SSH

Security researchers at ESET have uncovered a new malware family that targets IoT devices and servers running Linux. The Rakos malware runs a brute-force attack against SSH to guess passwords, then uses the recovered credentials to spread across the network and infect more devices.

Activity from this malware was first observed in August 2016. The malware is very stealthy; on an infected system it creates temporary folders named .javaxxx, .swap and kworker.

The malware connects to its C&C server to fetch a configuration file and the username/password list to try during the brute-force attack, along with the subnets it should scan for active hosts.
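As an added defender-side example (not code from ESET's report or from this article), the following Python flags the kind of SSH password-guessing burst described above by reading sshd auth-log lines; the log lines are constructed, and the failure threshold and time window are assumed values:

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd auth-log sample (not from the page): 192.0.2.10 behaves like a
# Rakos-style password guesser (a burst of failures, then a success); 198.51.100.7 is benign.
SAMPLE_AUTH_LOG = """\
Dec 20 10:00:01 host sshd[1201]: Failed password for root from 192.0.2.10 port 51234 ssh2
Dec 20 10:00:02 host sshd[1202]: Failed password for admin from 192.0.2.10 port 51235 ssh2
Dec 20 10:00:03 host sshd[1203]: Failed password for invalid user pi from 192.0.2.10 port 51236 ssh2
Dec 20 10:00:04 host sshd[1204]: Failed password for invalid user ubnt from 192.0.2.10 port 51237 ssh2
Dec 20 10:00:05 host sshd[1205]: Failed password for root from 192.0.2.10 port 51238 ssh2
Dec 20 10:00:06 host sshd[1206]: Accepted password for root from 192.0.2.10 port 51239 ssh2
Dec 20 10:00:07 host sshd[1207]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Dec 20 10:00:30 host sshd[1208]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"(?:password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_sshd(log_text):
    """Return (timestamp, result, user, ip) tuples for every sshd auth line that matches."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog timestamps carry no year; only relative spacing is used below
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            events.append((ts, m.group("result"), m.group("user"), m.group("ip")))
    return events

def find_bruteforce(events, threshold=5, window_seconds=60):
    """Flag source IPs with at least `threshold` failed logins inside `window_seconds`,
    recording the usernames tried and whether a login from that IP later succeeded."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, result, user, ip in events:
        (failures if result == "Failed" else successes)[ip].append((ts, user))
    findings = {}
    for ip, attempts in failures.items():
        attempts.sort()
        for i in range(len(attempts) - threshold + 1):  # sliding window over sorted failures
            if (attempts[i + threshold - 1][0] - attempts[i][0]).total_seconds() <= window_seconds:
                first = attempts[i][0]
                findings[ip] = {"failures": len(attempts),
                                "usernames": sorted({u for _, u in attempts}),
                                "success_after": any(t >= first for t, _ in successes[ip])}
                break
    return findings
```

A flagged source whose `success_after` is true is the case worth acting on first, since a guessed password is exactly how this worm moves to the next host.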

Rakos debugging logs (source: ESET)

Rakos can be used as a backdoor to harvest sensitive information such as login credentials, and a previous version was used to attack SMTP servers in order to send spam and phishing emails. At the time of this release, ESET had not found any indication of spamming activity or SMTP targets in the bot's settings.

The malware was mostly used against SSH, brute-forcing passwords on local networks.