{ "Event": { "analysis": "2", "date": "2016-12-22", "extends_uuid": "", "info": "OSINT - New Linux/Rakos threat: devices and servers under SSH scan (again)", "publish_timestamp": "1482398955", "published": true, "threat_level_id": "3", "timestamp": "1482398934", "uuid": "585b9a80-9910-4d24-a695-4ac4950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#670080", "local": false, "name": "ms-caro-malware:malware-platform=\"Linux\"", "relationship_type": "" }, { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1482398391", "to_ids": false, "type": "link", "uuid": "585b9ab7-3758-4e28-8a36-420d950d210f", "value": "http://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1482398411", "to_ids": false, "type": "comment", "uuid": "585b9acb-d250-4b85-9788-454d950d210f", "value": "Apparently, frustrated users complain more often recently on various forums about their embedded devices being overloaded with computing and network tasks. What these particular posts have in common is the name of the process causing the problem. It is executed from a temporary directory and disguised as a part of the Java framework, namely \u201c.javaxxx\u201d. Additional names like \u201c.swap\u201d or \u201ckworker\u201d are also used. 
A few weeks ago, we discussed the recent Mirai incidents and Mirai-connected IoT security problems in The Hive Mind: When IoT devices go rogue and all that was written then still holds true.\r\nAttack vector\r\n\r\nThe attack is performed via brute force attempts at SSH logins, in a similar way to that in which many Linux worms operate, including Linux/Moose (which spread by attacking Telnet logins) \u2013 also referenced here \u2013 as analyzed by ESET since last year. The targets include both embedded devices and servers with an open SSH port and where a very weak password has been set. The obvious aim of this trojan is to assemble a list of unsecured devices and to have an opportunity to create a botnet consisting of as many zombies as possible. The scan starts with a not too extensive list of IPs and spreads incrementally to more targets. Only machines that represent low-hanging fruit from the security perspective are compromised. Note that victims reported cases when they had had a strong password but they forgot their device that had online service enabled and it was reverted to a default password after a factory reset. Just a couple of hours of online exposure was enough for such a reset machine to end up compromised!" 
}, { "category": "Payload delivery", "comment": "EM_X86_64 - 688", "deleted": false, "disable_correlation": false, "timestamp": "1482398536", "to_ids": true, "type": "sha1", "uuid": "585b9b48-e214-418d-a783-4282950d210f", "value": "f80836349d6e97251030190ecd30dda0047f1ee6" }, { "category": "Payload delivery", "comment": "EM_X86_64 - 694", "deleted": false, "disable_correlation": false, "timestamp": "1482398537", "to_ids": true, "type": "sha1", "uuid": "585b9b49-9dbc-48f4-805c-4440950d210f", "value": "def04ec688ac6b41580dd3a6e78445b56536ba34" }, { "category": "Payload delivery", "comment": "EM_X86_64 - 695", "deleted": false, "disable_correlation": false, "timestamp": "1482398537", "to_ids": true, "type": "sha1", "uuid": "585b9b49-1e04-4b8b-bf8d-4094950d210f", "value": "3435ca5505ce8dfe8e1b22e0ebd4f41c60050cc0" }, { "category": "Payload delivery", "comment": "EM_X86_64\t- 697", "deleted": false, "disable_correlation": false, "timestamp": "1482398538", "to_ids": true, "type": "sha1", "uuid": "585b9b4a-ac98-421e-9bad-4177950d210f", "value": "e53c73fe6a552eab720e7ee685ea4e159ebd4fdd" }, { "category": "Payload delivery", "comment": "EM_X86_64 - 698", "deleted": false, "disable_correlation": false, "timestamp": "1482398538", "to_ids": true, "type": "sha1", "uuid": "585b9b4a-1170-424a-a910-47e2950d210f", "value": "c93bddd9cdb4f2e185b54a4931257954e25e7c37" }, { "category": "Payload delivery", "comment": "EM_MIPS - ???", "deleted": false, "disable_correlation": false, "timestamp": "1482398539", "to_ids": true, "type": "sha1", "uuid": "585b9b4b-e118-4029-acad-457c950d210f", "value": "14af6254d9ca310b4d52778d050cb8dd7a5de1d8" }, { "category": "Payload delivery", "comment": "EM_386 - 700", "deleted": false, "disable_correlation": false, "timestamp": "1482398539", "to_ids": true, "type": "sha1", "uuid": "585b9b4b-f3e4-4409-9055-4e76950d210f", "value": "c54d50025d9f66ce2ace3361a8626aee468d94ba" }, { "category": "Payload delivery", "comment": "EM_386 - 706", "deleted": false, 
"disable_correlation": false, "timestamp": "1482398540", "to_ids": true, "type": "sha1", "uuid": "585b9b4c-50fc-4127-8fe1-4124950d210f", "value": "36b2fffe98f517355425797fc242f2cb82271c0c" }, { "category": "Payload delivery", "comment": "EM_386\t - 708", "deleted": false, "disable_correlation": false, "timestamp": "1482398541", "to_ids": true, "type": "sha1", "uuid": "585b9b4d-8288-425a-b8ee-4ca7950d210f", "value": "e46e8e5e823eb0466981afb7683fd918d6fe78a9" }, { "category": "Payload delivery", "comment": "EM_386\t - 711", "deleted": false, "disable_correlation": false, "timestamp": "1482398541", "to_ids": true, "type": "sha1", "uuid": "585b9b4d-db34-4230-90a2-4661950d210f", "value": "0492e5c07c1426af9ce73ad33e00a3fd8477c6c2" }, { "category": "Network activity", "comment": "C&C Servers", "deleted": false, "disable_correlation": false, "timestamp": "1482398559", "to_ids": true, "type": "ip-dst", "uuid": "585b9b5f-495c-448d-bf2f-453a950d210f", "value": "217.12.208.28" }, { "category": "Network activity", "comment": "C&C Servers", "deleted": false, "disable_correlation": false, "timestamp": "1482398559", "to_ids": true, "type": "ip-dst", "uuid": "585b9b5f-a210-4acc-afcb-4dc9950d210f", "value": "217.12.203.31" }, { "category": "Network activity", "comment": "C&C Servers", "deleted": false, "disable_correlation": false, "timestamp": "1482398560", "to_ids": true, "type": "ip-dst", "uuid": "585b9b60-ad74-4c0d-9e30-4464950d210f", "value": "193.169.245.68" }, { "category": "Network activity", "comment": "C&C Servers", "deleted": false, "disable_correlation": false, "timestamp": "1482398560", "to_ids": true, "type": "ip-dst", "uuid": "585b9b60-8f78-45ab-a703-42a7950d210f", "value": "46.8.44.55" }, { "category": "Network activity", "comment": "C&C Servers", "deleted": false, "disable_correlation": false, "timestamp": "1482398561", "to_ids": true, "type": "ip-dst", "uuid": "585b9b61-2478-4795-8f7f-4fd7950d210f", "value": "195.123.210.100" }, { "category": "Network activity", 
"comment": "C&C Servers", "deleted": false, "disable_correlation": false, "timestamp": "1482398561", "to_ids": true, "type": "ip-dst", "uuid": "585b9b62-9ef4-47e7-b2d5-42cc950d210f", "value": "5.34.183.231" }, { "category": "Network activity", "comment": "C&C Servers", "deleted": false, "disable_correlation": false, "timestamp": "1482398562", "to_ids": true, "type": "ip-dst", "uuid": "585b9b62-8c0c-435b-bbf7-4be8950d210f", "value": "5.34.180.64" }, { "category": "Network activity", "comment": "C&C Servers", "deleted": false, "disable_correlation": false, "timestamp": "1482398563", "to_ids": true, "type": "ip-dst", "uuid": "585b9b63-a688-4ec8-af50-4fe8950d210f", "value": "185.82.216.125" }, { "category": "Network activity", "comment": "C&C Servers", "deleted": false, "disable_correlation": false, "timestamp": "1482398563", "to_ids": true, "type": "ip-dst", "uuid": "585b9b63-0f50-43f1-b3e2-4e46950d210f", "value": "185.14.30.78" }, { "category": "Network activity", "comment": "C&C Servers", "deleted": false, "disable_correlation": false, "timestamp": "1482398564", "to_ids": true, "type": "ip-dst", "uuid": "585b9b64-2a68-480f-b9e2-4241950d210f", "value": "185.14.29.65" }, { "category": "Network activity", "comment": "C&C Servers", "deleted": false, "disable_correlation": false, "timestamp": "1482398564", "to_ids": true, "type": "ip-dst", "uuid": "585b9b64-a638-4fe0-b8ea-4b4d950d210f", "value": "185.20.184.117" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1482398647", "to_ids": false, "type": "link", "uuid": "585b9bb7-0e94-45e9-bc34-41d4950d210f", "value": "https://github.com/eset/malware-ioc/tree/master/rakos" }, { "category": "Payload delivery", "comment": "EM_386\t - 711 - Xchecked via VT: 0492e5c07c1426af9ce73ad33e00a3fd8477c6c2", "deleted": false, "disable_correlation": false, "timestamp": "1482398775", "to_ids": true, "type": "sha256", "uuid": "585b9c37-6438-41d6-949a-47cd02de0b81", "value": 
"62f875a31c5f8541a68176d03c3b9d6d0ee6fa90cf54307d7d07aed5fc573797" }, { "category": "Payload delivery", "comment": "EM_386\t - 711 - Xchecked via VT: 0492e5c07c1426af9ce73ad33e00a3fd8477c6c2", "deleted": false, "disable_correlation": false, "timestamp": "1482398776", "to_ids": true, "type": "md5", "uuid": "585b9c38-6028-4ccd-b272-463302de0b81", "value": "7b88cf30540ab8df0ded406097c51b46" }, { "category": "External analysis", "comment": "EM_386\t - 711 - Xchecked via VT: 0492e5c07c1426af9ce73ad33e00a3fd8477c6c2", "deleted": false, "disable_correlation": false, "timestamp": "1482398776", "to_ids": false, "type": "link", "uuid": "585b9c38-f430-495f-9bdf-4cb802de0b81", "value": "https://www.virustotal.com/file/62f875a31c5f8541a68176d03c3b9d6d0ee6fa90cf54307d7d07aed5fc573797/analysis/1481878860/" }, { "category": "Payload delivery", "comment": "EM_386\t - 708 - Xchecked via VT: e46e8e5e823eb0466981afb7683fd918d6fe78a9", "deleted": false, "disable_correlation": false, "timestamp": "1482398777", "to_ids": true, "type": "sha256", "uuid": "585b9c39-5eac-4ab3-8d4d-46aa02de0b81", "value": "90cd3e16d6d0069e758bb7c1ec929354be24f52857bd77fdd246e20e4aaca75d" }, { "category": "Payload delivery", "comment": "EM_386\t - 708 - Xchecked via VT: e46e8e5e823eb0466981afb7683fd918d6fe78a9", "deleted": false, "disable_correlation": false, "timestamp": "1482398778", "to_ids": true, "type": "md5", "uuid": "585b9c3a-7244-475b-ab43-4a9302de0b81", "value": "ca21c63269febcfe73fec9e1041ed903" }, { "category": "External analysis", "comment": "EM_386\t - 708 - Xchecked via VT: e46e8e5e823eb0466981afb7683fd918d6fe78a9", "deleted": false, "disable_correlation": false, "timestamp": "1482398779", "to_ids": false, "type": "link", "uuid": "585b9c3b-0fbc-42f5-93d8-43c902de0b81", "value": "https://www.virustotal.com/file/90cd3e16d6d0069e758bb7c1ec929354be24f52857bd77fdd246e20e4aaca75d/analysis/1481878661/" }, { "category": "Payload delivery", "comment": "EM_386 - 706 - Xchecked via VT: 
36b2fffe98f517355425797fc242f2cb82271c0c", "deleted": false, "disable_correlation": false, "timestamp": "1482398780", "to_ids": true, "type": "sha256", "uuid": "585b9c3c-1334-426d-86a9-4aca02de0b81", "value": "2a77e8d43b347c4ccf80271493eedf7b7b7f45d1e30e818e321657cf9a14f1d9" }, { "category": "Payload delivery", "comment": "EM_386 - 706 - Xchecked via VT: 36b2fffe98f517355425797fc242f2cb82271c0c", "deleted": false, "disable_correlation": false, "timestamp": "1482398780", "to_ids": true, "type": "md5", "uuid": "585b9c3c-33b4-45ad-baee-4b5f02de0b81", "value": "96c5ec03c20491389a240ead5cbd72fe" }, { "category": "External analysis", "comment": "EM_386 - 706 - Xchecked via VT: 36b2fffe98f517355425797fc242f2cb82271c0c", "deleted": false, "disable_correlation": false, "timestamp": "1482398781", "to_ids": false, "type": "link", "uuid": "585b9c3d-a0d0-4704-9c9b-46d902de0b81", "value": "https://www.virustotal.com/file/2a77e8d43b347c4ccf80271493eedf7b7b7f45d1e30e818e321657cf9a14f1d9/analysis/1482355624/" }, { "category": "Payload delivery", "comment": "EM_386 - 700 - Xchecked via VT: c54d50025d9f66ce2ace3361a8626aee468d94ba", "deleted": false, "disable_correlation": false, "timestamp": "1482398782", "to_ids": true, "type": "sha256", "uuid": "585b9c3e-5974-4d0d-89eb-4bb802de0b81", "value": "efedce38a1908a27115e05b3e62fab52f68fae2db5ae1c50c455f007f964c6d2" }, { "category": "Payload delivery", "comment": "EM_386 - 700 - Xchecked via VT: c54d50025d9f66ce2ace3361a8626aee468d94ba", "deleted": false, "disable_correlation": false, "timestamp": "1482398782", "to_ids": true, "type": "md5", "uuid": "585b9c3e-c5c0-404a-9afb-41c602de0b81", "value": "ce12f465f353bb1b64f790a5e4cd45af" }, { "category": "External analysis", "comment": "EM_386 - 700 - Xchecked via VT: c54d50025d9f66ce2ace3361a8626aee468d94ba", "deleted": false, "disable_correlation": false, "timestamp": "1482398783", "to_ids": false, "type": "link", "uuid": "585b9c3f-5838-4479-af90-4fdf02de0b81", "value": 
"https://www.virustotal.com/file/efedce38a1908a27115e05b3e62fab52f68fae2db5ae1c50c455f007f964c6d2/analysis/1482355624/" }, { "category": "Payload delivery", "comment": "EM_MIPS - ??? - Xchecked via VT: 14af6254d9ca310b4d52778d050cb8dd7a5de1d8", "deleted": false, "disable_correlation": false, "timestamp": "1482398784", "to_ids": true, "type": "sha256", "uuid": "585b9c40-a4c4-45ee-a6ee-4d2d02de0b81", "value": "a7ce7dc40bb8abf835efae5ebacc82cb8af2cc57b5021f0d28dc14924022c85d" }, { "category": "Payload delivery", "comment": "EM_MIPS - ??? - Xchecked via VT: 14af6254d9ca310b4d52778d050cb8dd7a5de1d8", "deleted": false, "disable_correlation": false, "timestamp": "1482398785", "to_ids": true, "type": "md5", "uuid": "585b9c41-9ce4-4657-8bf7-4add02de0b81", "value": "9a0ea27a15899e47bfe6fcc7c9df36c6" }, { "category": "External analysis", "comment": "EM_MIPS - ??? - Xchecked via VT: 14af6254d9ca310b4d52778d050cb8dd7a5de1d8", "deleted": false, "disable_correlation": false, "timestamp": "1482398785", "to_ids": false, "type": "link", "uuid": "585b9c41-1c94-44e6-93f6-440b02de0b81", "value": "https://www.virustotal.com/file/a7ce7dc40bb8abf835efae5ebacc82cb8af2cc57b5021f0d28dc14924022c85d/analysis/1482355624/" }, { "category": "Payload delivery", "comment": "EM_X86_64 - 698 - Xchecked via VT: c93bddd9cdb4f2e185b54a4931257954e25e7c37", "deleted": false, "disable_correlation": false, "timestamp": "1482398786", "to_ids": true, "type": "sha256", "uuid": "585b9c42-30e0-4919-b4cc-4bd902de0b81", "value": "d59ffe12b75f596a4a30074690f96497800a6ed97be8248c573e4048adac7e05" }, { "category": "Payload delivery", "comment": "EM_X86_64 - 698 - Xchecked via VT: c93bddd9cdb4f2e185b54a4931257954e25e7c37", "deleted": false, "disable_correlation": false, "timestamp": "1482398787", "to_ids": true, "type": "md5", "uuid": "585b9c43-b8f0-4bd5-9366-4f9502de0b81", "value": "eedab74ca1303647ade4fb0b0b588a36" }, { "category": "External analysis", "comment": "EM_X86_64 - 698 - Xchecked via VT: 
c93bddd9cdb4f2e185b54a4931257954e25e7c37", "deleted": false, "disable_correlation": false, "timestamp": "1482398788", "to_ids": false, "type": "link", "uuid": "585b9c44-fad4-4ea6-a16a-4b6c02de0b81", "value": "https://www.virustotal.com/file/d59ffe12b75f596a4a30074690f96497800a6ed97be8248c573e4048adac7e05/analysis/1482355623/" }, { "category": "Payload delivery", "comment": "EM_X86_64\t- 697 - Xchecked via VT: e53c73fe6a552eab720e7ee685ea4e159ebd4fdd", "deleted": false, "disable_correlation": false, "timestamp": "1482398788", "to_ids": true, "type": "sha256", "uuid": "585b9c44-f7d0-4d5d-bb8b-417f02de0b81", "value": "3fe9e1e0a2e626ef10cc443ec1725a8c17cbfa323864e0eb9359399177998470" }, { "category": "Payload delivery", "comment": "EM_X86_64\t- 697 - Xchecked via VT: e53c73fe6a552eab720e7ee685ea4e159ebd4fdd", "deleted": false, "disable_correlation": false, "timestamp": "1482398789", "to_ids": true, "type": "md5", "uuid": "585b9c45-e288-4c14-9377-4e3b02de0b81", "value": "19705141888917dddda4cac32ec8b6fc" }, { "category": "External analysis", "comment": "EM_X86_64\t- 697 - Xchecked via VT: e53c73fe6a552eab720e7ee685ea4e159ebd4fdd", "deleted": false, "disable_correlation": false, "timestamp": "1482398790", "to_ids": false, "type": "link", "uuid": "585b9c46-725c-4e0a-8f2a-41d802de0b81", "value": "https://www.virustotal.com/file/3fe9e1e0a2e626ef10cc443ec1725a8c17cbfa323864e0eb9359399177998470/analysis/1482355623/" }, { "category": "Payload delivery", "comment": "EM_X86_64 - 695 - Xchecked via VT: 3435ca5505ce8dfe8e1b22e0ebd4f41c60050cc0", "deleted": false, "disable_correlation": false, "timestamp": "1482398790", "to_ids": true, "type": "sha256", "uuid": "585b9c46-39d0-42e2-a244-41f802de0b81", "value": "d731ccb407a924ca56fa9b3690e0b7debd1cce61c6de8ec63ede3a992c8af33e" }, { "category": "Payload delivery", "comment": "EM_X86_64 - 695 - Xchecked via VT: 3435ca5505ce8dfe8e1b22e0ebd4f41c60050cc0", "deleted": false, "disable_correlation": false, "timestamp": "1482398791", 
"to_ids": true, "type": "md5", "uuid": "585b9c47-89cc-4c82-8a7e-440802de0b81", "value": "1c672ba32e481faeccade0ad43ea5a08" }, { "category": "External analysis", "comment": "EM_X86_64 - 695 - Xchecked via VT: 3435ca5505ce8dfe8e1b22e0ebd4f41c60050cc0", "deleted": false, "disable_correlation": false, "timestamp": "1482398791", "to_ids": false, "type": "link", "uuid": "585b9c47-9508-4c02-b9dd-494402de0b81", "value": "https://www.virustotal.com/file/d731ccb407a924ca56fa9b3690e0b7debd1cce61c6de8ec63ede3a992c8af33e/analysis/1482355623/" }, { "category": "Payload delivery", "comment": "EM_X86_64 - 694 - Xchecked via VT: def04ec688ac6b41580dd3a6e78445b56536ba34", "deleted": false, "disable_correlation": false, "timestamp": "1482398792", "to_ids": true, "type": "sha256", "uuid": "585b9c48-d588-436a-b429-45e802de0b81", "value": "83160da5a4cb335ea2a9a72bc96c833cd7eab9df96a61c1d6f01e13668046b25" }, { "category": "Payload delivery", "comment": "EM_X86_64 - 694 - Xchecked via VT: def04ec688ac6b41580dd3a6e78445b56536ba34", "deleted": false, "disable_correlation": false, "timestamp": "1482398793", "to_ids": true, "type": "md5", "uuid": "585b9c49-9cf0-478b-96a0-4bbb02de0b81", "value": "4416e7bfbfa7318f10c8c08cff3fce5d" }, { "category": "External analysis", "comment": "EM_X86_64 - 694 - Xchecked via VT: def04ec688ac6b41580dd3a6e78445b56536ba34", "deleted": false, "disable_correlation": false, "timestamp": "1482398793", "to_ids": false, "type": "link", "uuid": "585b9c49-f154-4061-9dd2-418a02de0b81", "value": "https://www.virustotal.com/file/83160da5a4cb335ea2a9a72bc96c833cd7eab9df96a61c1d6f01e13668046b25/analysis/1482355623/" }, { "category": "Payload delivery", "comment": "EM_X86_64 - 688 - Xchecked via VT: f80836349d6e97251030190ecd30dda0047f1ee6", "deleted": false, "disable_correlation": false, "timestamp": "1482398794", "to_ids": true, "type": "sha256", "uuid": "585b9c4a-c2c4-4696-9479-47cf02de0b81", "value": "ce4bb2ce2bf66ab721b808acf9d74a7a8afddd03cbaa6aa56c7788ff7b7251bb" }, { 
"category": "Payload delivery", "comment": "EM_X86_64 - 688 - Xchecked via VT: f80836349d6e97251030190ecd30dda0047f1ee6", "deleted": false, "disable_correlation": false, "timestamp": "1482398794", "to_ids": true, "type": "md5", "uuid": "585b9c4a-ba88-4e51-9f22-4bab02de0b81", "value": "841eac692e4c5fb09f18c229c59a3fcb" }, { "category": "External analysis", "comment": "EM_X86_64 - 688 - Xchecked via VT: f80836349d6e97251030190ecd30dda0047f1ee6", "deleted": false, "disable_correlation": false, "timestamp": "1482398795", "to_ids": false, "type": "link", "uuid": "585b9c4b-5124-4940-b839-484202de0b81", "value": "https://www.virustotal.com/file/ce4bb2ce2bf66ab721b808acf9d74a7a8afddd03cbaa6aa56c7788ff7b7251bb/analysis/1482247676/" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1482398934", "to_ids": true, "type": "yara", "uuid": "585b9cd6-d508-4a59-bc68-4d69950d210f", "value": "rule linux_rakos\r\n{\r\n meta:\r\n description = \"Linux/Rakos.A executable\"\r\n author = \"Peter K\u00e1lnai\"\r\n date = \"2016-12-13\"\r\n reference = \"http://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/\"\r\n version = \"1\"\r\n contact = \"threatintel@eset.com\"\r\n license = \"BSD 2-Clause\"\r\n\r\n\r\n strings:\r\n $ = \"upgrade/vars.yaml\"\r\n $ = \"MUTTER\"\r\n $ = \"/tmp/.javaxxx\"\r\n $ = \"uckmydi\"\r\n\r\n condition:\r\n 3 of them\r\n}" } ] } }