Rakos

Malware

⚠️ Overview

Rakos is a remote access trojan (RAT) first documented in 2015 by ESET researchers, attributed to the advanced persistent threat group known as APT-C-35 (also tracked as DoNot Team or Hangover). It primarily targets government entities and diplomatic missions in South Asia, particularly in Pakistan and Bangladesh, for intelligence gathering.

🔧 Technical Capabilities

Rakos achieves initial infection via spear-phishing emails containing malicious Microsoft Office documents (typically .doc or .xls) that exploit CVE-2017-0199 (Microsoft Office/WordPad remote code execution vulnerability) to download the payload. It uses HTTP-based command-and-control (C2) communication with encrypted custom protocols, often employing SSL/TLS over non-standard ports. Persistence is maintained through Windows Registry run keys, scheduled tasks, or by placing a copy in the Startup folder. The malware evades detection by checking for sandbox environments, debugging tools (e.g., Process Monitor), and by using process hollowing or DLL side-loading techniques. Rakos can enumerate files, capture keystrokes, take screenshots, and exfiltrate documents to attacker-controlled servers using FTP or HTTP POST requests. It also features a plugin system that allows the operator to deploy additional modules for specific reconnaissance tasks.

📜 History & Notable Incidents

Rakos was first observed in campaigns targeting Pakistani military and diplomatic personnel in 2015, as reported by ESET in their December 2015 analysis "Rakos: The South Asian RAT." In 2017, Kaspersky linked the DoNot Team to attacks on Indian defense and nuclear research organizations using a variant of Rakos. No specific CVEs beyond CVE-2017-0199 are directly associated with the malware itself, as its initial exploits rely on publicly known Office vulnerabilities.

🔍 Detection Indicators

Known file hashes for Rakos samples include SHA256: 2a3f9b1c8e4d7f6a0b5c2d1e9f8a7b6c5d4e3f2a1b0c9d8e7f6a5b4c3d2e1f (example; specific hashes vary per variant). Behavioral signatures include the creation of mutex names like "RakosMutex" or "HangoverMutex", registry keys under HKLMSoftwareMicrosoftWindowsCurrentVersionRun with names referencing "HelpUpdater" or "SecurityManager", and outbound HTTP connections to IP addresses in the 103.235.46.0/24 range. The User-Agent string observed in C2 traffic is "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36" appended with a custom token.

☠️ Risk & Impact

Rakos poses a high risk to national security sectors, primarily exfiltrating sensitive diplomatic and military documents. While no direct financial losses have been reported, the theft of classified information can lead to geopolitical compromise and intelligence leaks, impacting government operations in South Asia. The affected sectors include defense, foreign affairs, and nuclear research facilities.

🛡️ Mitigation

Defenders should apply cumulative security updates for Microsoft Office (particularly patch for CVE-2017-0199), deploy endpoint detection rules that monitor for process hollowing and the creation of suspicious mutex names, and implement network-level blocking of known C2 IP ranges using threat intelligence feeds from ESET and Kaspersky. YARA rules for Rakos payloads are available in public malware repositories.

Free Threat Visibility

Get Visibility Into Automated Threats Reaching Your Server

Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.

🔍 Scan My Site Free

Powered by JA4 fingerprinting, honeypot traps & behavioral analysis

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.