Cyber security researchers have just discovered a new malware, called “Linux Rabbit,” that targeted Linux servers and Internet-of-Things (IoT) devices in a campaign that began in August 2018 and continued until October 2018.
The campaign targeted devices in Russia, South Korea, the UK, and the US. The campaign utilizes two strains of malware that share the same code base called Linux Rabbit and “Rabbot”. The goal of this campaign is to install cryptocurrency miners onto the targeted servers and devices. The type of Monero cryptominer installed is dependent upon what the machine’s architecture is.
This campaign was conducted by unknown threat actors and it is currently unclear what the initial infection vector is. The first campaign began in August 2018 and was utilizing the Linux Rabbit malware to infect Linux systems. The Linux Rabbit malware only targeted Linux servers that were located in specific countries: Russia, South Korea, the UK, and the US. This malware has four main functionalities which are:
- Establish a connection to the Command and Control (C2) server using Tor gateways
- Setup persistence
- SSH brute force
- Installation of the cryptocurrency miner
For Linux Rabbit to establish a connection with the C2 server, it utilizes Tor hidden services to act as contact points to access a Tor gateway. The malware will randomly select one of the hidden services and then a Tor gateway to follow in order to establish an active C2 URL. The payload for the malware is then sent from the C2 server as an encoded URL parameter.
The malware’s second functionality is to gain persistence on an infected machine. This is completed through “rc.local” files and “.bashrc” files. After obtaining persistence, the next functionality of Linux Rabbit is to brute force SSH passwords which ultimately allows the malware to install the cryptocurrency miner onto the server.
Following the Linux Rabbit campaign that occurred in August 2018, a new campaign followed it from September 2018 until October 2018 that utilized a different malware strain to infect machines. This new campaign used a self-propagating worm called “Rabbot” that shared the same code base with Linux Rabbit. However, Rabbot is not limited to infecting just Linux servers like Linux Rabbit because it can also target and infect Internet-of-Things (IoT) devices via known vulnerabilities.
Both malware strains share the same code base which means they function almost exactly the same, except Rabbot will send all its payloads through an open port 80 to the Linux (web) servers, not checking to ensure that the process is successful. Since the malware will install different payloads depending on the architecture of the machine, it, in theory, does not need to check what was successfully installed or not, since one of the two cryptominers is guaranteed to run. Rabbot will also install CoinHive miners into various web pages via the infected web server by searching for “.HTML” files and inserting JavaScript files into the browser.