Security researchers from Anomali Labs have discovered a new malware dubbed “Linux Rabbit” that has targeted Linux servers and Internet-of-Things (IoT) devices in Russia, South Korea, the UK, and the US.
The cyber campaign was first spotted in August 2018 and continued through October 2018. According to Anomali Labs, the campaign uses two strains of malware that share the same code base called Linux Rabbit and “Rabbot”.
The objective of the Linux Rabbit and Rabbot campaign is to install cryptocurrency miners, such as “CNRig” and “CoinHive” Monero, on target devices.
According to the report, Linux Rabbit malware uses Tor gateway to establish a connection to the Command and Control (C2) server.
“The malware will randomly select one of the hidden services and then a Tor gateway to follow in order to establish an active C2 URL. The payload for the malware is then sent from the C2 server as an encoded URL parameter,” the report noted.
The malware also establishes persistence on victim’s system via “rc.local” files and “.bashrc” files. Once persistence is established, Linux Rabbit attempts to brute force SSH passwords and then install the cryptocurrency miner onto the system.
An excerpt of the SSH brute force attack threat from the Anomali report:
“The SSH brute forcing begins by the malware first generating a random IPv4 string and checking its geolocation to see where it is located. If the IP is located within a country that is ‘blacklisted,’ it will stop and move on until it finds an IP that is located in an allowed geolocation, which for this malware are Russia, South Korea, the UK, and the US. Once an allowed IP location is discovered, Linux Rabbit will check to see if an SSH server is listening on Port 22. The malware will open a socket to see if it receives a response, and if it does, it will attempt to obtain the machine’s hostname. Interestingly, this malware will also check the Top-Level Domain (TLD) of a host, and will skip any TLD that is blacklisted. Many of the blacklisted TLDs are government-related sites in a variety of countries. If the TLD is not blacklisted, the malware will run through a process of authentication utilizing a list of hard-coded credentials it has. The first two authentication certifications are to ensure that the malware is not in a ‘honey pot’. This is likely to avoid static analysis of the malware.”
The report concludes that a new campaign followed from September through October this year that uses a different malware strain to infect systems. The new campaign uses “Rabbot,” a self-propagating worm that shares the same code base with Linux Rabbit.
Rabbot can also infect IoT devices, in addition to Linux systems, by exploiting known vulnerabilities.
Some of the vulnerabilities Rabbot is known to exploit include: CVE-2018-1149, CVE-2018-9866, CVE-2017-6884, CVE-2016-0792 and CVE-2015-2051.