Linux Rabbit/Rabbot malware found targeting Linux servers to install Monero miner

• The malware attacked Linux servers in Russia, South Korea, UK, and the US in the first campaign and globally in the second campaign.
• IoT devices were also targeted in the second campaign, leveraging unknown vulnerabilities.

The Linux operating system remains aloof from most malware attacks, as most attackers often target Windows systems. However, there are threats discovered from time to time that affect Linux devices as well.

Threat researchers at Anomali Labs have discovered a new malware, dubbed “Linux Rabbit” which targets Linux servers and IoT devices. The attack campaign began in August 2018 and lasted till October 2018, targeting devices in Russia, South Korea, the UK, and the US, according to the researchers.

Modus Operandi

The malware, in this case, aimed to install different Monero mining malware variants, depending on the targeted device’s architecture. Two strains of malware, named Linux Rabbit and “Rabbot”, were used in this campaign which had the same code base. Only devices in specific countries were targeted in this campaign.

The researchers at Anomali Labs listed four key functionalities of this malware:

• The ability to establish a connection with the C2 using Tor gateways.
• The ability to gain persistence over the targeted device.
• The ability to perform an SSH brute force attack to gain access to the server.
• The ability to install the appropriate version of the cryptocurrency miner on the server.

Not one but two campaigns

The researchers discovered that the attackers began the first Linux Rabbit campaign in August 2018, using a different strain of malware from the one that was used in the campaign that lasted between September 2018 to October 2018. The attackers built a self-propagating worm, dubbed Rabbot from the same code base as Linux Rabbit, which was then used for the second campaign.

There are several key differences between Linux Rabbit and Rabbot:

• Rabbot is capable of targeting IoT devices as well as Linux servers.
• Rabbot was designed to install CoinHive miners into the web pages on an infected web server, by injecting malicious JavsScript code into the server.
• Rabbot is not geographically restricted, unlike Linux Rabbit which was designed to only operate in specific countries.

The researchers provided a list of the known vulnerabilities exploited by Rabbot malware which could be helpful for developers to write patches, so as to defend against this malware strain. With the increasing number of malware discoveries for the Linux operating system in recent times, it calls for more attention from the threat research community in order to keep the reliability of Linux systems intact.