Delaware, USA – December 11, 2018 – Cybersecurity experts from Anomali Labs have spotted a new malware strain dubbed Rabbot targeting Linux servers and IoT devices. The first campaign started in August 2018, when adversaries attacked Linux servers located in the US, South Korea, Russia and the United Kingdom with the Linux Rabbit malware. The malware establishes a connection with its command and control server over Tor hidden services and receives the payload as an encoded URL parameter. It then gains persistence on the infected Linux server through the “.bashrc” and “rc.local” files. After that, Linux Rabbit brute-forces SSH passwords to install the CNRig and CoinHive Monero miners onto the machine. When it infects a web server, the malware also injects the CoinHive script into every HTML file, infecting website visitors with the cryptocurrency miner. Linux Rabbit receives updates from GitHub and can detect other cryptocurrency miners on an infected system and delete them.
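Two of the host-side artefacts described above, the injected CoinHive script in HTML files and the lines appended to the “.bashrc” and “rc.local” persistence files, can be checked for with a short script. The following is an added example written for this page, not code from Anomali Labs or from the malware itself; the HTML, the persistence-file contents, the miner domain (`coinhive.example`) and the pool address are all constructed, and the indicator list is an assumption that a real deployment would extend.

```python
"""Added example (not from Anomali Labs or the original article): look for a
cryptominer script injected into HTML and for lines appended to a persistence
file such as ~/.bashrc or /etc/rc.local. All inputs are constructed inline;
the indicator strings and file contents are assumptions for illustration."""
from html.parser import HTMLParser

# Indicator substrings treated as cryptominer markers. The article names
# CoinHive; any library or domain names used below are this example's guesses.
MINER_INDICATORS = ("coinhive",)


class _ScriptFinder(HTMLParser):
    """Collect every <script> tag: its src attribute and its inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []        # list of (src, inline_body)
        self._in_script = False
        self._src = None
        self._body = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._body = []

    def handle_data(self, data):
        # HTMLParser switches to CDATA mode inside <script>, so the whole
        # inline body arrives here as data.
        if self._in_script:
            self._body.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._body)))
            self._in_script = False


def find_miner_scripts(html, indicators=MINER_INDICATORS):
    """Return one finding per <script> tag whose src or body references an indicator."""
    parser = _ScriptFinder()
    parser.feed(html)
    parser.close()
    findings = []
    for src, body in parser.scripts:
        haystack = f"{src or ''} {body}".lower()
        for indicator in indicators:
            if indicator in haystack:
                findings.append({"indicator": indicator, "src": src, "inline": src is None})
                break
    return findings


def unexpected_persistence_lines(current, baseline):
    """Lines present in a persistence file now but absent from a known-good copy.
    Blank lines and comments are ignored so cosmetic edits do not alert."""
    known = {line.strip() for line in baseline.splitlines()}
    return [
        line.strip()
        for line in current.splitlines()
        if line.strip() and not line.strip().startswith("#") and line.strip() not in known
    ]


# Constructed sample inputs (not real IoCs).
CLEAN_HTML = "<html><body><script src='/static/app.js'></script></body></html>"
INJECTED_HTML = (
    "<html><head><script src='https://coinhive.example/lib/miner.js'></script>"
    "<script>var miner = new CoinHive.Anonymous('SITEKEY'); miner.start();</script>"
    "</head><body>hello</body></html>"
)
BASELINE_BASHRC = "# ~/.bashrc\nexport PATH=$PATH:$HOME/bin\nalias ll='ls -l'\n"
CURRENT_BASHRC = BASELINE_BASHRC + "/tmp/.x/cnrig -o pool.example:3333 &\n"

if __name__ == "__main__":
    print(find_miner_scripts(INJECTED_HTML))
    print(unexpected_persistence_lines(CURRENT_BASHRC, BASELINE_BASHRC))
```

On a real host the same two functions would be run over every HTML file under the web root and over the persistence files against copies taken from a clean build; the indicator list is deliberately a parameter so that new miner services can be added without touching the parser.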
In September 2018, adversaries launched the next campaign using Rabbot, a self-propagating worm based on the Linux Rabbit code base. The Rabbot malware has no geolocation restrictions and also infects Internet-of-Things devices via known vulnerabilities. Tor connections to the C&C servers can be uncovered using the DetectTor rule pack. You can also leverage Brute Force Detection to spot password-guessing attempts and the Web Mining Detector rule pack to detect connections to the CoinHive platform.
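The SSH password-guessing stage mentioned above is the kind of activity a brute-force rule flags. The following is an added example, not code from the rule packs named in the article: a minimal sliding-window detector run over constructed sshd log lines in the usual OpenSSH syslog format. The threshold, window, host name and IP addresses are assumptions chosen for illustration.

```python
"""Added example (not part of the article or of any rule pack it names): flag a
source IP that produces a burst of failed SSH logins within a short window,
which is the signature of password guessing. Log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH failure line as written via syslog. Syslog timestamps carry no year,
# so a fixed year is assumed when parsing.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
ASSUMED_YEAR = 2018


def parse_failures(lines):
    """Yield (timestamp, source_ip, username) for each failed-password line."""
    for line in lines:
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {ip: (window_start, distinct_users)} for every source IP that
    produced at least `threshold` failures inside any `window_seconds` span."""
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    users = defaultdict(set)      # ip -> usernames tried so far
    alerts = {}
    for ts, ip, user in sorted(parse_failures(lines)):
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = (q[0], len(users[ip]))
    return alerts


# Constructed sample log: one guessing burst and one legitimate user who
# mistyped a password twice, ten minutes apart (addresses are documentation ranges).
SAMPLE_LOG = [
    "Dec 11 10:00:01 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Dec 11 10:00:03 web01 sshd[1203]: Failed password for root from 203.0.113.5 port 51236 ssh2",
    "Dec 11 10:00:05 web01 sshd[1205]: Failed password for invalid user pi from 203.0.113.5 port 51238 ssh2",
    "Dec 11 10:00:08 web01 sshd[1207]: Failed password for invalid user ubuntu from 203.0.113.5 port 51240 ssh2",
    "Dec 11 10:00:12 web01 sshd[1209]: Failed password for root from 203.0.113.5 port 51242 ssh2",
    "Dec 11 10:00:20 web01 sshd[1211]: Failed password for invalid user test from 203.0.113.5 port 51244 ssh2",
    "Dec 11 10:02:00 web01 sshd[1220]: Failed password for alice from 198.51.100.7 port 40000 ssh2",
    "Dec 11 10:15:00 web01 sshd[1230]: Failed password for alice from 198.51.100.7 port 40002 ssh2",
    "Dec 11 10:15:01 web01 sshd[1231]: Accepted password for alice from 198.51.100.7 port 40002 ssh2",
]

if __name__ == "__main__":
    for ip, (start, n_users) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: burst starting {start:%H:%M:%S}, {n_users} distinct usernames tried")
```

The distinct-username count is reported alongside the burst because a single user repeatedly failing is usually a typo or a stale credential, whereas many usernames from one address within a minute is the pattern the article attributes to Linux Rabbit.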