A two-month Monero cryptomining campaign targeted both Linux-based servers and Internet of Things devices with a newly discovered malware family called “Linux Rabbit,” researchers have reported.
The first phase commenced in August 2018 and involved the original Linux Rabbit malware, which was coded to infect Linux-based servers in Russia, South Korea, the U.K., and the U.S. The second lasted from September through October and used a self-propagating worm variant of Linux Rabbit known as Rabbot. Rabbot was developed to infect servers across a wider geographic range while also adding Linux-based IoT devices to its target list.
The Linux Rabbit family's final payload is the CNRig miner if the infected device is an x86-bit Intel machine, and the Coinhive miner if the host runs on an ARM processor or MIPS architecture. Additionally, the malware injects Coinhive script tags into all of the web server's HTML files, so that users who visit the server or its website also become infected.
According to Anomali, Linux Rabbit uses Tor hidden services and gateways to communicate with its malicious C2 server. "The payload for the malware is then sent from the C2 server as an encoded URL parameter," the blog post explains.
The malware next establishes persistence via “rc.local” files and “.bashrc” files, then employs brute-force techniques to steal SSH passwords that will allow Linux Rabbit to install the miner. Other functionalities include receiving malware updates from GitHub, detecting and deleting other miners that were previously installed on machines, and activating a kill switch.
The Rabbot variant is able to go after IoT devices as well because it can exploit a range of old vulnerabilities, including two critical code execution bugs that were found jsut this year in NUUO's NVRMini2 firmware (CVE-2018-1149) and the SonicWall Global Management System (CVE-2018-9866).