Linux Rabbit is malicious software (malware) specifically designed to exploit Linux systems. The first campaign leveraging this malware began in August 2018, targeting Linux servers located in Russia, South Korea, the UK, and the US. The malware is capable of connecting to GitHub to receive updates from the threat actors, and its primary function, once it has established persistence, is to brute force SSH passwords. This allows the malware to install a cryptocurrency miner onto the server. It tries to install either the "CNRig" or the "CoinHive" Monero miner, but only one will successfully install, depending on the machine's architecture.
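As an added, defender-side example that is not part of the ThreatStream description, the following parses constructed sshd log lines (the hostnames, IP addresses, users and timestamps are invented) and flags the behaviour described above: a source that crosses a failed-password threshold within a short window and then authenticates successfully, which is the point at which a miner drop would follow.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines for illustration only; not from the page or any real host.
SAMPLE_LOG = """\
Nov 29 03:10:01 srv sshd[2101]: Failed password for root from 203.0.113.7 port 50111 ssh2
Nov 29 03:10:02 srv sshd[2102]: Failed password for root from 203.0.113.7 port 50112 ssh2
Nov 29 03:10:02 srv sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 50113 ssh2
Nov 29 03:10:03 srv sshd[2104]: Failed password for root from 203.0.113.7 port 50114 ssh2
Nov 29 03:10:04 srv sshd[2105]: Failed password for root from 203.0.113.7 port 50115 ssh2
Nov 29 03:10:05 srv sshd[2106]: Accepted password for root from 203.0.113.7 port 50116 ssh2
Nov 29 03:11:00 srv sshd[2107]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Nov 29 03:11:30 srv sshd[2108]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
"""

# Matches the standard OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse(log, year=2018):
    """Turn raw log text into (timestamp, result, user, ip) tuples; syslog lines carry no year."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def detect_bruteforce(events, threshold=5, window_s=60):
    """Return {ip: (max_failures_in_window, compromised)} for sources that reach the
    failure threshold inside a sliding window; compromised is True when the same
    source later gets an 'Accepted' login, i.e. the brute force likely succeeded."""
    failures = defaultdict(list)
    flagged = {}
    for ts, result, user, ip in sorted(events):
        if result == "Failed":
            q = failures[ip]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_s:  # expire old failures
                q.pop(0)
            if len(q) >= threshold:
                flagged.setdefault(ip, [len(q), False])
                flagged[ip][0] = max(flagged[ip][0], len(q))
        elif result == "Accepted" and ip in flagged:
            flagged[ip][1] = True
    return {ip: tuple(v) for ip, v in flagged.items()}
```

A flagged source with `compromised == True` is the one to pivot on: check for new cron entries, unexpected outbound connections to GitHub, and miner processes on that host.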
A subsequent campaign ran from September to October 2018, using a different strain of malware to infect machines. This new malware, called "Rabbot", shared the same code base as Linux Rabbit but had expanded capabilities. Unlike Linux Rabbit, which was limited to Linux servers, Rabbot could also target and infect Internet-of-Things (IoT) devices via known vulnerabilities, making it a self-propagating worm and increasing the potential scope of the attack.
Detailed technical analysis of both Linux Rabbit and Rabbot can be found through ThreatStream, providing a comprehensive examination of the general campaign and individual malware processes. These threat bulletins are crucial for understanding how these malware strains operate and how they were used in these specific campaigns. As the cyber threat landscape continues to evolve, understanding and learning from past attacks like these is essential for enhancing cybersecurity measures and strategies.
Description last updated: 2023-11-29T03:27:56.201Z