Rabbot is malware discovered by Anomali Labs' cyber threat researchers. It shares a code base with another malware strain called Linux Rabbit. Both were used in a campaign targeting Linux servers and Internet-of-Things (IoT) devices that started in August 2018 and continued until October 2018. The campaign was primarily focused on Russia, South Korea, the UK, and the US. While both strains function similarly, Rabbot is not limited to infecting Linux servers as Linux Rabbit is; it can also target and infect IoT devices.
Rabbot propagates as a worm and can exploit known vulnerabilities in systems, with the specific exploits listed in databases such as CVE and Exploit DB. These exploits allow Rabbot to infiltrate systems and carry out its damaging activities. Once inside a system, Rabbot installs CoinHive miners into web pages via the infected web server. It does this by searching for “.HTML” files and inserting JavaScript files that load in the browser, hijacking system resources to mine cryptocurrency.
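A defender-side check for the injection described above, as an added example (not Anomali's code or tooling): it walks a web root for `.html`/`.htm` files and flags CoinHive script references. The indicator patterns are assumptions taken from CoinHive's public embed snippet, and the function names and sample pages are constructed for illustration.

```python
import os
import re
import tempfile

# Assumed indicators, taken from CoinHive's publicly documented embed snippet;
# they are not listed on this page. Extend them for your environment.
INDICATORS = {
    "coinhive-script": re.compile(r"<script[^>]+src=[\"'][^\"']*coinhive[^\"']*\.js", re.I),
    "coinhive-api": re.compile(r"\bCoinHive\.(Anonymous|User)\s*\(", re.I),
}

def scan_html(text):
    """Return sorted (line_number, indicator_name) pairs found in one page."""
    lines = enumerate(text.splitlines(), start=1)
    return sorted((n, name) for n, line in lines
                  for name, pat in INDICATORS.items() if pat.search(line))

def scan_tree(root):
    """Walk a web root and map each flagged HTML file to its findings."""
    flagged = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith((".html", ".htm")):
                continue
            path = os.path.join(dirpath, fname)
            # errors="replace" keeps the scan going on mis-encoded pages.
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_html(fh.read())
            if hits:
                flagged[os.path.relpath(path, root)] = hits
    return flagged

# Constructed sample pages (not captured from a real infection).
CLEAN = "<html><body><h1>Welcome</h1></body></html>\n"
INJECTED = (
    "<html><body><h1>Welcome</h1>\n"
    '<script src="https://coinhive.com/lib/coinhive.min.js"></script>\n'
    "<script>new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER').start();</script>\n"
    "</body></html>\n"
)

def demo():
    """Scan a throwaway web root holding one clean and one injected page."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "blog"))
        for rel, body in (("index.html", CLEAN), ("blog/POST.HTML", INJECTED)):
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)
```

Point `scan_tree` at the real document root and compare flagged files against a known-good deployment or version control to separate injected markup from legitimate content.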
Despite their similarities, there are key differences between Rabbot and Linux Rabbit. Unlike Linux Rabbit, Rabbot sends all its payloads through an open port 80 to the Linux web servers without checking that the process succeeded. This characteristic makes Rabbot more aggressive and potentially more harmful than Linux Rabbit. Threat bulletins associated with this information provide a thorough examination of the general campaign and the individual malware processes for both Linux Rabbit and Rabbot.
Description last updated: 2024-01-06T11:10:03.220Z