Unknown threat actors have been running a malware campaign targeting linux and IoT machines using two malware strains designed to install CNRigand CoinHive Monero cryptominers after deleting competing miners.

The cyptojacking campaign discovered by Anomali Labs ' research team ran between August and October 2018, with theLinux Rabbit initial campaign being active during August and targeting only Linux boxes, while the second one dubbed Rabbot operated from September to October, adding IoT devices to its target list.

Both Linux Rabbit and Rabbot campaigns were designed to detect the architecture of the machine they infiltrated and installed a cryptominerexecutable designed explicitly for that specific machine.

Moreover, the Linux Rabbit malware was used by the bad actors to scan for and compromise targets fromRussia, South Korea, the UK, and the US, subsequently getting in touch with its command-and-control (C2) server via aTOR encrypted communication channel.

The next step was to achieve persistence on the Linux box using rc.local and .bashrcfiles and to hack into the local SSH server with the help of a hard-coded list of credentials for brute-forcing is way into the server.

During the next step, "Linux Rabbit attempts to install both “CNRig” and “CoinHive” Monero miners onto the machine, but only one will actually successfully install depending on what type of architecture the machine is," saysAnomali Labs.

Rabbot used aself-propagating worm to find and compromise new IoT targets

Also, "If the machine is a x86-bit, it will install CNRig Monero miner and if the machine is an ARM/MISP, it will install CoinHive."

Furthermore, if it detects a web server running on the compromised Linux box, Linux Rabbit will also injectCoinHive script tags into every HTML file it finds on the server.

Additionally, as an intermediary step, the malware will also start a scanning process for other crypto miners running on the infected Linux server, deleting them before installing its own Monero miner.

The Rabbot campaign used a self-propagating malware that shares the same code with the Linux Rabbit strain, with an extra feature: the capability of infecting unpatched IoT devices with no specific geolocation requirements.

In a nutshell,Anomali Labs' discovered thatRabbot'sbehavior is identical to Linux Rabbit's with the only significant difference being that the former will drop and execute both architecture specific cryptominer payloads.

本文系统(linux)相关术语:linux系统 鸟哥的linux私房菜 linux命令大全 linux操作系统

本文标题:CyptoJacking Campaign Used Two Malware Strains to Target IoT and Linux Devices

技术大类 技术大类 | 系统(linux) | 评论(0) | 阅读(67)