Unknown threat actors have been running a malware campaign targeting linux and IoT machines using two malware strains designed to install CNRigand CoinHive Monero cryptominers after deleting competing miners.

The cyptojacking campaign discovered by Anomali Labs ' research team ran between August and October 2018, with theLinux Rabbit initial campaign being active during August and targeting only Linux boxes, while the second one dubbed Rabbot operated from September to October, adding IoT devices to its target list.

Both Linux Rabbit and Rabbot campaigns were designed to detect the architecture of the machine they infiltrated and installed a cryptominerexecutable designed explicitly for that specific machine.

Moreover, the Linux Rabbit malware was used by the bad actors to scan for and compromise targets fromRussia, South Korea, the UK, and the US, subsequently getting in touch with its command-and-control (C2) server via aTOR encrypted communication channel.

The next step was to achieve persistence on the Linux box using rc.local and .bashrcfiles and to hack into the local SSH server with the help of a hard-coded list of credentials for brute-forcing is way into the server.

During the next step, "Linux Rabbit attempts to install both “CNRig” and “CoinHive” Monero miners onto the machine, but only one will actually successfully install depending on what type of architecture the machine is," saysAnomali Labs.

Rabbot used aself-propagating worm to find and compromise new IoT targets

Also, "If the machine is a x86-bit, it will install CNRig Monero miner and if the machine is an ARM/MISP, it will install CoinHive."

Furthermore, if it detects a web server running on the compromised Linux box, Linux Rabbit will also injectCoinHive script tags into every HTML file it finds on the server.

Additionally, as an intermediary step, the malware will also start a scanning process for other crypto miners running on the infected Linux server, deleting them before installing its own Monero miner.

The Rabbot campaign used a self-propagating malware that shares the same code with the Linux Rabbit strain, with an extra feature: the capability of infecting unpatched IoT devices with no specific geolocation requirements.

In a nutshell,Anomali Labs' discovered thatRabbot'sbehavior is identical to Linux Rabbit's with the only significant difference being that the former will drop and execute both architecture specific cryptominer payloads.

本文系统(linux)相关术语:linux系统 鸟哥的linux私房菜 linux命令大全 linux操作系统

代码区博客精选文章
分页:12
转载请注明
本文标题:CyptoJacking Campaign Used Two Malware Strains to Target IoT and Linux Devices
本站链接:https://www.codesec.net/view/620893.html


1.凡CodeSecTeam转载的文章,均出自其它媒体或其他官网介绍,目的在于传递更多的信息,并不代表本站赞同其观点和其真实性负责;
2.转载的文章仅代表原创作者观点,与本站无关。其原创性以及文中陈述文字和内容未经本站证实,本站对该文以及其中全部或者部分内容、文字的真实性、完整性、及时性,不作出任何保证或承若;
3.如本站转载稿涉及版权等问题,请作者及时联系本站,我们会及时处理。
登录后可拥有收藏文章、关注作者等权限...
技术大类 技术大类 | 系统(linux) | 评论(0) | 阅读(67)