Linux Rabbit

Linux Rabbit is malware that targeted Linux servers and IoT devices in a campaign lasting from August to October 2018. It shares code with another strain of malware known as Rabbot. The goal of the campaign was to install cryptocurrency miners onto the targeted servers and devices.[1]

ID: S0362
Platforms: Linux
Version: 1.2
Created: 04 March 2019
Last Modified: 22 December 2020

Techniques Used

Domain ID Name Use
Enterprise T1110 .003 Brute Force: Password Spraying

Linux Rabbit brute forces SSH passwords in order to attempt to gain access and install its malware onto the server. [1]

Enterprise T1132 Data Encoding

Linux Rabbit sends the payload from the C2 server as an encoded URL parameter. [1]

Enterprise T1546 .004 Event Triggered Execution: Unix Shell Configuration Modification

Linux Rabbit maintains persistence on an infected machine through rc.local and .bashrc files. [1]

Enterprise T1133 External Remote Services

Linux Rabbit attempts to gain access to the server via SSH.[1]

Enterprise T1033 System Owner/User Discovery

Linux Rabbit opens a socket on port 22 and if it receives a response it attempts to obtain the machine's hostname and Top-Level Domain. [1]

Enterprise T1078 Valid Accounts

Linux Rabbit acquires valid SSH accounts through brute force. [1]