Linux Rabbit

Linux Rabbit is malware that targeted Linux servers and IoT devices in a campaign lasting from August to October 2018. It shares code with another strain of malware known as Rabbot. The goal of the campaign was to install cryptocurrency miners onto the targeted servers and devices.[1]

ID: S0362
Platforms: Linux

Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1156 | .bash_profile and .bashrc | Linux Rabbit maintains persistence on an infected machine through rc.local and .bashrc files.[1] |
| Enterprise | T1110 | Brute Force | Linux Rabbit brute forces SSH passwords in order to attempt to gain access and install its malware onto the server.[1] |
| Enterprise | T1043 | Commonly Used Port | Linux Rabbit checks to see if an SSH server is listening on port 22.[1] |
| Enterprise | T1132 | Data Encoding | Linux Rabbit sends the payload from the C2 server as an encoded URL parameter.[1] |
| Enterprise | T1021 | Remote Services | Linux Rabbit attempts to gain access to the server via SSH.[1] |
| Enterprise | T1033 | System Owner/User Discovery | Linux Rabbit opens a socket on port 22 and if it receives a response it attempts to obtain the machine's hostname and Top-Level Domain.[1] |