Digital attackers used new malware called “Linux Rabbit” and “Rabbot” to install cryptominers on targeted devices and servers.
In August 2018, researchers at Anomali Labs came across a campaign where Linux Rabbit targeted Linux servers located in Russia, South Korea, the United Kingdom and the United States. The malware began by using Tor hidden services to contact its command and control (C&C) server. After achieving persistence through “rc.local” files and “.bashrc” files, Linux Rabbit then set to work to brute forcing SSH passwords. If successful, the threat then attempted to install its payloads: the CNRig and CoinHive Monero miners.
The architecture of the targeted machine limited Linux Rabbit to installing only one of these miners successfully. The malware installed CNRig in the event the machine was x86-bit, for example. As for CoinHive, Linux Rabbit could install this machine only if it was an ARM/MISP.