CyptoJacking Campaign Used Two Malware Strains to Target IoT and Linux Devices

[silversurfer]

Unknown threat actors have been running a malware campaign targeting Linux and IoT machines using two malware strains designed to install CNRig and CoinHive Monero cryptominers after deleting competing miners.

The cyptojacking campaign discovered by Anomali Labs' research team ran between August and October 2018, with the Linux Rabbit initial campaign being active during August and targeting only Linux boxes, while the second one dubbed Rabbot operated from September to October, adding IoT devices to its target list.

Both Linux Rabbit and Rabbot campaigns were designed to detect the architecture of the machine they infiltrated and installed a cryptominer executable designed explicitly for that specific machine.

Moreover, the Linux Rabbit malware was used by the bad actors to scan for and compromise targets from Russia, South Korea, the UK, and the US, subsequently getting in touch with its command-and-control (C2) server via a TOR encrypted communication channel.

The next step was to achieve persistence on the Linux box using rc.local and .bashrc files and to hack into the local SSH server with the help of a hard-coded list of credentials for brute-forcing is way into the server.

Source: https://news.softpedia.com/news/cyptojac...4153.shtml