Linux Rabbit Worm

First observed in August 2018, Rabbit (also known as Rabbot) is a Linux-based worm targeting devices in the UK, USA, South Korea and Russia to enrol into a cryptocurrency mining campaign.

Threat ID:: CC-2835
Category:: worm
Threat Severity:: Low
Threat Vector:: Insecure network
Published:: 11 December 2018 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

First observed in August 2018, Rabbit (also known as Rabbot) is a Linux-based worm targeting devices in the UK, USA, South Korea and Russia to enrol into a cryptocurrency mining campaign.

Affected platforms

The following platforms are known to be affected:

Linux

Linux - Most popular distributions

IoT Devices

Threat details

Rabbit identifies vulnerable devices by generating random IP addresses, verifying their location and attempting to establish an SSH connection over port 22. If successful it will then check the top-level domain (TLD) of the host, terminating the connection if the TLD matches a hard-coded blacklist, before performing a brute-force attack to gain full access.

Once Rabbit gains access to a device it will attempt to install variants of both the CNRig and CoinHive mining applications; however, only one variant will successfully install, dependant on the affected device's architecture. CNRig will install on x86-based systems, while CoinHive will only install on ARM or MIPS micro-architectures. Rabbit will also inject CoinHive scripts into HTML files on affected web servers to infect users of the server, and will attempt to remove other mining applications from affected devices.

For further information:

Remediation steps

Type	Step
	To prevent and an trojan infection, ensure that: A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails. All operating systems, anti-virus and other security products are kept up-to-date. Regular anti-virus and security scans are performed on your organisation’s estate. All day-to-day computer activities such as email and internet are performed using non-administrative accounts. Strong password policies are in place. Network, proxy and firewall logs should be monitored for suspicious activity. User accounts accessed from affected devices should be reset on a clean computer. Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.

Type

Step

To prevent and an trojan infection, ensure that:

A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
All operating systems, anti-virus and other security products are kept up-to-date.
Regular anti-virus and security scans are performed on your organisation’s estate.
All day-to-day computer activities such as email and internet are performed using non-administrative accounts.
Strong password policies are in place.
Network, proxy and firewall logs should be monitored for suspicious activity.
User accounts accessed from affected devices should be reset on a clean computer.
Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.

Last edited: 17 February 2020 12:59 pm