A newly observed Linux Trojan is capable of self-spreading through infected websites and can recruit the infected machines into a peer-to-peer (P2P) botnet, Doctor Web researchers warn.
Security researchers from the firm Dr. Web have discovered a new Linux Trojan dubbed Linux.Rex.1 that is capable of self-spreading through infected websites composing a peer-to-peer botnet.
The threat was designed to infect web servers that use certain content management systems (CMS). The Linux.Rex.1 Trojan was written in the Go programming language and can perform a wide range of malicious activities, including sending out spam messages, launch DDoS attacks and of course spread itself over networks.
The malware was first spotted by users of the Kernelmode that noticed several attacks against websites based on Drupal CMS, for this reason, they called it Drupal ransomware.
The malware has the ability to hack websites built using Drupal by exploiting a well-known SQL injection flaw.
Now malware researchers from Dr, Web discovered that the Linux.Rex.1 was able to infect many other CMSs.
“This malware program attacks web servers that use various CMS, performs DDoS attacks, sends out spam messages, and distributes itself over networks.” states the analysis published by Dr Web.
The botnet composed of machines infected by the Linux.Rex.1 is a P2P botnet, each node of the malicious network is able to share data with peers by using a protocol implemented by the malware authors.
“Linux.Rex.1 is a Trojan that can create such P2P botnets by implementing a protocol responsible for sharing data with other infected computers. Once the Trojan is launched, a computer that has been infected starts operating as one of this network’s nodes.” continues the analysis. “The malware program receives directives over the HTTPS protocol and sends them to other botnet nodes, if necessary. When commanded by cybercriminals, Linux.Rex.1 starts or stops a DDoS attack on a specified IP address.”
The malware uses the HTTPS protocol to send/receive commands, the experts noticed a special component used by the threat to scan for websites that uses several CMSs, including the Drupal, WordPress, Magento, JetSpeed, and others.
“It also searches for network hardware that runs AirOS, and exploits known vulnerabilities in order to get hold of user lists, private SSH keys, and login credentials stored on remote servers. However, this information cannot always be obtained successfully,” reads the analysis.
In addition, the Linux.Rex.1 malware is designed to send out spam email messages to website owners, threatening them with DDoS attacks on their servers. Curiously, if the email goes to the wrong recipient, crooks ask it to redirect the message to the website owner.
Crooks requests the payment of a Bitcoin ransom to avoid being attacked.
Just a few weeks ago, experts from Doctor Web discovered another Linux malware dubbed Linux.Lady.1, which is also written in the Go programming language and that was primarily developed to infect systems for cryptocurrency mining.
[adrotate banner=”9″]
(Security Affairs – Linux malware, Linux.Rex.1)
BlackBerry reported that the financially motivated group FIN7 targeted the IT department of a large…
An international law enforcement operation led to the disruption of the prominent phishing-as-a-service platform LabHost.…
Russia-linked APT Sandworm employed a previously undocumented backdoor called Kapeka in attacks against Eastern Europe since…
Cisco has addressed a high-severity vulnerability in its Integrated Management Controller (IMC) for which publicly…
Threat actors are exploiting the CVE-2023-22518 flaw in Atlassian servers to deploy a Linux variant of…
Ivanti addressed two critical vulnerabilities in its Avalanche mobile device management (MDM) solution, that can…
This website uses cookies.