The number of attacks on computers is increasing almost exponentially these days. The latest one to make news is the Rex Linux Trojan. This “Swiss knife” of a malicious program is a piece of work capable of running DDoS attacks, hold the infected computer for ransom (ransomware) and even mine Bitcoin without the user’s knowledge.
Built on Google’s Go platform, the Trojan was first identified by cyber security firms three months ago. The earlier version of Rex Linux Trojan was much weaker and it was found targeting Drupal websites. Security experts were able to defeat the ransomware easily. However, Rex Linux Trojan as evolved since then to become a considerable threat.
According to reports, the malware uses peer to peer communication network and has 5 major parts and it is capable of attacking more than just CMS platforms like Drupal. The different parts of Rex Linux Trojan include an attack vector, Bitcoin mining capability, Command and Control Communication, ransomware and DDoS attack.
The malware is delivered by bots scanning the internet for vulnerable websites. It is found to take advantage of multiple well-known security vulnerabilities of the platforms. Rex Linux Trojan makes use of CVE-2014-3704 Drupalgeddon vulnerability for infecting Drupal based web platforms. Similarly, Magento based websites are targeted using Shoplift RCE bugs. Many plugins on WordPress are found to be vulnerable to Rex Linux Trojan. Some of the compromised plugins include WooCommerce, Robo Gallery, Rev Slider, WP-Squirrel, Site Import, Brandfolder, Issuu Panel and Gwolle Guestbook.
Once infected, the ransomware scans the database using “RansomScanner” to retrieve the administrator’s email address. Upon retrieving the contact information, Rex Linux Trojan sends an email demanding a Bitcoin ransom to be paid in order to prevent the site from coming under a DDoS attack. The cryptocurrency mining portion of the ransomware is also used to launch DDoS attacks on infected websites.
It is found that the communication between ransomware and its Command and Control server happens through Kademlia P2P network on port 5099. While the cybersecurity platforms consider this to be a significant development, it is still not listed as a serious threat due to lack of reported DDoS incidents involving this ransomware yet.
Recently, a Russian antivirus company Doctor Web announced the discovery of Linux.Lady. Linux.Lady is also a Trojan built on Google Go, targeting Linux servers running Redis NoSQL database. Once infected, the malware turns the machine into cryptocurrency miners.
Website administrators are advised to update all the services to patch any known security vulnerabilities on their websites. This is expected to protect them from Rex Linux Trojan at the moment.