Rex Linux Trojan, A New Multipackage Malware Spotted – Ransomware And Bitcoin Miner
Hackers these days are getting smarter and their products becoming more notorious and complicated. One such example is a recently discovered malware, Rex Linux Trojan which packs in DDoS attacks, ransomware and a Bitcoin miner.
The hack was originally discovered a few months ago by Stu Gorton, CEO and Co-Founder of Forkbombus Labs. Initially it was just a ransomware that targeted Drupal websites and was easily defeated. However, ever since then the ransomware has undergone multiple evolutions over the past three months.
The new version of this malware is developed using Google’s very own programming language, Go and uses peer to peer connection to communicate. Rex is composed of five different parts–an attack vector, bitcoin mining, C&C Communication, ransomware, and DDoS.
The bots in the malware scan the Internet for vulnerable Durpal, WordPress and Magento powered websites and then drops the malware onto their server. Drupal sites are affected by VE-2014-3704 Drupalgeddon, Magento websites by Shoplift RCE bugs and security vulnerabilities in plugins like WooCommerce, Robo Gallary and Site Import are exploited for WordPress powered websites.
The Rex Linux Trojan also contains capability to mine for crypto-currency such as Bitcoin and the Bitcoin miner portion of the hack also helps in DDoS attacks.
The ransomware known as “RansomScanner” is used to retrieve administrator contacts of the infected website, and send a DDoS threat via email. The hackers threaten to DDoS the server unless a ransom fee is paid in Bitcoin. No one is known to have been DDoS’d yet, however.
So far, there doesn’t seem to be a solution for this even from popular anti-virus tools like VirusTotal where it doesn’t even register as a threat. Perhaps the only way to avoid this Trojan for right now is to website administrators and owners to be extremely vigilant and not leave any vulnerabilities open and ensure all their Internet related services are up to date.