Linux Rabbit
⚠️ Overview
Linux Rabbit is a Linux malware family first documented by Anomali Labs in December 2018. It is a self-propagating SSH brute-forcer whose payload is a cryptocurrency miner (CryptoNight-family mining), not ransomware: it neither encrypts nor wipes files, so the "ransomware and wiper" classification sometimes attached to the name does not describe this family. Anomali observed the campaign between August and October 2018 against Linux servers in Russia, South Korea, the United Kingdom and the United States, and described a follow-on variant, Rabbot, that reuses the same code against IoT devices. The family has not been publicly attributed to any threat group; TA428 and APT10 (Stone Panda) are separate groups, and neither has been linked to it.
🔧 Technical Capabilities
Linux Rabbit propagates by brute-forcing SSH credentials: it scans for exposed SSH services (TCP port 22) and works through a built-in list of usernames and passwords (MITRE ATT&CK T1110.001, Brute Force: Password Guessing). Once a login succeeds (T1078, Valid Accounts), it installs its payload on the host with shell commands (T1059.004, Unix Shell) and sets it up to survive a reboot. The payload is a cryptocurrency miner (T1496, Resource Hijacking), not a file encryptor, so there is no encryption algorithm, no appended file extension and no ransom note to look for. Command-and-control traffic goes through Tor hidden services rather than plain HTTP POSTs (T1090.003, Multi-hop Proxy). The Rabbot variant adds targeting of IoT devices such as routers on top of the same brute-force and C2 code.
📜 History & Notable Incidents
Anomali Labs observed Linux Rabbit activity between August and October 2018 and published its analysis in December 2018; the observed victims were Linux servers in Russia, South Korea, the United Kingdom and the United States. No CVEs are associated with the family, since it relies on weak or default SSH credentials rather than software vulnerabilities. The Rabbot variant, which extends the same brute-forcing code to IoT devices, was covered in the same reporting. No public law enforcement action has been linked to this family.
🔍 Detection Indicators
Sample hashes for this family are published in Anomali Labs' December 2018 report and should be taken from that source rather than from third-party aggregations; none are reproduced here. Behavioral indicators: a burst of failed SSH password authentications from a single source IP followed by a successful password login from the same source (the propagation pattern); a new, unfamiliar process pinning CPU on every core shortly after such a login; and outbound Tor traffic, or a newly installed Tor client, on a server with no business reason to use Tor. Because the family does not encrypt files, a ".Rabbit" file extension or a busy "openssl" process is not an indicator of this malware.
☠️ Risk & Impact
The direct impact is resource hijacking: the miner consumes CPU on the compromised server, degrading the services it hosts and, on metered cloud instances, inflating the compute bill. There is no file encryption and no data loss caused by the malware itself. The more serious consequence is the foothold: a host that fell to a password dictionary was protected by a weak credential, that credential may be valid on other systems, and an attacker who can log in over SSH can do far more than mine. Any server that ran the miner should be treated as fully compromised and rebuilt, with its SSH credentials rotated.
🛡️ Mitigation
Recommended defenses: disable SSH password authentication in favor of key-based authentication (PasswordAuthentication no in sshd_config), disable direct root login (PermitRootLogin no), restrict SSH to management networks or a bastion host, and rate-limit or ban sources with repeated authentication failures (fail2ban or equivalent). SIEM rules should alert on many failed SSH logins from one source in a short window (MITRE ATT&CK T1110) and, more importantly, on a successful password login from a source that was brute-forcing moments earlier. Baseline CPU usage and alert on new high-CPU processes, and on unexpected Tor or mining-pool traffic from servers. Least privilege and offline backups remain good practice, although backups address data-destroying threats rather than this family's cryptomining payload.
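The SIEM rule above, and the propagation pattern described under Technical Capabilities, can be expressed as a small log-analysis routine. The following is an added example written for this page, not code from Anomali's report or from any product: it parses OpenSSH auth.log lines, raises a brute-force alert when a single source accumulates enough failures inside a sliding window, and raises a second, higher-severity alert when that same source is then accepted with a password. The log lines, threshold, window and the pinned year are all constructed assumptions.

```python
"""Detect SSH brute forcing followed by a successful password login,
the propagation pattern described for Linux Rabbit (MITRE T1110 / T1078).

Added example for this page, not code from the original report or any vendor.
The log lines below are constructed to look like an OpenSSH auth.log and are
not real indicators.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: one source brute-forces, gets in with a password,
# and an unrelated key-based login follows from a different host.
SAMPLE_AUTH_LOG = """\
Nov 12 03:14:01 web01 sshd[2143]: Failed password for root from 203.0.113.45 port 51422 ssh2
Nov 12 03:14:03 web01 sshd[2144]: Failed password for invalid user admin from 203.0.113.45 port 51430 ssh2
Nov 12 03:14:05 web01 sshd[2145]: Failed password for root from 203.0.113.45 port 51436 ssh2
Nov 12 03:14:08 web01 sshd[2146]: Failed password for invalid user oracle from 203.0.113.45 port 51441 ssh2
Nov 12 03:14:11 web01 sshd[2147]: Failed password for root from 203.0.113.45 port 51449 ssh2
Nov 12 03:14:20 web01 sshd[2151]: Accepted password for deploy from 203.0.113.45 port 51470 ssh2
Nov 12 03:15:02 web01 sshd[2155]: Failed password for bob from 198.51.100.7 port 40001 ssh2
Nov 12 03:20:00 web01 sshd[2160]: Accepted publickey for alice from 198.51.100.7 port 40012 ssh2
"""

# Matches both "Failed password for [invalid user] USER from IP" and
# "Accepted password|publickey for USER from IP" as OpenSSH writes them.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Syslog timestamps carry no year; pin one so parsing is deterministic (assumption).
LOG_YEAR = 2018


def parse_line(line):
    """Return a dict for an sshd auth event, or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_ssh_bruteforce(lines, threshold=5, window_seconds=60):
    """Return alerts for (a) >= threshold failures from one IP inside the
    sliding window and (b) a password login accepted from an IP that had
    already tripped (a). Alerts are returned in the order they fire."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = set()                 # ips already alerted for brute force
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["result"] == "Failed":
            q = failures[ev["ip"]]
            q.append(ev["ts"])
            # Drop failures that fell out of the window.
            while (ev["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append({"type": "brute_force", "ip": ev["ip"],
                               "failures": len(q), "technique": "T1110.001"})
        elif ev["method"] == "password" and ev["ip"] in flagged:
            # The guess worked: this is the Linux Rabbit foothold, not just noise.
            alerts.append({"type": "credential_compromise", "ip": ev["ip"],
                           "user": ev["user"], "technique": "T1078"})
    return alerts


if __name__ == "__main__":
    for alert in detect_ssh_bruteforce(SAMPLE_AUTH_LOG.splitlines()):
        print(alert)
```

On the sample, the source 203.0.113.45 trips the brute-force alert on its fifth failure and then the credential-compromise alert when the "deploy" password login is accepted; the key-based login from 198.51.100.7 raises nothing. In production the threshold and window would be tuned against real baseline traffic, and the credential-compromise alert is the one worth paging on, since the host is already owned at that point.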
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.