Over the last decade, various malware families have targeted Linux servers: Elknot, Encoder, Mirai, LuaBot, NyaDrop, Gayfgt and others. Most of them are used for DDoS, but there are exceptions, and Rex is one of them. In this article we present a detailed analysis of Rex.
Rex is a new malware family written in Go. Monitoring its activity over the last seven months has revealed a steady effort to add new features.
Rex is a hybrid between malware and a tool: its behavior depends on its command-line arguments, and it can be used in two different ways:
- Scan mode: with the “scan” command-line argument, the binary uses its embedded exploits to infect new Linux servers.
- C&C mode (without the “scan” argument): Rex contacts other bots over a P2P protocol (DHT over HTTPS) and waits for commands.
Rex is always installed as a hidden file in /tmp/. The malware has no persistence mechanism and no other hiding features; quite the contrary, it even offers a help menu (-h).
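The install location (a dot-prefixed file under /tmp/) and the build paths that Go embeds in the binary (“/home/ubuntu/src/rex/”, later “/home/user/src/rex/”) are enough for a simple host triage check. The following script is an added example, not the article's or the analysts' own tooling: it walks a directory, keeps only hidden regular files, and tags those that are executable, start with the ELF magic, or contain one of the quoted build paths. The `demo()` function builds a constructed directory with a fake sample so the check can be exercised offline; the file names inside it are invented.

```python
"""Triage helper: hidden ELF files under /tmp carrying Rex's build-path string.
Added example; not code from the article or from the Rex analysts."""
import os
import stat
import tempfile

ELF_MAGIC = b"\x7fELF"
# Build paths quoted in the article. Go embeds source paths in its binaries,
# so they survive as plain strings inside the executable.
REX_BUILD_PATHS = (b"/home/ubuntu/src/rex/", b"/home/user/src/rex/")


def file_indicators(path, max_read=16 * 1024 * 1024):
    """Return indicator tags for one file (empty list if nothing matched)."""
    tags = []
    try:
        st = os.lstat(path)
    except OSError:
        return tags
    if not stat.S_ISREG(st.st_mode):       # skip symlinks, sockets, fifos
        return tags
    if st.st_mode & 0o111:
        tags.append("executable")
    try:
        with open(path, "rb") as fh:
            data = fh.read(max_read)       # cap the read; /tmp may hold big files
    except OSError:
        return tags
    if data.startswith(ELF_MAGIC):
        tags.append("elf")
    if any(p in data for p in REX_BUILD_PATHS):
        tags.append("rex-build-path")
    return tags


def find_hidden_suspects(root="/tmp"):
    """Hidden (dot-prefixed) regular files under root that have any indicator."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.startswith("."):
                continue
            full = os.path.join(dirpath, name)
            tags = file_indicators(full)
            if tags:
                hits[full] = tags
    return hits


def demo():
    """Build a constructed /tmp-like tree and run the finder on it."""
    root = tempfile.mkdtemp(prefix="rex-triage-")
    # Constructed fake sample (invented name): hidden, executable, ELF magic,
    # and the build path string from the article. Not a real Rex binary.
    sample = os.path.join(root, ".x7f")
    with open(sample, "wb") as fh:
        fh.write(ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 64 + b"/home/ubuntu/src/rex/main.go")
    os.chmod(sample, 0o755)
    # Benign hidden text file: no indicators, must not be reported.
    with open(os.path.join(root, ".bash_history"), "w") as fh:
        fh.write("ls\n")
    # Visible ELF: not hidden, so out of scope for this check.
    with open(os.path.join(root, "tool"), "wb") as fh:
        fh.write(ELF_MAGIC + b"\0" * 16)
    hits = find_hidden_suspects(root)
    return {os.path.basename(k): v for k, v in hits.items()}


if __name__ == "__main__":
    for path, tags in find_hidden_suspects().items():
        print(path, ",".join(tags))
```

Run without arguments it scans the real /tmp; the "rex-build-path" tag is the strong signal, while "executable" and "elf" alone only say that someone dropped a hidden binary there, which deserves a look but is not proof of Rex.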
The help menu describes all the features available in both modes (scan and C&C). Argument details:
- Debug/log: launches the malware in debug mode, which is useful for analysis.
- Elevate: Rex can try to run itself as root by brute-forcing the SSH service; specific credentials can be skipped with elevate.ignore pwd.
- Ipc: we have not yet seen this feature used.
- Socks: runs Rex through a SOCKS proxy.
- Strategy: configures how Rex scans IPs (random or sequential).
There are also some hidden arguments: for instance, Rex can be used as a DDoS tool with the argument "–stresser target".
The main process handles the malware's communication; when the bot master sends a command, the main process forks a child with that command as its argument.
Once upon a time… Rex – April 2016
The first version (a808a6e45d4f3837fcf30a28f6594ffff320f9b994eb35f7e915dd9d954c912c) was spotted at the end of April 2016. Thanks to its debug logs, we know that the malware was built in “/home/ubuntu/src/rex/”.
This first version was mainly used to infect an initial group of servers. It contained several exploits but no other useful features. Rex tries to infect other servers through web-based exploits (WordPress, Drupal…).
To exploit a remote file inclusion vulnerability, the remote file is hosted on already-infected machines on port 5099, e.g. https://%s:5099/payload/php/%s/wp-gwollegb/ for the gwollegb RFI exploit.
Rex infects Drupal websites via CVE-2014-3704, a SQL injection that allows an attacker to change the admin password. This serves two purposes: first, getting access to the server, and second, locking the website in order to demand a ransom. After exploitation, Rex posts a blog entry on the homepage with the following message: “Website is locked. Please transfer 1.4 BitCoin to address 3M6SQh8Q6d2j1B4JRCe2ESRLHT4vTDbSM9 to unlock content.”
In the first version, the Drupal locker was the only “visible” feature.
- Issu panel
In this example, Rex exploits the Revslider WordPress plugin to upload a zip file (Showbiz.zip / revslider.zip) containing a PHP script used for PHP verification:
If everything is OK, the Rex binary is uploaded and the server is infected.
Rex embeds a module called “Kerner”, in reference to the blog “Kerner on security”. This module is a remote code execution exploit against CCTV-DVR devices.
Rex also embeds two Jetspeed exploits (CVE-2016-0709, CVE-2016-0710). They are flagged as “TODO” and are not functional yet.
“We are armada collective” – May 2016
After one month, the bot master released the first big update with an interesting feature: a ransom note sent to the Drupal admin (21-05-2016, 92651d4a11a43a9043a8126f2ada1e5bf1e00cb506d46c939e20f3ece93cb81d).
Interestingly, CloudFlare reported seeing this ransom threat in March 2016, whereas we spotted the first version of Rex carrying this note only at the end of May 2016.
A closer look at the ransom note shows that it is not exactly the same: it contains the same bullshit about 1 Tb DDoS attacks, but the sender email differs (we have seen firstname.lastname@example.org / email@example.com, while CloudFlare saw firstname.lastname@example.org).
This coincidence leads us to think that the Rex developers ran some tests with this threat before creating Rex. At that time, no real DDoS feature was present in the binary.
Three days later (24-05-2016), another update came with a first real DDoS implementation, DnsAmpl.
Optimization time – June 2016
During June 2016 we did not notice any important update, but we saw that the bot master kept refactoring the source code until the end of the month.
At the end of June, Rex gained a complete “stresser” module. The malware now supports many different DDoS types (HTTP, SlowLoris, DNSAmp…), and the build machine changed: the build path is now “/home/user/src/rex/”.
“We are anonymous” – July 2016
A few days later (09-07-2016), Rex added three new exploits:
- Drupal RESTWS RCE exploit
- Magento RCE exploit (CVE-2015-1397)
- Airos Arbitrary File Upload Exploit
The ransom note was rewritten: it no longer mentions Armada Collective, and the authors now call themselves “anonymous”.
The note tries to be more credible: it asks the victim to check their logs, something it could not do before because of the lack of a DDoS feature. But that is not enough to earn money: we checked several of the bitcoin addresses, and all of those wallets were empty.
BTCBrute and Clicky – August 2016
Early in August, two important updates came. The binary grew by 1.5 MB and now embeds a bitcoin miner based on Btcsuite and a click-fraud module called “clicky”.
The click-fraud part is really interesting. Rex uses the botnet to display ads hosted on a-ads.com; the game is to have each bot click on the ads and earn money from the advertisers. The good news is that a-ads campaigns are easy to track, so we can retrieve nice statistics.
We have spotted three ad units: 218355 (code name "Unicorns!"), 261029 (code name "Porkupines!") and 251270 (code name "Ferries!"). Two of them are associated with the bitcoin address 1HebiSQX2WfE2kXUuva79US4zNUxcYrHjZ and the third uses 1Q6mA6ERbwmaHX1nYwkrKuDiVjCYe2xma3.
History of a fail – September 2016
At the end of August, Rex's first big fail began (91164673cda591a9a4dec91ecda6dbb515d48df7b56108b5fa0053395c733188). Rex implemented a feature for mass-creating Instagram accounts, probably for social-network fraud. But bypassing Instagram's anti-spam is not so easy 🙂
First, Rex tried to use the botnet to create Instagram accounts via https://www.instagram.com/accounts/web_create_ajax/.
Each bot used its own IP to create these fake accounts, but Instagram's anti-spam features blacklisted every node of the botnet within a few minutes.
One week later, because of this blacklisting, the bot master implemented a SOCKS proxy feature to bypass the Instagram blacklist. This new feature failed twice more:
- The first implementation failed because of the password length.
- The second failure came from Rex using a well-known SOCKS proxy list that Instagram had already blocked.
After a month of failures, we have not seen the bot master use this feature again.
When Rex meets Mirai – October 2016
After seven months of life, the main problem with Rex remains its low number of bots. Without a large botnet, it is difficult to get a real return on investment. In September 2016 (4b513dfc68fe825e5f83c51fc1a023c15bf1039e48e025a0a4f4b034dbf443b9), the media shone a light on the Mirai botnet (an IoT botnet used for DDoS).
After the Mirai source code leaked, the Rex developer tried to port the Mirai telnet scanner into Rex.
As usual, this first buggy version of the Rex telnet scanner was tested directly in the wild. Unfortunately for the bot master, after one week of telnet scanning only a few new victims were infected (fewer than 10). But now, when you collect Mirai samples via honeypots, you have to make sure they are not Rex ;).
At the end of October (25-10-2016, 1058cce9f28c2a3522c31b67e913f00f229c2e00977c979dd68237e184c6df79), an update added an SSH scanner. The malware scans the Internet for SSH services and tries to brute-force them with the same password list as Mirai.
One last funny fact: this version includes a set of commands used for QA and benchmarking purposes. Maybe they hired a quality engineer.
We will keep monitoring all these features; the developer seems to be creative.
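Both the SSH scanner described here and the “elevate” argument from the help menu (brute-forcing SSH to get root) leave the same trace on a victim or target: bursts of sshd failures. The detector below is an added example, not the article's code: it parses constructed auth.log lines, keeps a sliding window of failed password attempts per source IP, and raises one alert per IP once the window crosses a threshold. It also flags the case of repeated root failures from a loopback address, on the assumption (not stated in the article) that “elevate” targets the local sshd. The year is assumed because syslog lines carry none.

```python
"""Sliding-window SSH brute-force detector over auth.log lines.
Added example; the log lines below are constructed, not captured from Rex."""
import re
from collections import defaultdict, deque
from datetime import datetime

YEAR = 2016  # assumed: syslog timestamps have no year

# Matches both "Failed password for root ..." and
# "Failed password for invalid user admin ..."
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Constructed sample: one remote burst, one loopback root burst, noise lines.
SAMPLE_AUTH_LOG = [
    "Oct 25 10:00:01 host sshd[2101]: Failed password for root from 198.51.100.9 port 40122 ssh2",
    "Oct 25 10:00:02 host sshd[2102]: Failed password for root from 198.51.100.9 port 40123 ssh2",
    "Oct 25 10:00:02 host sshd[2103]: Failed password for invalid user admin from 198.51.100.9 port 40124 ssh2",
    "Oct 25 10:00:03 host sshd[2104]: Failed password for invalid user pi from 198.51.100.9 port 40125 ssh2",
    "Oct 25 10:00:04 host sshd[2105]: Failed password for root from 198.51.100.9 port 40126 ssh2",
    "Oct 25 10:00:05 host sshd[2106]: Accepted publickey for alice from 203.0.113.20 port 50000 ssh2",
    "Oct 25 10:00:06 host sshd[2107]: Failed password for root from 127.0.0.1 port 33001 ssh2",
    "Oct 25 10:00:06 host sshd[2108]: Failed password for root from 127.0.0.1 port 33002 ssh2",
    "Oct 25 10:00:07 host sshd[2109]: Failed password for root from 127.0.0.1 port 33003 ssh2",
    "Oct 25 10:00:07 host sshd[2110]: Failed password for root from 127.0.0.1 port 33004 ssh2",
    "Oct 25 10:00:08 host sshd[2111]: Failed password for root from 127.0.0.1 port 33005 ssh2",
    "Oct 25 10:03:00 host sshd[2120]: Failed password for bob from 203.0.113.21 port 50010 ssh2",
]


def parse_failure(line):
    """Return (timestamp, user, source_ip) for a failed-password line, else None."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("user"), m.group("ip")


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Alert once per source IP when >= threshold failures fall within window_s."""
    recent = defaultdict(deque)  # ip -> deque of (timestamp, user)
    alerted = set()
    alerts = []
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, user, ip = parsed
        q = recent[ip]
        q.append((ts, user))
        # Drop attempts that fell out of the window.
        while q and (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            users = sorted({u for _, u in q})
            alerts.append({
                "ip": ip,
                "count": len(q),
                "users": users,
                # Loopback source hammering root: what a local "elevate"
                # style brute force would look like (assumption, see lead-in).
                "local_root": ip.startswith("127.") and "root" in users,
            })
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(a)
```

On a real host the log is fed in line by line (`detect_bruteforce(open("/var/log/auth.log"))`); thresholds should be tuned, since a scanner working through the Mirai list produces far more than five failures per minute, while a single mistyped password never does.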
Crawling the botnet
As a reminder, Rex uses a DHT-based P2P protocol over HTTPS for communication. Because of a certificate pinning failure, it is easy for us to man-in-the-middle the malware and then implement a crawler. This is what a Rex DHT request looks like:
As you can see, Rex uses the default Go User-Agent “Go-http-client/1.1” and sends gzip-encoded requests. We know that the DHT supports the following commands:
So it is easy to implement a quick crawler. At the time of writing, despite the bot master's efforts, the botnet is still harmless (~150 bots), not enough for any significant DDoS.
We tried to identify the most affected country, but the random scan strategy prevents us from drawing any useful conclusion.
Linux malware is a trendy topic; we find new families every week. The huge number of vulnerable servers and the absence of anti-virus attract crooks to the Linux side, where they can stay on a compromised server for several months without being detected. In the case of Rex, had the authors not implemented “visible” features like the Drupal locker, the malware would still be hidden. Judging by how the bot master uses this botnet, we can conclude that it is probably not part of a big cyber gang; Rex looks more like an experimental botnet. 2017 promises us some funny crapware on Linux.
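Two network-side traits from this article can be turned into detection logic: the RFI payload server on port 5099 with paths of the form /payload/php/…/wp-… (from the first-version section), and the C&C traffic's default Go User-Agent combined with gzip-encoded request bodies. The scorer below is an added example, not the analysts' crawler or any code from the article. It reads constructed key=value proxy log lines (the log format, hosts and paths are invented) and rates each hit: the payload URL alone is high confidence, the Go User-Agent is treated as weak on its own because every default Go HTTP client sends it, and only becomes medium when the request body is also gzip-encoded.

```python
"""Indicator scoring for Rex-style HTTP traffic over constructed proxy logs.
Added example; log lines, hosts and format are invented, not captured data."""
import re

# key=value or key="quoted value" pairs
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample (invented format): ts, source, destination, port,
# method, path, client User-Agent, and the request's Content-Encoding.
LOG_LINES = [
    'ts=2016-10-25T10:00:01Z src=10.0.0.5 dst=203.0.113.7 dport=5099 method=GET '
    'path=/payload/php/a1b2c3/wp-gwollegb/ ua="Go-http-client/1.1" req_ce=-',
    'ts=2016-10-25T10:00:02Z src=10.0.0.5 dst=198.51.100.4 dport=443 method=POST '
    'path=/ ua="Go-http-client/1.1" req_ce=gzip',
    'ts=2016-10-25T10:00:03Z src=10.0.0.9 dst=93.184.216.34 dport=443 method=GET '
    'path=/index.html ua="Mozilla/5.0" req_ce=-',
    'ts=2016-10-25T10:00:04Z src=10.0.0.3 dst=203.0.113.8 dport=443 method=GET '
    'path=/api/v1 ua="Go-http-client/1.1" req_ce=-',
]


def parse(line):
    """Split one key=value log line into a dict, unquoting quoted values."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def indicators(rec):
    """Tags derived from the traits the article documents."""
    tags = []
    # RFI payload hosted by an infected bot: port 5099, /payload/php/... path
    if rec.get("dport") == "5099" and rec.get("path", "").startswith("/payload/php/"):
        tags.append("rex-payload-url")
    # Default Go User-Agent: weak alone, shared by every plain Go HTTP client
    if rec.get("ua") == "Go-http-client/1.1":
        tags.append("go-default-ua")
    # gzip-encoded *request* bodies are rare for ordinary clients
    if rec.get("req_ce", "-").lower() == "gzip":
        tags.append("gzip-request-body")
    return tags


def severity(tags):
    """Combine tags into a confidence level, or None when nothing matched."""
    if "rex-payload-url" in tags:
        return "high"
    if "go-default-ua" in tags and "gzip-request-body" in tags:
        return "medium"
    if tags:
        return "low"
    return None


def scan(lines):
    """Return (line_index, severity, tags) for every line with a finding."""
    findings = []
    for idx, line in enumerate(lines):
        tags = indicators(parse(line))
        sev = severity(tags)
        if sev is not None:
            findings.append((idx, sev, tags))
    return findings


if __name__ == "__main__":
    for idx, sev, tags in scan(LOG_LINES):
        print(idx, sev, tags)
```

A low-severity "go-default-ua" hit should never page anyone by itself; it is there so that an analyst pivoting from a high or medium finding can see which other hosts talk with the same client fingerprint.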
Quick and dirty yara rules for VTi
List of hashes (unpacked version only)
illustration by Craig Simmons