Rex, a trojan initially discovered in May 2016, targets the Linux operating system, self-replicates through infected websites, and uses infected machines to create a peer-to-peer botnet. This trojan was originally described as Drupal ransomware and can attack web servers that use content management systems (CMS), perform DDoS attacks, send spam, and distribute itself over networks. Additionally, Rex can hack websites built using Drupal by exploiting an SQL injection vulnerability. Rex also searches for network hardware that runs AirOS and exploits known vulnerabilities in it to gain access to user lists, private SSH keys, and login credentials stored on remote servers. Cybercriminals can also use Rex to mine cryptocurrency on infected hosts. Attackers behind this trojan have sent messages to victims in which they claimed to be the Armada Collective gang and threatened DDoS attacks unless a ransom was paid.

Technical Details

  • Dr. Web provides technical details on the Rex trojan.
via Softpedia
