Nasty Rex Linux Trojan Packs DDoS Attacks, Ransomware, And Bitcoin Miner

It seems like we have had to report on some major new hack or threat every week as of late. Black-Hat Hackers are becoming more sophisticated, while their wares are becoming more diverse and complicated. One of the latest pieces of malware, the nasty Rex Linux Trojan, packs in DDoS attacks, ransomware, and a Bitcoin miner.

Stu Gorton, CEO and Co-Founder of Forkbombus Labs, disclosed a new kind of ransomware that targeted Drupal websites this past May in an interview with Softpedia. It was not particularly effective and could easily be defeated. This particular ransomware has evolved in the last three months, however, and now is far more dangerous.


The malware is developed in Go, Google’s homegrown programming language, and uses P2P to communicate. Rex is composed of five different parts-- an attack vector, bitcoin mining, C&C Communication, ransomware, and DDoS. 

How does the attack vector work? Bots scan the Internet for vulnerable Drupal, Wordpress, and Magento websites and then drop the Rex malware onto the server. The Trojan uses the documented CVE-2014-3704 Drupalgeddon vulnerability to infect Drupal sites, Shoplift RCE bugs to target Magento websites, and security vulnerabilities in plugins such as WooCommerce, Robo Gallery, Rev Slider, WP-squirrel, Site Import, Brandfolder, Issuu Panel, and Gwolle Guestbook to infect Wordpress websites.

This ransomware uses the Kademlia P2P network on port 5099 with TLS enabled in order to communicate. The Trojan can also mine for crypto-currency, such as Bitcoin, on infected hosts. The Bitcoin miner portion also appears to be used in the DDoS attacks.

ransom letter
The ransom letter sent to the administrators of infected hosts

The ransomware known as “RansomScanner” is used to retrieve administrator contacts of the infected website, and send a DDoS threat via email. The hackers threaten to DDoS the server unless a ransom fee is paid in Bitcoin. No one is known to have been DDoS’d yet, however.

Popular anti-virus engine VirusTotal does not currently recognize the Trojan as a threat. If you are a website administrator, it's recommended to not leave out of date services Internet-facing in order to limit exposure.