Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Self-Spreading Linux Trojan Creates P2P Botnet

A newly observed Linux Trojan is capable of self-spreading through infected websites and can recruit the infected machines into a peer-to-peer (P2P) botnet, Doctor Web researchers warn.

A newly observed Linux Trojan is capable of self-spreading through infected websites and can recruit the infected machines into a peer-to-peer (P2P) botnet, Doctor Web researchers warn.

Detected as Linux.Rex.1, the Trojan was written in the Go programming language and can attack web servers that use various content management systems (CMS), can perform distributed denial of service (DDoS) attacks, send out spam messages, and even distribute itself over networks.

The Trojan was initially called Drupal ransomware when discovered by Kernelmode forum users, mainly because it was attacking websites built using Drupal. Now, Doctor Web researchers reveal that the Trojan was actually designed to do much more.

Unlike botnets that use a command and control (C&C) server to receive instructions, the P2P botnets like the one created by Linux.Rex.1 transmit information from one infected machine directly to another. The Trojan implements a protocol that makes the sharing of data between infected computers possible, thus turning each of the systems recruited in the botnet into a node.

The malware uses HTTPS to receive commands and, if necessary, sends them to other botnet nodes as well. The Trojan’s operators can use the botnet to launch or stop a DDoS attack on a specified IP address, the security researchers reveal. Moreover, the malware was observed using a special module to scan for websites that employ CMSs such as Drupal, WordPress, Magento, JetSpeed, and others.

“It also searches for network hardware that runs AirOS, and exploits known vulnerabilities in order to get hold of user lists, private SSH keys, and login credentials stored on remote servers. However, this information cannot always be obtained successfully,” the security researchers say.

The Trojan was also designed to send spam email messages to website owners, mostly to threaten with DDoS attacks on their servers. The botnet’s operators always attempt to redirect these messages to a website owner to extort them. The cybercriminals ask their victims to pay a ransom in Bitcoin to avoid being targeted by the aforementioned DDoS attacks.

Another feature included inside this malware is the ability to hack websites built using Drupal. For that, the Trojan leverages a known vulnerability, performs an SQL injection, and logs itself into the system. As soon as it manages to hack a site, Linux.Rex.1 loads its copy into the site and runs it, which also allows the malware to replicate itself and to distribute itself without requiring intervention from its operators.

A couple of weeks ago, Doctor Web researchers detailed Linux.Lady.1, another Trojan written in the Go programming language, which was designed to abuse infected systems for cryptocurrency mining. Several months ago, the security company discovered BackDoor.Xunpes.1, a multipurpose Trojan specifically targeting Linux machines.

Related: New Remaiten Malware Builds Botnet of Linux-Based Routers

Related: Linux Trojan Takes Screenshots Every 30 Seconds

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


More than 3,800 servers around the world have been compromised in recent ESXiArgs ransomware attacks, which also include an improved process.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.