October 28, 2016
The Rex Linux malware is not as widespread and efficient as initially thought, and currently, the multi-featured Rex malware is only in command of a tiny botnet of around 150 devices.
Discovered this May, researchers initially thought this malware was a ransomware that exploited vulnerable Drupal sites to encrypt their files and ask for a ransom fee.
A later analysis released over the summer showed that the malware behind those initial infections also had many features such as the ability to launch DDoS attacks, mine for crypto-currency, talk to fellow Rex bots via the DHT P2P protocol, and self-propagate to other devices on its own.
Rex used for DDoS extortion schemes
Researchers said that the group behind this trojan used the malware more as a penetration tool, rather than a DDoS botnet. They leveraged its ability to propagate to Linux-based devices using exploits in Drupal, WordPress, and Magento sites, but also applications such as Exagrid, Apache Jetspeed, and AirOS home routers.
Once they infected these targets, the crooks would send the webmaster an email, threatening with DDoS attacks. In these emails, the Rex gang tried to pose as the infamous Armada Collective, reminiscent of a popular DDoS-for-Bitcoin extortion tactic also discovered by CloudFlare earlier in the year.
French researcher Benkow of Stormshield Security, the man who analyzed the malware over the summer, has continued to track its activity.