A botnet named RapperBot is being used in a brute-force campaign that has been ongoing since mid-June. The goal is to break into Linux SSH servers and gain access to the devices. The botnet was discovered by Fortinet, whose researchers noticed some unusual SSH-related strings and decided to examine it. They spotted a self-propagation feature in the bot, implemented through a remote binary downloader, that was removed in mid-July. In later observed samples, the bot authors added extra layers of obfuscation to the strings, such as XOR encoding.

According to the researchers, RapperBot is based on the Mirai trojan, yet it differs from the original malware. Mirai spreads uncontrollably, infecting as many devices as possible, whereas RapperBot's propagation is more tightly controlled. The RapperBot botnet has already used over 3,500 unique IPs around the world to scan and attempt to brute-force Linux SSH servers. It comes with limited DDoS capabilities, and its operation is aimed at initial server access. It could also be used as a first step for lateral movement inside a network. The botnet functions as general IoT malware and targets different architectures, including SPARC, MIPS, and x86.

Of the multiple variants found, the latest feature a shell command that replaces the victim's SSH keys with the attacker's to establish persistence, which is maintained even after an SSH password reset. RapperBot also adds the attacker's SSH key to the host's ~/.ssh/authorized_keys to maintain access to the server between reboots. In the most recent samples, the bot adds the root user 'suhelper' on infected endpoints and creates a cron job that re-adds the user every hour in case the admin spots the account and deletes it.
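A defender's check for the persistence described above, as an added example that is not part of the original article or of Fortinet's research: it looks for extra UID 0 accounts such as 'suhelper', cron lines that name them, and authorized_keys entries outside an approved list. The sample file contents, the script path in the cron line and the key blobs are constructed for illustration.

```python
import re

# Constructed sample files (not from a real host), modelled on the persistence described above.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
suhelper:x:0:0::/:/bin/sh
alice:x:1000:1000::/home/alice:/bin/bash
"""
SAMPLE_CRON = """\
# m h dom mon dow user command
17 * * * * root run-parts --report /etc/cron.hourly
0 * * * * root /tmp/constructed-readd.sh suhelper
"""
SAMPLE_AUTH_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKnownAdminKeyConstructed admin@example
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABUnknownKeyConstructed
"""
KEY_TYPE = re.compile(r"^(ssh-|ecdsa-|sk-)")

def extra_uid0_accounts(passwd_text):
    """Return account names other than root whose UID field is 0."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            names.append(fields[0])
    return names

def cron_lines_naming(cron_text, accounts):
    """Return active (non-comment) cron lines that mention any flagged account."""
    hits = []
    for line in cron_text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            if any(re.search(rf"\b{re.escape(a)}\b", stripped) for a in accounts):
                hits.append(stripped)
    return hits

def unapproved_keys(auth_keys_text, approved_blobs):
    """Return key blobs in authorized_keys that are not on the approved list."""
    found = []
    for line in auth_keys_text.splitlines():
        tokens = [] if line.lstrip().startswith("#") else line.split()
        for i, tok in enumerate(tokens[:-1]):
            if KEY_TYPE.match(tok):  # options may precede the key type; quoted spaces not handled
                if tokens[i + 1] not in approved_blobs:
                    found.append(tokens[i + 1])
                break
    return found
```

On a real host, feed these functions the contents of /etc/passwd, the system and per-user crontabs, and each account's ~/.ssh/authorized_keys, with the approved list taken from your own key inventory.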