RapperBot malware struck SSH Servers with brute-force attacks

August 17, 2022

The RapperBot botnet has been used by its operators to conduct brute-force attacks against its targets since a couple of months ago. The campaign's objective is to gain an initial foothold on Linux SSH servers and thereby access to the devices behind them.

The newly discovered botnet was uncovered by researchers who spotted some uncommon SSH-related strings. According to the analysis, the bot had a self-propagating function that relied on a remote binary downloader, which its operators removed last month.

Moreover, in later samples of RapperBot the developers added extra layers of string obfuscation.


RapperBot has shown signs that it was based on the Mirai trojan.


The study of the RapperBot sample showed that it overlaps with some of the Mirai trojan's capabilities. However, there are several apparent differences between the two malware strains. Mirai tends to spread uncontrollably from an infected system, whereas RapperBot's spread appears to be tightly controlled by its operators.

One and a half months after its identification, RapperBot had already used over 3,500 unique IPs worldwide to scan for and attempt to brute-force Linux SSH servers. The bot includes only limited distributed denial-of-service capabilities; its operation is focused on initial server access.

The attackers could also use the botnet as a first step for lateral movement across the infected network. Moreover, RapperBot functions as general-purpose IoT malware and targets several architectures, including MIPS, x86, and SPARC.

For persistence, the botnet's latest variant has a shell command feature that replaces the victim's SSH keys with the threat actor's keys. Because access then no longer depends on the password, this persistence survives an SSH password reset.

Subsequently, RapperBot adds the attacker's SSH key to the host to maintain access to the targeted server across reboots. The most recent sample showed that the bot also adds a root user on infected endpoints and creates a cron job that re-creates that user every hour, in case an administrator discovers the account and removes it.
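The three persistence artefacts described above (a foreign key in authorized_keys, an extra UID-0 account, and an hourly cron job that re-creates it) can be checked for on a host; the following is an added example, not code from the article or from any vendor's tooling, and it runs over constructed stand-ins for /etc/passwd, authorized_keys and /etc/crontab with an assumed allow-list of issued keys.

```python
import re

# Constructed sample inputs standing in for /etc/passwd, /root/.ssh/authorized_keys
# and /etc/crontab on a Linux host (not data from any real incident).
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
suhelper:x:0:0::/root:/bin/bash
"""
AUTHORIZED_KEYS = """ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEY1 alice@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCONSTRUCTEDKEY2 helpdesk
"""
CRONTAB = """0 3 * * * root /usr/bin/apt-get update
0 * * * * root useradd -u 0 -o -g 0 suhelper 2>/dev/null
"""
# Key blobs the organisation actually issued (assumed allow-list).
KNOWN_KEYS = {"AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEY1"}

def extra_uid0_accounts(passwd):
    """Return account names other than root whose UID is 0."""
    names = []
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            names.append(fields[0])
    return names

def unknown_keys(authorized_keys, known):
    """Return the comment of each authorized_keys entry whose key blob is not allow-listed."""
    found = []
    for line in authorized_keys.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1] not in known:
            found.append(parts[2] if len(parts) > 2 else "<no comment>")
    return found

SUSPICIOUS_CMD = re.compile(r"\b(useradd|adduser|usermod)\b|authorized_keys")

def suspicious_hourly_cron(crontab):
    """Return system crontab lines that fire every hour and touch accounts or SSH keys."""
    hits = []
    for line in crontab.splitlines():
        parts = line.split(None, 5)  # min hour dom mon dow, then "user command..."
        if len(parts) < 6 or parts[0].startswith("#"):
            continue
        if parts[1] == "*" and SUSPICIOUS_CMD.search(parts[5]):
            hits.append(line)
    return hits
```

On a real host, feed the functions the contents of the actual files and treat any hit as a reason to image the box rather than just delete the account.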

The latest botnets in the wild have shown the ability to carry out DDoS or coin-mining attacks. Organisations should therefore keep their applications and operating systems updated and fix known flaws to limit the damage these botnets can cause.
