Experts have cautioned that an old, well-known piece of malware has been cloned and is now being used to target Linux SSH servers.
This time around, unlike the initial infection, analysts don’t know exactly what the hackers are up to.
IoT malware containing unusual SSH-related strings was identified by Fortinet security researchers. Digging further, they discovered RapperBot, a variant of the notorious Mirai malware.
Is there a way to buy access?
As of June 2022, RapperBot has been observed on Linux SSH servers, which it breaks into by brute-forcing credentials.
Compared with Mirai, RapperBot has its own command and control (C2) protocol, as well as several characteristics that make it stand out.
Where Mirai's purpose was to spread to as many devices as possible and then use those machines to launch destructive DDoS attacks, RapperBot spreads in a more controlled way and has restricted (often even deactivated) DDoS capabilities.
According to the experts, the malware may be employed as the initial step of a multi-stage attack, or to gain access to target devices that can then be sold on the black market. They reached this conclusion because the Trojan sits passively once it has infiltrated a device.
The researchers also say the malware is highly active: in the previous month and a half it used more than 3,500 distinct IP addresses globally to scan and brute-force Linux SSH servers. To carry out a brute-force attack, the Trojan first obtains a list of credentials from its C2 using host-unique TCP requests. If it succeeds, it reports the findings back to the C2.
“Unlike the majority of Mirai variants, which natively brute force Telnet servers using default or weak passwords, RapperBot exclusively scans and attempts to brute force SSH servers configured to accept password authentication,” Fortinet explains. “The bulk of the malware code contains an implementation of an SSH 2.0 client that can connect and brute force any SSH server that supports Diffie-Hellman key exchange with 768-bit or 2048-bit keys and data encryption using AES128-CTR.”
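Because RapperBot only targets servers that accept password authentication, the defender-side signal is in sshd's own auth log. The following Python check is an added example (not code from Fortinet or from the article): it parses constructed sshd log lines, counts failed password logins per source address, flags sources over a threshold, and flags any source that succeeds with a password after failing, which is the pattern a brute-force login leaves behind.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines for this example (documentation-range IPs, not real indicators).
SAMPLE_LOG = """\
Jul 12 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 40122 ssh2
Jul 12 10:00:03 host sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
Jul 12 10:00:05 host sshd[1203]: Failed password for root from 203.0.113.5 port 40141 ssh2
Jul 12 10:00:06 host sshd[1204]: Failed password for root from 198.51.100.7 port 51000 ssh2
Jul 12 10:00:08 host sshd[1205]: Failed password for root from 203.0.113.5 port 40150 ssh2
Jul 12 10:00:09 host sshd[1206]: Accepted password for root from 203.0.113.5 port 40161 ssh2
Jul 12 10:00:10 host sshd[1207]: Failed password for pi from 192.0.2.9 port 33001 ssh2
Jul 12 10:00:11 host sshd[1208]: Accepted publickey for deploy from 192.0.2.20 port 44000 ssh2
"""

# Matches only password-based events; "invalid user" is optional, publickey logins do not match.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2"
)


def parse_password_auth(log_text):
    """Yield (result, user, ip) for every password-authentication event in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("ip")


def analyze(log_text, threshold=3):
    """Return (failures per source IP, sources at/over threshold,
    sources that logged in with a password after earlier failures)."""
    failures = defaultdict(int)
    success_after_failure = []
    for result, user, ip in parse_password_auth(log_text):
        if result == "Failed":
            failures[ip] += 1
        elif failures.get(ip, 0) > 0:
            # A password success following failures from the same source is the
            # strongest single indicator that a guessed credential worked.
            success_after_failure.append((ip, user))
    flagged = sorted(ip for ip, n in failures.items() if n >= threshold)
    return dict(failures), flagged, success_after_failure


if __name__ == "__main__":
    counts, flagged, compromised = analyze(SAMPLE_LOG)
    print("failures per source:", counts)
    print("sources over threshold:", flagged)
    print("password success after failures:", compromised)
```

A campaign spread across thousands of sources, as described above, will keep each address under a per-IP threshold, so the total number of distinct failing sources should be tracked as a second signal; disabling PasswordAuthentication in sshd_config removes the attack surface entirely.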