An old, infamous trojan has been forked, with the new variant being used to attack Linux SSH servers, experts have warned.
However, unlike the original malware, whose purpose was quite clear, researchers are not yet sure what the operators are up to this time around.
Cybersecurity researchers from Fortinet detected IoT malware with unusual SSH-related strings, and after digging a bit deeper, discovered RapperBot, a variant of the dreaded Mirai trojan.
Access for sale?
RapperBot was first deployed in mid-June 2022, and is being used to brute-force into Linux SSH servers and gain persistence on the endpoints.
RapperBot borrows quite a lot from Mirai, but it does have its own command and control (C2) protocol, as well as certain unique features.
But unlike Mirai, whose goal was to spread to as many devices as possible, and then use those devices to mount devastating Distributed Denial of Service (DDoS) attacks, RapperBot is spreading with more control, and has limited (sometimes even completely disabled) DDoS capabilities.
The researchers’ first impression is that the malware might be used for lateral movement within a target network, and as the first stage in a multi-stage attack. It could also be used simply to gain access to the target devices, access which could later be sold on the black market. The researchers based this conclusion, among other things, on the fact that the trojan sits idle once it compromises a device.
Whatever the endgame is, the trojan is quite active, the researchers further claim, saying that in the past month and a half it used more than 3,500 unique IP addresses worldwide to scan and brute-force Linux SSH servers. To launch a brute-force attack, the trojan first downloads a list of credentials from its C2, via host-unique TCP requests. If it succeeds, it reports the results back to the C2.
“Unlike the majority of Mirai variants, which natively brute force Telnet servers using default or weak passwords, RapperBot exclusively scans and attempts to brute force SSH servers configured to accept password authentication,” Fortinet explains. “The bulk of the malware code contains an implementation of an SSH 2.0 client that can connect and brute force any SSH server that supports Diffie-Hellman key exchange with 768-bit or 2048-bit keys and data encryption using AES128-CTR.”
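A defender-side way to spot the password brute-forcing described above in OpenSSH auth logs, added here as an example that is not part of the original article or of Fortinet's research; the sample log lines, the regex and the failure threshold are constructed assumptions:

```python
import re
from collections import Counter, defaultdict

# Matches the password-auth outcome lines OpenSSH writes to the auth log.
# Key-based logins ("Accepted publickey") deliberately do not match.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log (not real traffic): one source hammering password
# auth with a credential list, a second one that eventually succeeds, and a
# normal key-based login that should be ignored.
SAMPLE_LOG = """\
Aug 10 12:00:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Aug 10 12:00:02 host sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Aug 10 12:00:03 host sshd[1203]: Failed password for root from 203.0.113.5 port 51236 ssh2
Aug 10 12:00:04 host sshd[1204]: Failed password for pi from 198.51.100.9 port 40001 ssh2
Aug 10 12:00:05 host sshd[1205]: Failed password for pi from 198.51.100.9 port 40002 ssh2
Aug 10 12:00:06 host sshd[1206]: Accepted password for pi from 198.51.100.9 port 40003 ssh2
Aug 10 12:00:07 host sshd[1207]: Accepted publickey for ops from 192.0.2.20 port 2222 ssh2
"""

def analyze(log_text, threshold=3):
    """Count password failures per source, flag sources at or above the
    threshold, and record any password login that followed failures from
    the same source (the trace a successful credential-list attack leaves)."""
    failures = Counter()
    users_tried = defaultdict(set)
    suspicious_logins = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue  # not a password-auth event
        ip, user, outcome = m["ip"], m["user"], m["outcome"]
        if outcome == "Failed":
            failures[ip] += 1
            users_tried[ip].add(user)
        elif failures[ip] > 0:
            suspicious_logins.append((ip, user, failures[ip]))
    return {
        "failures": dict(failures),
        "brute_force_sources": {ip: n for ip, n in failures.items() if n >= threshold},
        "suspicious_logins": suspicious_logins,
        "users_tried": {ip: sorted(u) for ip, u in users_tried.items()},
    }

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Because the bot spreads the scanning across thousands of source addresses, a per-source threshold catches only the noisiest ones; the suspicious_logins list, which needs no threshold, is the more reliable signal of a compromised account.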
Via: BleepingComputer