Since mid-June 2022, several cyberattacks have been carried out by a new botnet called RapperBot. The botnet mainly tries to establish a foothold on Linux SSH servers by brute-forcing its way in.
This new botnet, RapperBot is completely based on the Mirai trojan, which was discovered by the cybersecurity researchers at Fortinet. However, the behavior of this malware differs from the original malware’s normal behavior.
There is tighter control over RapperBot, and it has a limited DDoS capability as well. Typically, it is used to facilitate lateral movement within a network and is used as a stepping stone during this process.
Since its discovery, the new botnet has been in the public for about 1.5 months, and it has been scanning and brute-forcing Linux SSH servers around the world.
RapperBot: A Mirai-based Botnet
There were several components of RapperBot that made it one of the most interesting forks of Mirai, and they were:-
- C2 protocol
- Unique features
- Typical post-compromise activity
RapperBot is very different from the majority of Mirai variants in that it scans only SSH servers that require password authentication and tries to brute force them.
According to the Fortinet report, There is a large amount of code within the malware that implements an SSH 2.0 client which forms the bulk of the malware code. There are a number of SSH servers that support Diffie-Hellmann key exchanges, and this can be used to connect to them and brute force them with the following keys:-
- 768-bit keys
- 2048-bit keys
- AES128-CTR (For data encryption)
Through host-unique TCP requests, a list of credentials is downloaded from the C2, and the SSH brute-forcing depends on this downloaded list. While a malware report will be sent back to the C2 once it has successfully completed the task.
In newer variants, the attacker’s SSH keys were replaced with the victim’s by using a shell command. Furthermore, RapperBot installs an additional module called SSH key appending that adds the actor’s SSH key to the host: “~/.ssh/authorized_keys.”
Having this feature allows access to the server to be maintained even after a reboot or if the malware has been removed from the server.
In later samples, to ensure that they could remain undetectable the developers of the malware incorporated some additional layers of obfuscation to the strings, such as:-
- XOR encoding
Botnets are most typically used to launch DDoS attacks or to mine coins on the network. As RapperBot has a limited set of DDoS functionality, the authors of RapperBot haven’t made it very clear what their goal is.
Essentially, this threat can be mitigated easily because it relies on brute-forced SSH credentials as its primary propagation method. Here are some recommendations that you must implement in order to mitigate this malware:-
- Set a strong and unique passwords.
- Disable password authentication for SSH.