Linux Malware ‘RapperBot’ Brute-forces SSH Servers
Threat hunters at Fortinet have uncovered a new botnet called “RapperBot.” The malware, which has been in use since mid-June 2022, has targeted Linux SSH servers using brute force attempts to gain access to a device.
Brute force attacks essentially involve “guessing” usernames and passwords to gain unauthorized access to a system.
“Unlike the majority of Mirai variants, which natively brute force Telnet servers using default or weak passwords, RapperBot exclusively scans and attempts to brute force SSH servers configured to accept password authentication. The bulk of the malware code contains an implementation of an SSH 2.0 client that can connect and brute force any SSH server that supports Diffie-Hellman key exchange with 768-bit or 2048-bit keys and data encryption using AES128-CTR,” the Fortinet report states.
RapperBot is used to gain initial access to a server, which is then used for lateral movement within the network. RapperBot has only limited DDoS capabilities and was discovered by researchers in the wild.
According to the researchers, RapperBot has its own command and control (C2) protocols and other unique features.
To brute force systems, the malware uses a list of login credentials that it downloads from the C2 host via unique TCP requests. If a login succeeds, the malware reports the working credentials back to the C2.
The ongoing investigation also found that RapperBot includes a self-propagation mechanism based on a remote binary downloader.
New strains of RapperBot use more sophisticated techniques on brute-forced systems. In recent samples, the bot adds a root user named “suhelper” on the compromised endpoint. It also creates a cron job that re-adds the user every hour, so the account comes back even if an admin discovers and deletes it.
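As an added illustration (not from the article or from Fortinet's report), a small defender-side check for the persistence pattern just described: it scans /etc/passwd-style lines for a second UID-0 account and user-crontab entries for commands that create or edit accounts. The sample passwd and crontab contents are constructed; only the account name `suhelper` comes from the article.

```python
import re
from typing import Iterable, List

# Constructed sample of /etc/passwd and `crontab -l` output (not real host data).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
suhelper:x:0:0::/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

CRON_SAMPLE = """\
PATH=/usr/bin:/bin
0 * * * * /usr/sbin/useradd -o -u 0 -g 0 suhelper 2>/dev/null
0 3 * * * /usr/local/bin/backup.sh
@hourly echo 'suhelper:x:0:0::/root:/bin/bash' >> /etc/passwd
"""

# Commands in a cron entry that can (re)create an account or edit account files.
ACCOUNT_TAMPER_RE = re.compile(r"\b(useradd|adduser|usermod)\b|/etc/(passwd|shadow)\b")
# A user-crontab entry starts with five schedule fields or an @shortcut (e.g. @hourly);
# environment assignments such as PATH=... and comments do not match.
CRON_ENTRY_RE = re.compile(r"^(?:@\w+|(?:\S+\s+){5})\s*(?P<cmd>.+)$")


def extra_uid0_accounts(passwd_lines: Iterable[str]) -> List[str]:
    """Names of UID-0 accounts other than 'root' in /etc/passwd-style lines."""
    hits = []
    for line in passwd_lines:
        fields = line.strip().split(":")
        if len(fields) < 7 or line.lstrip().startswith("#"):
            continue
        name, uid = fields[0], fields[2]
        if uid.isdigit() and int(uid) == 0 and name != "root":
            hits.append(name)
    return hits


def suspicious_cron_entries(cron_lines: Iterable[str]) -> List[str]:
    """Cron entries whose command part creates a user or touches passwd/shadow."""
    hits = []
    for line in cron_lines:
        m = CRON_ENTRY_RE.match(line.strip())
        if m and ACCOUNT_TAMPER_RE.search(m.group("cmd")):
            hits.append(line.strip())
    return hits


if __name__ == "__main__":
    print("extra UID-0 accounts:", extra_uid0_accounts(PASSWD_SAMPLE.splitlines()))
    for entry in suspicious_cron_entries(CRON_SAMPLE.splitlines()):
        print("suspicious cron entry:", entry)
```

On a live host, feed it the contents of /etc/passwd and the output of `crontab -l` for each user (plus /etc/cron.d and /etc/crontab, which carry an extra user field not handled here).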
It is important to note that the purpose of RapperBot remains largely unknown, mainly because its DDoS functionality is so limited, which is unusual for a botnet. So far, careful investigation shows only that the malware nests and rests on the infected Linux machines.
The sources for this piece include an article in Cybersecuritynews.