Check the status of CVEs. Learn More.
Keeping your systems up 100% of the time requires live patching. Our solutions will align strongly with your risk, compliance, and operational uptime requirements.
TuxCare is trusted by the most innovative companies across the globe.
Our partner program is designed with flexibility in mind for partners who are at various stages of their business lifecycle. With financial investment and dedicated resources, you will continue to grow with TuxCare.
Would you like to work with a leader in open source and Linux security that values innovation and partnerships?
Partners receive benefits that are designed to reward the commitment that they have made to the sale of our products and services.
Learn about TuxCare's modern approach to reducing cybersecurity risk with Blogs, White Papers, and more.
Continually increasing Cybersecurity, stability, and availability of Linux servers and open source software since 2009.
August 9, 2022
linux, Vulnerability
Threat hunters at Fortinet have uncovered a new botnet called “RapperBot.” The malware, which has been in use since mid-June 2022, has targeted Linux SSH servers using brute force attempts to gain access to a device.
Brute force attacks essentially involve “guessing” usernames and passwords to gain unauthorized access to a system.
“Unlike the majority of Mirai variants, which natively brute force Telnet servers using default or weak passwords, RapperBot exclusively scans and attempts to brute force SSH servers configured to accept password authentication. The bulk of the malware code contains an implementation of an SSH 2.0 client that can connect and brute force any SSH server that supports Diffie Hellmann key exchange with 768-bit or 2048-bit keys and data encryption using AES128-CTR,” the Fortinet report states.
RapperBot is used to gain initial server access, which is then used to gain lateral movement within a network. RapperBot has limited DDoS capabilities and was discovered by researchers in the wild.
According to the researchers, RapperBot has its own command and control (C2) protocols and other unique features.
To brute force systems, the malware uses a list of login credentials downloaded from the C2 host-unique TCP requests. If successful, the malware then reports back to the C2.
As part of the ongoing investigation, RapperBot uses a self-propagation mechanism via a remote binary downloader.
New strains of RapperBot use sophisticated techniques to brute force systems. In recent examples, the bot adds the root user “suhelper” on the compromised endpoints. The bot also creates a Cron job that adds the user anew every hour if an admin discovers the account and deletes it.
It is important to note that the use of RapperBot remains largely unknown, mainly because its DDoS functionality is limited, which is very strange for botnets. However, a careful investigation shows that the malware only nests and rests on the infected Linux machines.
The sources for this piece include an article in Cybersecuritynews.
Tell us your challenges and our experts will help you find the best approach to address them with the TuxCare product line.
Tech Support
Login
Contact Us