August 9, 2022 - TuxCare expert team
Threat hunters at Fortinet have uncovered a new botnet called “RapperBot.” The malware, which has been in use since mid-June 2022, has targeted Linux SSH servers using brute force attempts to gain access to a device.
Brute force attacks essentially involve “guessing” usernames and passwords to gain unauthorized access to a system.
“Unlike the majority of Mirai variants, which natively brute force Telnet servers using default or weak passwords, RapperBot exclusively scans and attempts to brute force SSH servers configured to accept password authentication. The bulk of the malware code contains an implementation of an SSH 2.0 client that can connect and brute force any SSH server that supports Diffie-Hellman key exchange with 768-bit or 2048-bit keys and data encryption using AES128-CTR,” the Fortinet report states.
RapperBot is used to gain initial server access, which is then used for lateral movement within a network. RapperBot has limited DDoS capabilities and was discovered by researchers in the wild.
According to the researchers, RapperBot has its own command and control (C2) protocols and other unique features.
To brute force systems, the malware uses a list of login credentials downloaded from the C2 host through its own unique TCP requests. If a login succeeds, the malware reports the result back to the C2.
The ongoing investigation also found that RapperBot uses a self-propagation mechanism based on a remote binary downloader.
Newer strains of RapperBot use more sophisticated techniques once a system has been brute forced. In recent samples, the bot adds a root-privileged user named “suhelper” on the compromised endpoint. It also creates a cron job that re-creates the user every hour, so the account returns even if an administrator discovers and deletes it.
It is important to note that the purpose of RapperBot remains largely unknown, mainly because its DDoS functionality is limited, which is unusual for a botnet. However, careful investigation shows that the malware does little more than establish and maintain a foothold on the infected Linux machines.
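As an added defender-side example (not code from TuxCare or Fortinet), the following Python checks a host for the three observables described above: an extra UID-0 account such as “suhelper”, a cron entry that re-creates an account on a schedule, and an sshd configuration that still accepts password authentication. The file contents and the exact useradd command are constructed for illustration, not taken from the report.

```python
import re

# Constructed sample inputs; the "suhelper" name is the one the report describes.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
suhelper:x:0:0::/home/suhelper:/bin/bash
"""
SAMPLE_CRONTAB = """# m h dom mon dow command
0 * * * * /usr/sbin/useradd -o -u 0 -g 0 suhelper
*/15 * * * * /usr/bin/apt-get update -q
"""
SAMPLE_SSHD_CONFIG = """Port 22
PasswordAuthentication yes
PermitRootLogin prohibit-password
"""

def extra_uid0_accounts(passwd_text, allowed=("root",)):
    """Return account names with UID 0 other than the allowed ones."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[2] == "0" and fields[0] not in allowed:
            hits.append(fields[0])
    return hits

USER_ADD_RE = re.compile(r"\b(useradd|adduser)\b")

def cron_user_creation(crontab_text):
    """Return cron commands that (re)create accounts, e.g. an hourly useradd."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 5)  # five schedule fields, then the command
        if len(parts) == 6 and USER_ADD_RE.search(parts[5]):
            hits.append(parts[5])
    return hits

def password_auth_enabled(sshd_config_text):
    """True if sshd accepts passwords; first directive wins, default is yes."""
    for line in sshd_config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"PasswordAuthentication\s+(\S+)", line, re.IGNORECASE)
        if m:
            return m.group(1).lower() == "yes"
    return True
```

On a real host, feed the checks the contents of /etc/passwd, the system and per-user crontabs, and /etc/ssh/sshd_config; a UID-0 account you did not create together with a scheduled useradd is exactly the persistence pattern described above.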
The sources for this piece include an article in Cybersecuritynews.