
Linux Malware ‘RapperBot’ Brute-forces SSH Servers

Obanla Opeyemi

August 9, 2022 - TuxCare expert team

Threat hunters at Fortinet have uncovered a new botnet called “RapperBot.” The malware, which has been in use since mid-June 2022, has targeted Linux SSH servers using brute force attempts to gain access to a device.

Brute force attacks essentially involve “guessing” usernames and passwords to gain unauthorized access to a system.

“Unlike the majority of Mirai variants, which natively brute force Telnet servers using default or weak passwords, RapperBot exclusively scans and attempts to brute force SSH servers configured to accept password authentication. The bulk of the malware code contains an implementation of an SSH 2.0 client that can connect and brute force any SSH server that supports Diffie-Hellman key exchange with 768-bit or 2048-bit keys and data encryption using AES128-CTR,” the Fortinet report states.

RapperBot is used to gain initial access to a server, which is then used for lateral movement within the network. RapperBot has only limited DDoS capabilities and was discovered by researchers in the wild.

According to the researchers, RapperBot has its own command and control (C2) protocols and other unique features.

To brute force systems, the malware uses a list of login credentials downloaded from the C2 host via unique TCP requests. If a login succeeds, the malware reports the result back to the C2.

The ongoing investigation also found that RapperBot uses a self-propagation mechanism via a remote binary downloader.

Newer strains of RapperBot use more sophisticated techniques to brute force systems. In recent samples, the bot adds a root user named “suhelper” on the compromised endpoint. It also creates a cron job that re-adds the user every hour, so the account reappears even if an admin discovers and deletes it.
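As an added defender-side example (not code from the article or from Fortinet), the Python below checks a host for the indicators this piece describes: a second UID-0 account such as “suhelper”, a cron job that re-creates a user every hour, and the sshd setting (password authentication enabled) that makes a server a RapperBot target in the first place. The sample /etc/passwd, crontab and sshd_config contents are constructed for the demonstration.

```python
import re

# Constructed sample inputs (not from the page); 'suhelper' is the account name Fortinet reported.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
suhelper:x:0:0::/:/bin/sh
alice:x:1000:1000:alice:/home/alice:/bin/bash
"""
SAMPLE_CRONTAB = """# m h dom mon dow command
0 * * * * /usr/sbin/useradd suhelper
*/30 * * * * /usr/bin/logrotate /etc/logrotate.conf
"""
SAMPLE_SSHD_CONFIG = """Port 22
# weak: password logins are exactly what RapperBot brute-forces
PasswordAuthentication yes
"""

def extra_root_accounts(passwd_text):
    """Return every UID-0 account other than 'root'; a second root is a backdoor indicator."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            hits.append(fields[0])
    return hits

USER_ADD_RE = re.compile(r"\b(useradd|adduser)\b")

def cron_user_creation_jobs(crontab_text):
    """Return cron entries that create a user, flagging those that fire once every hour."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)  # minute hour dom mon dow command
        if len(fields) == 6 and USER_ADD_RE.search(fields[5]):
            hits.append({"schedule": " ".join(fields[:5]), "command": fields[5],
                         "hourly": fields[1] == "*" and fields[0].isdigit()})
    return hits

def password_auth_enabled(config_text):
    """True when sshd_config leaves PasswordAuthentication on (OpenSSH's default if absent)."""
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "passwordauthentication":
            return parts[1].strip().lower() == "yes"  # sshd honours the first occurrence
    return True
```

Run the three functions against the real /etc/passwd, the root and system crontabs, and /etc/ssh/sshd_config; any hit from the first two warrants an incident response, and a True from the third means switching to key-only authentication.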

It is important to note that the intended use of RapperBot remains largely unknown, mainly because its DDoS functionality is limited, which is unusual for a botnet. So far, careful investigation shows only that the malware establishes itself on infected Linux machines and then lies dormant.

The sources for this piece include an article in Cybersecuritynews.
