‘RapperBot’ Botnet Uses Brute Force To Gain Access To Linux SSH Servers


Threat hunters at Fortinet have discovered a new botnet called “RapperBot” that brute-forces its way into Linux SSH servers.

The botnet has used more than 3,500 unique IP addresses worldwide to scan and brute-force Linux SSH servers since it was first used in attacks in mid-June 2022.

RapperBot was discovered after researchers noticed that the IoT malware had some unusual SSH-related strings. Further research shows that RapperBot is a Mirai fork that comes with its own command and control (C2) protocol, unique features and atypical (for a botnet) post-compromise activity.

To brute-force SSH, the botnet relies on a list of credentials downloaded from the C2 via host-unique TCP requests, which are reported back to the C2 after intrusion.

“Unlike the majority of Mirai variants, which natively brute force Telnet servers using default or weak passwords, RapperBot exclusively scans and attempts to brute force SSH servers configured to accept password authentication. The bulk of the malware code contains an implementation of an SSH 2.0 client that can connect and brute force any SSH server that supports Diffie-Hellman key exchange with 768-bit or 2048-bit keys and data encryption using AES128-CTR,” the Fortinet report states.
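Because the botnet only targets servers that still accept passwords, the two defender-side checks that matter are whether sshd permits password authentication at all and whether the auth log shows a credential-list spray followed by a successful password login. The following is an added example, not code from Fortinet or the original article; it assumes the standard OpenSSH log line format and uses constructed sample lines and config fragments.

```python
import re
from collections import defaultdict

# Matches OpenSSH sshd auth-log lines (syslog/journal format on most Linux systems).
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

def analyse_ssh_auth(lines, threshold=5):
    """Return (brute_forcers, compromised): {ip: set(users)} for sources with
    >= threshold failed password logins, and (ip, user) pairs where a password
    login succeeded after earlier failures from the same source (a guess worked)."""
    failures = defaultdict(list)          # source IP -> usernames tried
    compromised = []
    for line in lines:
        m = SSHD_RE.search(line)
        if not m:                         # publickey logins etc. are ignored
            continue
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            failures[ip].append(user)
        elif failures[ip]:
            compromised.append((ip, user))
    brute_forcers = {ip: set(u) for ip, u in failures.items() if len(u) >= threshold}
    return brute_forcers, compromised

def password_auth_enabled(sshd_config):
    """True if the config still accepts passwords (OpenSSH default is yes;
    commented lines are ignored, Match blocks are not evaluated)."""
    enabled = True
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.lower().startswith("passwordauthentication"):
            enabled = line.split()[-1].lower() == "yes"
    return enabled

# Constructed sample log: one source spraying a short credential list, then succeeding.
SAMPLE_LOG = [
    "Jul 14 03:12:01 srv sshd[4101]: Failed password for root from 198.51.100.7 port 51022 ssh2",
    "Jul 14 03:12:02 srv sshd[4102]: Failed password for invalid user admin from 198.51.100.7 port 51030 ssh2",
    "Jul 14 03:12:03 srv sshd[4103]: Failed password for invalid user pi from 198.51.100.7 port 51041 ssh2",
    "Jul 14 03:12:04 srv sshd[4104]: Failed password for root from 198.51.100.7 port 51055 ssh2",
    "Jul 14 03:12:05 srv sshd[4105]: Failed password for ubnt from 198.51.100.7 port 51060 ssh2",
    "Jul 14 03:12:06 srv sshd[4106]: Accepted password for root from 198.51.100.7 port 51071 ssh2",
    "Jul 14 03:15:20 srv sshd[4120]: Accepted publickey for alice from 203.0.113.9 port 40013 ssh2",
]
WEAK_CONFIG = "#PasswordAuthentication no\n"        # commented out: default (yes) applies
HARDENED_CONFIG = "PasswordAuthentication no\nKbdInteractiveAuthentication no\nPubkeyAuthentication yes\n"
```

On a real host, feed `journalctl -u ssh` or `/var/log/auth.log` into `analyse_ssh_auth` and the live `/etc/ssh/sshd_config` into `password_auth_enabled`; a success-after-failures hit is the event worth alerting on.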

The goal of RapperBot, however, remains unknown, as the authors kept its DDoS functionality limited and at one point even removed it and then re-introduced it.

However, the elimination of self-propagation and the addition of persistence and detection avoidance mechanisms show that the operators of the botnet might be interested in selling initial access to ransomware actors.

The sources for this piece include an article in BleepingComputer.
