Infosec researchers have identified a dangerous IoT (Internet of Things) malware, tracked as RapperBot. Analysis of the threat has revealed that its creators have used the source code of the infamous Mirai Botnet heavily. The Mirai threat was used in several high-profile attacks before its source code was leaked to the public in October 2016. Since then cybersecurity researchers have identified over 60 botnet and malware variants using Mirai as a basis. However, when it comes to RapperBot, the threat displays several major departures from the typical Mirai behavior.
Details about RapperBot were released in a report by security researchers recently. According to their findings, the threat has been active since June 2022 and is undergoing rapid development. The botnet threat uses brute-force tactics to gain a foothold on Linux SSH servers, unlike the more typical Mirai implementation of targeting Telnet servers.
According to the report, RapperBot is rapidly growing its enslaved SSH servers with over 3,500 unique IP addresses scanning the Internet and brute-forcing their way into new victims. RapperBot also appears to have left behind its Mira-like self-propagation techniques in favor of more persistence-based methods. As a result, the threat can remain on the infected system even after a reboot or an attempted removal by the victims.
Access to the breached servers is achieved via the addition of the operators' SSH public key. The key is injected into a specific file called '~/.ssh/authorized_keys.' Afterward, the threat actors will be able to freely connect to the server and authenticate using only the corresponding private key without the need to provide a password. This technique will maintain access to the server even if SSH credentials are updated or the SSH password authentication is disabled. In addition, by replacing the legitimate file, the cybercriminals have deleted all currently existing authorized keys, preventing legitimate users from successfully accessing the compromised SSH server via public key authentication.
The goals of RapperBot Malware's operators remain nebulous. For example, the threat actors remove the DDoS (Distributed Denial-of-Service) capabilities of the threat completely, just to reintroduce the latter, in a limited form.