A terrible new botnet is rapidly gaining momentum

A new variant of an infamous old Trojan horse has appeared and is being used to attack Linux SSH servers, experts warn.

However, unlike the original malware, whose purpose was quite clear, researchers still don't know exactly what the operators are doing.

Fortinet cybersecurity researchers detected IoT malware with unusual SSH strings, and after digging a little deeper, they discovered RapperBot, a variant of the dreaded Mirai Trojan.

Access to sell?

RapperBot was first deployed in mid-June 2022 and is used to brute force Linux SSH servers and gain persistence across endpoints.

RapperBot is heavily based on Mirai, but has its own command and control (C2) protocol, as well as some unique features.

But unlike Mirai, whose goal was to spread to as many devices as possible and then use those devices to mount devastating distributed denial of service (DDoS) attacks, RapperBot spreads with more control and has limited (sometimes even completely deactivated) DDoS capabilities.

The researchers' first impression is that the malware could be used for lateral movement within a target network and as the first stage of a multi-stage attack. It could also be used simply to gain access to target devices, which could then be sold on the black market. The researchers came to this conclusion, among other things, due to the fact that the Trojan remains inactive once it has compromised a device.

Regardless of the endgame, the Trojan is quite active, the researchers further claim, stating that over the past month and a half, it has used more than 3500 unique IP addresses worldwide to scan and brute force its way into Linux SSH servers. To launch a brute force attack, the Trojan first downloads a list of credentials from its C2, via single TCP requests to the host. If successful, it reports the results to C2.

"Unlike most Mirai variants, which natively brute force Telnet servers using default or weak passwords, RapperBot scans and attempts to brute force SSH servers configured to accept password authentication," Fortinet explains. "Most of the malware contains an implementation of an SSH 2.0 client that can log in and brute force any SSH server that supports Diffie-Hellman key exchange with 768-bit or 2048-bit keys and data encryption using AES128-CTR".
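As an added illustration (not code from the article or from Fortinet's report), the following Python script shows a defender-side check for the behaviour described above: it parses OpenSSH auth log lines, flags source IPs with repeated failed password logins, and flags a password login that succeeds from a source that was already failing, which is the outcome a brute forcer reports back to its C2. The log lines, IP addresses and usernames are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH auth.log format (not real log data).
SAMPLE_LOG = """\
Jun 20 10:01:02 host sshd[1201]: Failed password for root from 198.51.100.7 port 40022 ssh2
Jun 20 10:01:03 host sshd[1202]: Failed password for invalid user admin from 198.51.100.7 port 40023 ssh2
Jun 20 10:01:05 host sshd[1203]: Failed password for root from 198.51.100.7 port 40024 ssh2
Jun 20 10:01:06 host sshd[1204]: Failed password for root from 203.0.113.9 port 51000 ssh2
Jun 20 10:01:08 host sshd[1205]: Failed password for pi from 198.51.100.7 port 40025 ssh2
Jun 20 10:01:09 host sshd[1206]: Accepted password for pi from 198.51.100.7 port 40026 ssh2
Jun 20 10:05:00 host sshd[1207]: Accepted publickey for ops from 192.0.2.4 port 33000 ssh2
"""

# Matches the "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>" lines.
LINE_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse(log_text):
    """Yield a dict per sshd authentication line; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def analyze(log_text, threshold=3):
    """Return (noisy_ips, compromised): noisy_ips are sources with at least
    `threshold` failed password attempts; compromised lists (ip, user) pairs
    where a password login succeeded from a source that had already failed."""
    failures = defaultdict(int)
    compromised = []
    for ev in parse(log_text):
        if ev["method"] != "password":
            continue  # public-key logins are not what a password brute forcer produces
        if ev["result"] == "Failed":
            failures[ev["ip"]] += 1
        elif failures[ev["ip"]] > 0:
            compromised.append((ev["ip"], ev["user"]))
    noisy = sorted(ip for ip, n in failures.items() if n >= threshold)
    return noisy, compromised

if __name__ == "__main__":
    noisy_ips, hits = analyze(SAMPLE_LOG)
    print("brute-forcing sources:", noisy_ips)
    print("successful password logins after failures:", hits)
```

On a live host, `sshd -T | grep -i passwordauthentication` shows whether the server accepts password authentication at all; setting it to `no` in sshd_config removes the configuration this botnet targets.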

Via: BleepingComputer