The botnet persists on the system even after attempts to remove it, but it does not harm the device.
A new botnet called “RapperBot” has been used in attacks since mid-2022, focusing on brute-forcing Linux SSH servers to gain a foothold on the device.
According to a report by Fortinet researchers, RapperBot is based on the Mirai trojan but differs from it in its tighter control and more limited capabilities. RapperBot is focused on initial access to the server, which can then be used as a springboard for lateral movement within the network.
In the 1.5 months since its discovery, the new botnet has used over 3,500 unique IP addresses around the world to scan and attempt to hack into Linux SSH servers.
“Unlike most Mirai variants that initially brute force Telnet servers with standard or weak passwords, RapperBot scans and attempts to brute force SSH servers configured to accept password authentication. Brute-force is based on a list of credentials loaded from C2 via unique host TCP requests,” the Fortinet report explains.
Experts noticed that RapperBot used a self-propagation mechanism through a remote binary file downloader, which was removed by attackers in mid-July.
The botnet also runs a shell command that replaces the victim’s SSH authorized keys with the attacker’s key, so the operators stay logged in even after the SSH password is changed, the device is rebooted, or the malware is removed.
In the most recent samples discovered, the bot adds a root-level user named “suhelper” to the compromised device and creates a cron job that re-adds the user every hour in case an administrator detects the account and removes it.
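As an added defensive example (not code from the Fortinet report or the article), the checks below flag the three persistence artifacts described above on constructed sample data: a second UID-0 account, a cron entry whose command creates a user, and an authorized_keys entry not on an allowlist. The file contents and the allowlist are constructed for the example.

```python
import re

# Constructed samples standing in for /etc/passwd, /etc/crontab and
# /root/.ssh/authorized_keys on a suspected host (not real captures).
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
suhelper:x:0:0::/:/bin/sh
"""
CRONTAB = """0 * * * * root useradd -u 0 -o -g 0 suhelper 2>/dev/null
30 2 * * * root /usr/bin/apt-get -y update
"""
AUTH_KEYS = """ssh-ed25519 AAAA_KNOWN_ADMIN_KEY admin@example
command="/bin/false" ssh-rsa AAAA_UNEXPECTED_KEY_BLOB
"""
KNOWN_KEYS = {"AAAA_KNOWN_ADMIN_KEY"}  # constructed allowlist of key blobs

USER_CMDS = re.compile(r"\b(useradd|adduser|usermod)\b")
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")

def extra_uid0_accounts(passwd_text):
    """Account names with UID 0 other than 'root' (e.g. 'suhelper')."""
    hits = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 3 and f[2] == "0" and f[0] != "root":
            hits.append(f[0])
    return hits

def user_creating_cron_entries(crontab_text):
    """Cron lines whose command creates or alters an account."""
    return [l for l in crontab_text.splitlines() if USER_CMDS.search(l)]

def unknown_authorized_keys(auth_text, known):
    """Key blobs in authorized_keys not on the allowlist; skips comments
    and tolerates leading key options such as command=... ."""
    unknown = []
    for line in auth_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = line.split()
        idx = next((i for i, p in enumerate(parts) if p.startswith(KEY_TYPES)), None)
        if idx is not None and idx + 1 < len(parts) and parts[idx + 1] not in known:
            unknown.append(parts[idx + 1])
    return unknown

if __name__ == "__main__":
    print(extra_uid0_accounts(PASSWD), user_creating_cron_entries(CRONTAB),
          unknown_authorized_keys(AUTH_KEYS, KNOWN_KEYS))
```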
Also, in more recent samples, the botnet operators have added further layers of string obfuscation, such as XOR encoding.
The goals of RapperBot are unclear; however, the removal of the self-propagation feature and the addition of persistence mechanisms suggest that the botnet operators are interested in selling the product to ransomware operators.
Fortinet analysts found no additional payloads after the compromise, so the malware simply exists on infected Linux hosts and lies dormant.