A new botnet has been observed targeting Linux devices by brute-forcing weak or default credentials to gain access to SSH servers. Researchers said the botnet's persistence features and limited distributed denial-of-service (DDoS) capabilities set it apart from other IoT malware families and leave its primary motivation unclear.
The malware, named "RapperBot" by researchers because of a URL to a YouTube rap music video found embedded in older samples, has rapidly evolved in its capabilities since it was first discovered in mid-June. Since then, researchers said they have observed 3,500 unique IPs scanning and brute-forcing SSH servers with the botnet's client identification string, most of them in the U.S., Taiwan, and South Korea.
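The scanning and brute-forcing described above leaves a recognisable trail in sshd's syslog output. As an added example (not part of the original article or of Fortinet's analysis), the following Python flags source IPs that accumulate repeated failed logins inside a short window, records the usernames they tried, and notes whether a flagged source later authenticated successfully, which is the signal a defender most wants from a campaign like this. The log lines are constructed in the style of OpenSSH's `Failed password` / `Accepted` messages; the threshold, the window and the year (syslog timestamps carry none) are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH authentication result lines as written to syslog, e.g.
#   Jul 15 10:01:02 edge sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>[\w/-]+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)

# Constructed sample log (not real traffic): one source runs through a short
# credential list and finally gets in as "pi"; a second source fails twice,
# minutes apart; a third is an ordinary key-based login.
SAMPLE_LOG = """\
Jul 15 10:01:02 edge sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Jul 15 10:01:05 edge sshd[2203]: Failed password for root from 198.51.100.7 port 51240 ssh2
Jul 15 10:01:09 edge sshd[2205]: Failed password for invalid user support from 198.51.100.7 port 51248 ssh2
Jul 15 10:01:14 edge sshd[2207]: Failed password for invalid user user from 198.51.100.7 port 51252 ssh2
Jul 15 10:01:20 edge sshd[2209]: Failed password for pi from 198.51.100.7 port 51260 ssh2
Jul 15 10:01:26 edge sshd[2211]: Accepted password for pi from 198.51.100.7 port 51266 ssh2
Jul 15 10:03:41 edge sshd[2230]: Failed password for root from 203.0.113.9 port 40010 ssh2
Jul 15 10:08:12 edge sshd[2231]: Failed password for root from 203.0.113.9 port 40022 ssh2
Jul 15 10:09:00 edge sshd[2240]: Accepted publickey for alice from 192.0.2.5 port 55100 ssh2: ED25519 SHA256:constructedfingerprint
Jul 15 10:09:00 edge sshd[2240]: pam_unix(sshd:session): session opened for user alice by (uid=0)
""".splitlines()


def parse_line(line, year=2022):
    """Return a dict for authentication result lines, None for anything else.

    `year` is assumed because syslog timestamps omit it."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_brute_force(lines, threshold=5, window_s=60):
    """Flag sources with >= threshold failed logins inside any window_s-second span.

    Returns {ip: {"first_seen", "users", "succeeded", "compromised_user"}}."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    recent = defaultdict(list)   # ip -> failure timestamps still inside the window
    tried = defaultdict(set)     # ip -> usernames attempted (the attacker's credential list)
    flagged = {}
    for e in events:
        ip = e["ip"]
        if e["result"] == "Failed":
            tried[ip].add(e["user"])
            recent[ip].append(e["ts"])
            # slide the window: drop failures older than window_s
            while (e["ts"] - recent[ip][0]).total_seconds() > window_s:
                recent[ip].pop(0)
            if len(recent[ip]) >= threshold and ip not in flagged:
                flagged[ip] = {"first_seen": recent[ip][0], "succeeded": False,
                               "compromised_user": None}
        elif ip in flagged:
            # a successful login from an already-flagged source: the brute force worked
            flagged[ip]["succeeded"] = True
            flagged[ip]["compromised_user"] = e["user"]
    for ip, info in flagged.items():
        info["users"] = tried[ip]
    return flagged


if __name__ == "__main__":
    for ip, info in detect_brute_force(SAMPLE_LOG).items():
        status = f"SUCCEEDED as {info['compromised_user']}" if info["succeeded"] else "no success seen"
        print(f"{ip}: brute force from {info['first_seen']}, tried {sorted(info['users'])}, {status}")
```

Run against `/var/log/auth.log` (or `journalctl -u ssh -o short`), the same logic separates a noisy but failed scan from the case that needs an incident response: a source that burned through a credential list and then got an `Accepted`. On hosts with many legitimate failed logins, raise the threshold rather than the window.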
“We discovered that this malware family… is designed to function primarily as an SSH brute forcer with limited DDoS capabilities,” said Joie Salvio and Roy Tay with Fortinet’s Fortiguard Labs in an analysis this week. “As is typical of most IoT malware, it targets ARM, MIPS, SPARC, and x86 architectures.”
While the family borrows from the original Mirai source code, which has been publicly available since 2016 and has spawned many botnet variants, its features and implementation details differ significantly from other Mirai-based variants, researchers said. For instance, its built-in brute-force capability for SSH servers separates it from other IoT malware families and from Mirai itself, which instead brute-force Telnet services that rely on weak or default passwords.
The botnet has also undergone several changes over the past month. While earlier samples stored their strings in plaintext, later samples obfuscated them further and added a layer of XOR encoding to hide the strings from memory scanners during execution. In more recent samples the developers also added persistence code so that the threat actors keep access to infected devices via SSH even after a reboot, which researchers said is not typical of other Mirai variants.
“Apart from maintaining access to every SSH server that it brute forces, RapperBot is also very intent on retaining its foothold on any devices on which it is executed,” said researchers. “Samples from mid-July append the same aforementioned SSH key to the local "~/.ssh/authorized_keys" on the infected device upon execution. This allows RapperBot to maintain its access to these infected devices via SSH even after a device reboot or the removal of RapperBot from the device – something that is atypical to most Mirai variants.”
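Because the persistence mechanism is an extra line in `~/.ssh/authorized_keys`, the practical check is to compare every entry in that file against a baseline of approved key fingerprints. The following Python is an added example (not code from the article or from Fortinet) that parses authorized_keys lines including option prefixes, verifies that the declared key type matches the type embedded in the key blob, computes the SHA256 fingerprint in the form `ssh-keygen -l` prints, and reports any key that is not on the allowlist. The key material and the allowlist are constructed for the demo; the hypothetical `_fake_ed25519_blob` helper produces ed25519-shaped blobs, not real keys.

```python
import base64
import hashlib
import re
import struct

# Key types accepted in authorized_keys; anything before the type token is an
# options list (from=, command=, no-pty, ...), anything after the blob is a comment.
KEY_RE = re.compile(
    r"(?:^|\s)(?P<type>ssh-(?:ed25519|rsa|dss)|ecdsa-sha2-nistp(?:256|384|521)|sk-[\w.@-]+)"
    r"\s+(?P<b64>[A-Za-z0-9+/]+={0,2})(?:\s+(?P<comment>.*))?$"
)


def fingerprint(blob):
    """SHA256 fingerprint of a raw key blob, formatted like ssh-keygen -l output."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_key(line):
    """Parse one authorized_keys line; returns None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = KEY_RE.search(line)
    if not m:
        raise ValueError(f"unparseable authorized_keys line: {line!r}")
    blob = base64.b64decode(m["b64"], validate=True)
    # The wire blob starts with the key type as a length-prefixed SSH string;
    # it must agree with the declared type or the line is malformed or tampered.
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != m["type"].encode():
        raise ValueError(f"key type mismatch in line: {line!r}")
    return {
        "type": m["type"],
        "fingerprint": fingerprint(blob),
        "comment": (m["comment"] or "").strip(),
        "options": line[:m.start("type")].strip(),
    }


def audit_authorized_keys(text, approved_fingerprints):
    """Return the parsed entries whose fingerprint is not on the allowlist."""
    entries = filter(None, map(parse_authorized_key, text.splitlines()))
    return [e for e in entries if e["fingerprint"] not in approved_fingerprints]


# --- constructed demo data (not real keys) ---------------------------------
def _fake_ed25519_blob(label):
    """Hypothetical helper: an ed25519-shaped blob with 32 stand-in key bytes."""
    pub = hashlib.sha256(label).digest()
    return struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + pub


GOOD_KEY = base64.b64encode(_fake_ed25519_blob(b"ops-laptop")).decode()
ROGUE_KEY = base64.b64encode(_fake_ed25519_blob(b"appended-by-malware")).decode()

# What the file looks like after something appended an unexpected key.
AUTHORIZED_KEYS = f"""\
# managed by configuration management; every key below must be on the allowlist
ssh-ed25519 {GOOD_KEY} ops@laptop
from="10.0.0.0/8",no-pty ssh-ed25519 {GOOD_KEY} ops@laptop-restricted
ssh-ed25519 {ROGUE_KEY}
"""

# The baseline a defender keeps out-of-band, e.g. in configuration management.
APPROVED = {fingerprint(_fake_ed25519_blob(b"ops-laptop"))}

if __name__ == "__main__":
    for e in audit_authorized_keys(AUTHORIZED_KEYS, APPROVED):
        print("unapproved key:", e["type"], e["fingerprint"], repr(e["comment"]))
```

The fingerprints match what `ssh-keygen -lf ~/.ssh/authorized_keys` prints, so the allowlist can be built from that command on a known-clean host. Run the audit for every account on the device, not just the one the malware ran as, and include any alternative paths named by `AuthorizedKeysFile` in sshd_config.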
Additionally, while earlier samples carried a hardcoded brute-forcing credential list in the binary, later samples retrieved the list from another port on the C2 server, allowing the attackers to add SSH credentials without pushing updated binaries to infected devices. Researchers also found some samples in late July attempting to self-propagate after compromise through a remote binary downloader; however, this functionality was removed a few days later and has not been seen in more recent samples.
These "curious changes" have shrouded the botnet's motivations in mystery. RapperBot's limited DDoS capabilities (DDoS being the typical use of such botnets) and the absence of any additional payload delivered after a successful brute force have left researchers questioning whether its developers are more interested in growing the botnet for further nefarious purposes or simply in collecting compromised SSH devices.
“At one point, samples were observed where the DDoS attack capabilities were entirely removed and added back a week later,” said researchers. “Could the DDoS functionality have been retained for masquerading as a typical DDoS botnet to avoid drawing too much attention? It is also possible that this whole campaign is still a work in progress.”
Regardless of the botnet's motives, researchers recommend that end users set strong passwords for devices, or disable password authentication for SSH where possible, to cut off RapperBot's main propagation tactic: brute-forcing SSH credentials.
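Disabling password authentication has a well-known pitfall: `PasswordAuthentication no` on its own still lets sshd prompt for a password through keyboard-interactive (PAM) authentication unless that is switched off too, and sshd applies the first value it sees for each directive, so a later "fix" lower in the file is silently ignored. The following Python is an added example (not from the article or from Fortinet) that evaluates an sshd_config the way sshd does (first value wins, case-insensitive keywords, global section ends at the first `Match` block) and reports the settings that leave password brute-forcing open. It shows a weak configuration beside a hardened one; both are constructed, and the defaults are taken from sshd_config(5).

```python
import re

# OpenSSH defaults for the directives that matter here (sshd_config(5)).
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
    "maxauthtries": "6",
    "usepam": "no",
}
# ChallengeResponseAuthentication is the older spelling of the same directive.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# keyword, then either whitespace or an optional '=' with surrounding whitespace, then the argument
DIRECTIVE_RE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.+)$")

# Constructed example of a typical out-of-the-box appliance config.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
"""

# Constructed hardened counterpart: keys only, no password prompt of any kind.
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no   # same directive, older spelling, for old sshd builds
PermitEmptyPasswords no
MaxAuthTries 3
UsePAM yes
"""


def effective_settings(config_text):
    """Global settings as sshd applies them: the FIRST value for each keyword wins,
    keywords are case-insensitive, and a Match block ends the global section
    (its contents apply only to matching connections, so they are not examined here)."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"').lower()
        if key == "match":
            break
        settings.setdefault(ALIASES.get(key, key), value)
    return settings


def audit_sshd_config(config_text):
    """Return (Directive, problem) pairs for settings that keep password brute-forcing viable."""
    s = effective_settings(config_text)

    def get(key):
        return s.get(key, DEFAULTS[key])

    findings = []
    if get("passwordauthentication") == "yes":
        findings.append(("PasswordAuthentication", "password logins enabled; set to no and use keys"))
    if get("kbdinteractiveauthentication") == "yes" and get("usepam") == "yes":
        findings.append(("KbdInteractiveAuthentication",
                         "PAM keyboard-interactive still prompts for a password even with "
                         "PasswordAuthentication no; set it (or ChallengeResponseAuthentication) to no"))
    if get("permitrootlogin") == "yes":
        findings.append(("PermitRootLogin", "root can log in with a password; use prohibit-password or no"))
    if get("permitemptypasswords") == "yes":
        findings.append(("PermitEmptyPasswords", "empty passwords are accepted"))
    if get("passwordauthentication") == "yes" and int(get("maxauthtries")) > 3:
        findings.append(("MaxAuthTries", f"{get('maxauthtries')} guesses per connection while passwords "
                                         "are enabled; lower it"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"{label}: {audit_sshd_config(cfg) or 'no findings'}")
```

On a live host, feed the output of `sshd -T` (the effective configuration after all includes and defaults) to `audit_sshd_config` rather than the raw file, validate edits with `sshd -t` before reloading, and keep an existing key-based session open while you test the change so a mistake does not lock you out.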