New Linux Malware Brute Force Credentials and Gain Access to SSH Servers

Since mid-June 2022, several cyberattacks have been carried out by a new botnet called RapperBot. The botnet mainly tries to establish a foothold on Linux SSH servers by brute-forcing its way in.

This new botnet, RapperBot is completely based on the Mirai trojan, which was discovered by the cybersecurity researchers at Fortinet. However, the behavior of this malware differs from the original malware’s normal behavior.

There is tighter control over RapperBot, and it has a limited DDoS capability as well. Typically, it is used to facilitate lateral movement within a network and is used as a stepping stone during this process.

Since its discovery, the new botnet has been in the public for about 1.5 months, and it has been scanning and brute-forcing Linux SSH servers around the world.

In newer variants, the attacker’s SSH keys were replaced with the victim’s by using a shell command. Furthermore, RapperBot installs an additional module called SSH key appending that adds the actor’s SSH key to the host: “~/.ssh/authorized_keys.”

Having this feature allows access to the server to be maintained even after a reboot or if the malware has been removed from the server.

In later samples, to ensure that they could remain undetectable the developers of the malware incorporated some additional layers of obfuscation to the strings, such as:-

• XOR encoding

Botnets are most typically used to launch DDoS attacks or to mine coins on the network. As RapperBot has a limited set of DDoS functionality, the authors of RapperBot haven’t made it very clear what their goal is.

Essentially, this threat can be mitigated easily because it relies on brute-forced SSH credentials as its primary propagation method. Here are some recommendations that you must implement in order to mitigate this malware:-

• Set a strong and unique passwords.
• Disable password authentication for SSH.