Introduction:
RapperBot, a new Mirai variant, is the latest example of malware spreading through unusual or previously unknown attack vectors.
RapperBot first emerged last year as Internet of Things (IoT) malware that contained large amounts of Mirai source code but had significantly different capabilities from other Mirai variants. Differences included the use of a new command-and-control (C2) protocol and the built-in ability to brute-force SSH servers instead of the Telnet service commonly targeted by Mirai variants.
What is the matter?
Fortinet researchers who tracked the malware last year noticed its makers continually changing it, first by adding code to ensure persistence on compromised systems even after a reboot, and then by adding code for self-propagation through a remote binary downloader. The malware writers later removed the self-propagation feature and replaced it with one that gave them persistent remote access to brute-forced SSH servers.
Kaspersky researchers discovered a new RapperBot variant that surfaced in Q4 2022. This variant removes the SSH brute-force functionality and replaces it with functionality for targeting Telnet servers.
According to Kaspersky's analysis of the malware, it also has an "intelligent" and relatively unusual method for brute-forcing Telnet. Rather than brute-forcing with a large number of credentials, the malware analyzes the prompt it receives when it connects to a device over Telnet and, based on that prompt, selects the appropriate set of credentials for the brute-force attack. Compared with many other malware families, this greatly speeds up the brute-forcing process, according to Kaspersky.
"When you telnet to a device, you typically get a prompt," explains Jornt van der Wiel, a senior security researcher at Kaspersky. In RapperBot's case, the prompt can expose information that the malware uses to determine which kind of device it is attacking and which credentials to use.
He says RapperBot uses different credentials depending on the IoT device it attacks. “So it uses user/password set A for device A and user/password set B for device B,” explains van der Wiel. The malware then uses commands such as 'wget', 'curl' and 'ftpget' to download itself to the target system. If none of these methods succeeds, the malware falls back to downloading and installing itself on the device, according to Kaspersky.
RapperBot's brute-force technique is unusual, and van der Wiel says he is not aware of any other malware variants that use it.
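The prompt-aware credential selection described above has a practical consequence for defenders: a bot that picks the right credential list for the device needs far fewer attempts than a classic Mirai-style dictionary attack, so a detection rule tuned for hundreds of failures per source will miss it. The following Python snippet is an added example, not code from the article or from Kaspersky, that scans login events for short bursts of Telnet login failures from one source, counts the distinct usernames tried, and notes whether a successful login followed the burst. The log format and the sample lines are constructed for the example; real devices log Telnet logins in many different formats, so the regular expression would have to be adapted.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article or from any real device).
# The syslog-like format is an assumption made for this example.
SAMPLE_LOGS = """\
2023-06-01T10:00:01 router telnetd: login failed for user 'root' from 203.0.113.5
2023-06-01T10:00:02 router telnetd: login failed for user 'admin' from 203.0.113.5
2023-06-01T10:00:03 router telnetd: login failed for user 'support' from 203.0.113.5
2023-06-01T10:00:04 router telnetd: login failed for user 'user' from 203.0.113.5
2023-06-01T10:00:05 router telnetd: login failed for user 'guest' from 203.0.113.5
2023-06-01T10:00:06 router telnetd: login succeeded for user 'admin' from 203.0.113.5
2023-06-01T10:05:00 router telnetd: login failed for user 'alice' from 198.51.100.7
2023-06-01T10:06:30 router telnetd: login succeeded for user 'alice' from 198.51.100.7
"""

# Matches one constructed log line and captures timestamp, outcome, user and source IP.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ telnetd: login (?P<result>failed|succeeded) "
    r"for user '(?P<user>[^']*)' from (?P<src>\d+\.\d+\.\d+\.\d+)$"
)


def parse_lines(text):
    """Turn raw log text into a list of login events; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m.group("ts")),
            "result": m.group("result"),
            "user": m.group("user"),
            "src": m.group("src"),
        })
    return events


def detect_bruteforce(events, window=timedelta(seconds=60), min_failures=4):
    """Return {source_ip: details} for sources with at least `min_failures`
    failed logins inside any `window`, plus whether a success followed the burst.

    The threshold is deliberately low: a device-aware bot that picks the right
    credential list may need only a handful of attempts before it succeeds.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "failed"]

        # Sliding window over the failures: flag as soon as `min_failures`
        # of them fall within `window` seconds of each other.
        start = 0
        flagged = False
        for end in range(len(failures)):
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            if end - start + 1 >= min_failures:
                flagged = True
                break
        if not flagged:
            continue

        last_failure = failures[-1]["ts"]
        success_after = any(
            e["result"] == "succeeded" and e["ts"] >= last_failure for e in evs
        )
        alerts[src] = {
            "failed": len(failures),
            "usernames": sorted({e["user"] for e in failures}),
            "success_after_burst": success_after,
        }
    return alerts


if __name__ == "__main__":
    for src, info in detect_bruteforce(parse_lines(SAMPLE_LOGS)).items():
        print(src, info)
```

A burst that ends in a successful login (the `success_after_burst` flag) is the case worth escalating, since it indicates the device accepted one of the tried credentials; the distinct-username list shows whether the attempts look like a generic dictionary or a small, device-specific set.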
The Unseen Tactic:
RapperBot is one example of malware that uses unusual and often previously unknown tactics to spread, according to Kaspersky. Another example is Rhadamanthys, an information stealer offered as malware-as-a-service on Russian-language cybercriminal forums. The info-stealer is one of a growing number of malware families that attackers distribute through malicious advertisements.
Attackers post ads on online advertising platforms that contain malware or links to phishing sites. The ads often pose as legitimate software products or programs and contain keywords that make them appear higher in search engine results or on particular websites. Attackers have recently used this so-called “malvertising” to target users of popular password managers such as LastPass, Bitwarden, and 1Password.
The increasing success of malvertising scams is driving more attackers to adopt the tactic. For example, the creator of Rhadamanthys used phishing and spam emails as the initial infection vector before turning to malicious advertising. “Rhadamanthys is no different than any other malvertising campaign,” explains van der Wiel. Another trend identified by Kaspersky is the increased use of open-source malware by inexperienced attackers.
Consider CueMiner, a downloader for coin-mining malware that is available on GitHub. According to Kaspersky researchers, attackers spread it through trojanized copies of cracked software downloaded over BitTorrent or shared via OneDrive.
“It's open source, so anyone can download it and compile it,” van der Wiel explains. “These users are typically not highly skilled cybercriminals, so they have to rely on relatively simple infection mechanisms such as BitTorrent and OneDrive.”