FortiGuard Labs recently reported on RapperBot, a malware family with a built-in capability to brute force credentials and gain access to SSH servers.
- RapperBot targets Linux-based IoT devices with ARM, MIPS, SPARC, and x86 architectures.
- RapperBot brute forces SSH server credentials and has limited DDoS capabilities.
- Newer variants of RapperBot allow threat actors to maintain persistence on a victim machine.
RapperBot is a malware family targeting Linux-based IoT devices and has been active since at least June 2022. It is based on Mirai, but unlike Mirai, it has a built-in capability to brute force credentials and gains access to SSH servers instead of using Telnet. RapperBot also has limited DDoS capabilities, leveraging plain UDP and TCP STOMP flood attacks.
According to FortiGuard Labs researchers, RapperBot’s developers appear to be adding code to maintain persistence. This gives threat actors continued access to victim machines via SSH, even if the device is rebooted or the malware is removed. Early RapperBot samples included an embedded URL to a rap music video that was not observed in later samples.
RapperBot is used primarily to brute force credentials, using an SSH 2.0 client that can brute force any SSH server implementing Diffie-Hellmann key exchange with 768-bit or 2048-bit keys and data encryption using AES128-CTR. RapperBot uses SSH-2.0-HELLOWORLD to identify itself to the targeted SSH server.
RapperBot uses TCP requests at separate ports to communicate with the C2 to receive commands, download credential lists, or send credentials. In the samples, FortiGuard analyzed, the port used was 443. Each request uses a 32-byte value hard coded as a bot ID. The bot IDs from the samples FortiGuard analyzed were:
- d4 1c 74 44 70 95 28 ff f0 98 ae 4e 6f 92 ba d5 0f cd 56 29 c5 12 53 a1 fe 46 53 c7 0b b5 18 27
- f6 b7 0b 00 14 77 35 f9 8d 6d 5d c4 bd 23 88 7e cf 5e 02 ce 54 5f e7 b1 e6 3f 2a 16 71 b6 eb
Some samples of RapperBot reported credentials to the C2 after successfully brute forcing a server without executing further commands on the victim machine. Other samples were self-propagated using a remote binary downloader post-compromise.
More recent samples no longer self-propagate but seek to maintain remote access on the victim machine. RapperBot does this by running a shell command to replace a remote victim’s ~/.ssh/authorized_keys with the threat actor’s SSH public key and with the comment “helloworld.” This allows threat actors to connect to and authenticate to an SSH server without using a password. RapperBot uses this method to maintain access to victim devices even if the device is rebooted or the malware itself is removed. Early samples had strings in plaintext, while later samples added obfuscation to strings by building them on the stack. This helps thwart analysis and detection, as the tools cannot extract human-readable strings from the binaries. Some RapperBot samples also used an additional layer of XOR encoding to hide strings from memory scanners.
PolySwarm has multiple samples of RapperBot.
You can use the following CLI command to search for all RapperBot samples in our portal:
$ polyswarm link list -f RapperBot
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at email@example.com | Check out our blog | Subscribe to our reports