Executive Summary
FortiGuard Labs recently reported on RapperBot, a malware family with a built-in capability to brute force credentials and gain access to SSH servers.
Key Takeaways
- RapperBot targets Linux-based IoT devices with ARM, MIPS, SPARC, and x86 architectures.
- RapperBot brute forces SSH server credentials and has limited DDoS capabilities.
- Newer variants of RapperBot allow threat actors to maintain persistence on a victim machine.
RapperBot is a malware family targeting Linux-based IoT devices and has been active since at least June 2022. It is based on Mirai, but unlike Mirai, it has a built-in capability to brute force credentials and gains access to SSH servers instead of using Telnet. RapperBot also has limited DDoS capabilities, leveraging plain UDP and TCP STOMP flood attacks.
According to FortiGuard Labs researchers, RapperBot’s developers appear to be adding code to maintain persistence. This gives threat actors continued access to victim machines via SSH, even if the device is rebooted or the malware is removed. Early RapperBot samples included an embedded URL to a rap music video that was not observed in later samples.
RapperBot is used primarily to brute force credentials, using an SSH 2.0 client that can brute force any SSH server implementing Diffie-Hellmann key exchange with 768-bit or 2048-bit keys and data encryption using AES128-CTR. RapperBot uses SSH-2.0-HELLOWORLD to identify itself to the targeted SSH server.
RapperBot uses TCP requests at separate ports to communicate with the C2 to receive commands, download credential lists, or send credentials. In the samples, FortiGuard analyzed, the port used was 443. Each request uses a 32-byte value hard coded as a bot ID. The bot IDs from the samples FortiGuard analyzed were:
- d4 1c 74 44 70 95 28 ff f0 98 ae 4e 6f 92 ba d5 0f cd 56 29 c5 12 53 a1 fe 46 53 c7 0b b5 18 27
- f6 b7 0b 00 14 77 35 f9 8d 6d 5d c4 bd 23 88 7e cf 5e 02 ce 54 5f e7 b1 e6 3f 2a 16 71 b6 eb
Some samples of RapperBot reported credentials to the C2 after successfully brute forcing a server without executing further commands on the victim machine. Other samples were self-propagated using a remote binary downloader post-compromise.
More recent samples no longer self-propagate but seek to maintain remote access on the victim machine. RapperBot does this by running a shell command to replace a remote victim’s ~/.ssh/authorized_keys with the threat actor’s SSH public key and with the comment “helloworld.” This allows threat actors to connect to and authenticate to an SSH server without using a password. RapperBot uses this method to maintain access to victim devices even if the device is rebooted or the malware itself is removed. Early samples had strings in plaintext, while later samples added obfuscation to strings by building them on the stack. This helps thwart analysis and detection, as the tools cannot extract human-readable strings from the binaries. Some RapperBot samples also used an additional layer of XOR encoding to hide strings from memory scanners.
IOCs
PolySwarm has multiple samples of RapperBot.
05c78eaf32af9647f178dff981e6e4e43b1579d95ccd4f1c2f1436dbfa0727ad
1975851c916587e057fa5862884cbac3fa1e80881ddd062392486f5390c86865
23256f231f3d91b0136b44d649b924552607a29b43a195024dbe6cde5b4a28ad
23a415d0ec6d3131f1d537836d3c0449097e98167b18fbdbf2efca789748818a
2479932a6690f070fa344e5222e3fbb6ad9c880294d5b822d7a3ec27f1b8b8d5
55ff25b090dc1b380d8ca152428ba28ec14e9ef13a48b3fd162e965244b0d39b
77b2e5fb5b72493bde35a6b29a66e6250b6a5a0c9b9c5653957f64a12c793cd5
8380321c1bd250424a0a167e0f319511611f73b53736895a8d3a2ad58ffcd5d5
88bbb772b8731296822646735aacbfb53014fbb7f90227b44523d7577e0a7ce6
8e9f87bb25ff83e4ad970366bba47afb838028f7028ea3a7c73c4d08906ec102
92ae77e9dd22e7680123bb230ce43ef602998e6a1c6756d9e2ce5822a09b37b4
9d234e975e4df539a217d1c4386822be1f56cea35f7dd2aa606ae4995894da42
A31f4caa0be9e588056c92fd69c8ac970ebc7e85a68615b1d9407a954d4df45d
C83f318339e9c4072010b625d876558d14eaa0028339db9edf12bbcafe6828bb
D86d158778a90f6633b41a10e169b25e3cb1eb35b369a9168ec64b2d8b3cbeec
Dcdeedee4736ec528d1a30a585ec4a1a4f3462d6d25b71f6c1a4fef7f641e7ae
Ddf5aff0485f395c7e6c3de868b15212129962b4b9c8040bef6679ad880e3f31
E8f1e8ec6b94ea54488d5f714e71e51d58dcdfe4be3827c55970d6f3b06edf73
Ebb860512a55c1cdc8be1399eec44c4481aedb418f15dbda4612e6d38e9b9010
F5ff9d1261af176d7ff1ef91aa8c892c70b40caa02c17a25de22539e9d0cdd26
ff09cf7dfd1dc1466815d4df098065510eec504099ebb02b830309067031fe04
You can use the following CLI command to search for all RapperBot samples in our portal:
$ polyswarm link list -f RapperBot
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports