AL2022_47 RapperBot Malware targeting Linux Servers (8th August 2022)

Description  

RapperBot, a new IoT (Internet of Things) botnet malware, has been observed rapidly developing its capabilities. Although this malware family closely mirrors the original Mirai source code, what sets it apart from other IoT malware families is that it brute-forces credentials against SSH servers rather than the Telnet services Mirai targeted.

Summary  

RapperBot is believed to have amassed a growing collection of compromised SSH servers, with more than 3,500 distinct IP addresses observed scanning for and brute-forcing SSH servers on its behalf. The malware gets its name from a URL to a YouTube rap music video that was embedded in an earlier version.

The way RapperBot is currently implemented distinguishes it from Mirai and enables it to primarily serve as an SSH brute-force tool with limited DDoS (Distributed Denial of Service) attack capabilities. 

Its attempts to establish persistence on the compromised host are a further departure from standard Mirai behavior, and in practice let the threat actor retain access even after the malware itself has been removed or the device has been restarted.

How it works  

The attacks use a list of credentials fetched from a remote server to brute-force potential targets. When a vulnerable SSH server is successfully breached, the working credentials are sent back to the command-and-control server. RapperBot has shifted its focus from self-propagation to maintaining remote access to the SSH servers it has brute-forced.

To do so, it writes the operators' SSH public key into the compromised account's ~/.ssh/authorized_keys file. This lets the attacker log in and authenticate to the server with the matching private key, without ever supplying a password.

As a result, the threat actors keep their access to the compromised servers even after the owners change the SSH password or disable SSH password authentication altogether.

Because the file is overwritten rather than appended to, every key that was previously authorized is removed, so legitimate users who relied on public key authentication can no longer log in.

This persistence keeps the malware's SSH access to the compromised systems alive and gives the actor a foothold from which to launch denial-of-service attacks, much like Mirai.
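The two symptoms described above, an unapproved key appearing in authorized_keys and an account whose approved keys have all vanished because the file was replaced wholesale, can be checked for directly. The script below is an added example, not code from the advisory or from the malware analysis it summarises; it compares each account's authorized_keys contents against an allowlist of approved SHA256 key fingerprints. The user names, key bodies and file contents are constructed for the example (the base64 bodies are placeholders, not real public keys).

```python
"""Audit authorized_keys contents against an allowlist of approved key fingerprints.

Added example, not code from the advisory or from the malware report it summarises.
It looks for the two symptoms described above: an unapproved key present in the
file, and an account whose approved keys have all vanished because the file was
replaced wholesale. The key bodies below are constructed placeholders, not real
public keys; only their SHA256 fingerprints matter for the check.
"""
import base64
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Prefixes of the key-type token that starts the key itself; any options
# (from=, command=, ...) precede this token on the line.
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def fingerprint(line: str) -> Optional[str]:
    """Return the OpenSSH-style SHA256 fingerprint of one authorized_keys line,
    or None for blank lines, comments and lines with no decodable key."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    for i, token in enumerate(fields):
        if token.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(fields):
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                return None
            digest = base64.b64encode(hashlib.sha256(blob).digest()).decode()
            return "SHA256:" + digest.rstrip("=")  # same form as ssh-keygen -lf
    return None


@dataclass
class Finding:
    user: str
    severity: str
    detail: str


def audit(files: Dict[str, str], approved: Dict[str, Set[str]]) -> List[Finding]:
    """files maps a user name to the text of its authorized_keys file;
    approved maps a user name to the fingerprints allowed in that file."""
    findings: List[Finding] = []
    for user, text in files.items():
        wanted = approved.get(user, set())
        present: Set[str] = set()
        for lineno, line in enumerate(text.splitlines(), 1):
            fp = fingerprint(line)
            if fp is None:
                continue
            present.add(fp)
            if fp not in wanted:
                findings.append(Finding(user, "high",
                                        f"line {lineno}: key {fp} is not approved for this account"))
        missing = wanted - present
        if wanted and present and not (wanted & present):
            # The RapperBot pattern: file overwritten, so only foreign keys remain.
            findings.append(Finding(user, "critical",
                                    "all approved keys are gone and only unapproved keys remain; "
                                    "the file was replaced rather than appended to"))
        elif missing:
            findings.append(Finding(user, "medium", f"{len(missing)} approved key(s) missing"))
    return findings


def _blob(label: str) -> str:
    """Constructed stand-in for the base64 key body of a public key."""
    return base64.b64encode(b"constructed-key-blob:" + label.encode()).decode()


# Constructed sample data: what an administrator would load from /root/.ssh and
# /home/*/.ssh/authorized_keys, plus an allowlist kept out of band.
ROOT_ADMIN = f"ssh-ed25519 {_blob('root-admin')} admin@bastion"
ROOT_BACKUP = f'from="10.0.0.5",no-pty ssh-rsa {_blob("root-backup")} backup@nas'
DEPLOY_CI = f"ssh-ed25519 {_blob('deploy-ci')} ci@runner"
OPS_LAPTOP = f"ssh-ed25519 {_blob('ops-laptop')} ops@laptop"
INTRUDER = f"ssh-rsa {_blob('intruder')} unknown"

APPROVED = {
    "root": {fingerprint(ROOT_ADMIN), fingerprint(ROOT_BACKUP)},
    "deploy": {fingerprint(DEPLOY_CI)},
    "ops": {fingerprint(OPS_LAPTOP)},
}
SAMPLE_FILES = {
    "root": INTRUDER + "\n",                                  # replaced wholesale
    "deploy": DEPLOY_CI + "\n# rotated\n" + INTRUDER + "\n",  # foreign key appended
    "ops": OPS_LAPTOP + "\n",                                 # untouched
}

if __name__ == "__main__":
    for f in audit(SAMPLE_FILES, APPROVED):
        print(f"[{f.severity}] {f.user}: {f.detail}")
```

The fingerprints match what `ssh-keygen -lf` prints, so the allowlist can be built from existing key inventory without running this script on the keys themselves. The "critical" case is the one to alert on first: a file whose every approved key has disappeared has been rewritten, not merely extended.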

Remediation  

It is recommended that users set strong passwords on their devices or, where possible, disable SSH password authentication entirely in favour of public key authentication. Because RapperBot installs its backdoor by rewriting ~/.ssh/authorized_keys, administrators should also review those files for keys they do not recognize, and for approved keys that have gone missing.

It is also recommended that MFA (Multi-Factor Authentication) be set up for SSH users. A step-by-step tutorial can be found at the following URL: https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-16-04
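To verify that the settings recommended above are actually in effect, the check below reads the output of `sshd -T`, which prints every effective keyword in lowercase, one per line, and flags password authentication left enabled, AuthenticationMethods that do not enforce a second factor, and a generous MaxAuthTries (the last is an extra brute-force check added here, not one the advisory names). This is an added example, not code from the advisory or the linked tutorial; the WEAK and HARDENED samples are constructed so it runs offline, and the live path assumes it is run as root.

```python
"""Check an OpenSSH server's effective configuration for the remediation above.

Added example, not from the advisory or from the linked tutorial. It reads the
output of `sshd -T` (every effective keyword, lowercased, one per line) and
flags the settings that leave a server open to credential brute-forcing or
without MFA. The two sample outputs are constructed here so the check runs
offline; the live path needs root because sshd -T reads the host keys.
"""
import subprocess
from typing import Dict, List

# sshd_config directives that produce the HARDENED output below, following the
# MFA tutorial linked above (a PAM module supplies the second factor):
#   PasswordAuthentication no
#   KbdInteractiveAuthentication yes   # ChallengeResponseAuthentication on older OpenSSH
#   AuthenticationMethods publickey,keyboard-interactive
#   MaxAuthTries 3
WEAK = """\
port 22
passwordauthentication yes
kbdinteractiveauthentication no
authenticationmethods any
maxauthtries 6
"""
HARDENED = """\
port 22
passwordauthentication no
kbdinteractiveauthentication yes
authenticationmethods publickey,keyboard-interactive
maxauthtries 3
"""


def parse_sshd_t(text: str) -> Dict[str, List[str]]:
    """Map each keyword to its values (some keywords, e.g. hostkey, repeat)."""
    cfg: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        cfg.setdefault(keyword.lower(), []).append(value.strip())
    return cfg


def check(cfg: Dict[str, List[str]]) -> List[str]:
    """Return one human-readable problem per weak setting; empty means compliant."""
    problems: List[str] = []

    if cfg.get("passwordauthentication", ["yes"])[0] == "yes":
        problems.append("PasswordAuthentication is yes: credential lists can be brute-forced; "
                        "set 'PasswordAuthentication no' and use public keys")

    # Every alternative chain listed in AuthenticationMethods must require both a
    # key and the keyboard-interactive (PAM/OTP) step; 'any' means no MFA at all.
    methods = cfg.get("authenticationmethods", ["any"])[0]
    chains = [chain.split(",") for chain in methods.split()]
    if methods == "any" or not all(
        "publickey" in chain and any(m.startswith("keyboard-interactive") for m in chain)
        for chain in chains
    ):
        problems.append("AuthenticationMethods does not require publickey plus "
                        "keyboard-interactive: no second factor is enforced")

    tries = int(cfg.get("maxauthtries", ["6"])[0])
    if tries > 3:
        problems.append(f"MaxAuthTries is {tries}: allows several guesses per connection; lower it to 3")

    return problems


def audit_live() -> List[str]:
    """Run the check against this host (requires root for `sshd -T`)."""
    out = subprocess.run(["sshd", "-T"], capture_output=True, text=True, check=True).stdout
    return check(parse_sshd_t(out))


if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{name}: {check(parse_sshd_t(sample)) or ['ok']}")
```

Run `audit_live()` on the server itself rather than reading sshd_config by hand: `sshd -T` resolves Include files and Match blocks, so it reports what the daemon will actually enforce. Test a hardened configuration from a second session before closing the one you are in, since a mistake in AuthenticationMethods can lock out every account at once.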

The Guyana National CIRT recommends that users and administrators review this alert and make changes where necessary. 

PDF Download: RapperBot Malware targeting Linux Servers.pdf
