Since June, FortiGuard Labs has been monitoring the "RapperBot" family of revolving IoT malware. Although the original Mirai source code was greatly influenced by this family, it differs from other IoT malware families in that it has the capacity to brute force credentials and connect to SSH servers rather than Telnet, which was how Mirai implemented it.
The malware is alleged to have gathered a series of hacked SSH servers, with over 3,500 distinct IP addresses used to scan and brute-force its way into the servers. The malware is named from an encoded URL to a YouTube rap music video in an early draft.
Analysis of the malware
According to the Fortinet analysis, the majority of the malware code implements an SSH 2.0 client that can connect to and brute force any SSH server that supports Diffie-Hellmann key exchange with 768-bit or 2048-bit keys and data encryption using AES128-CTR.
RapperBot turned out to be a Mirai fork with unique features, its own command and control (C2) protocol, and unusual post-compromise for a botnet. RapperBot was created to target ARM and MIPS and has limited DDoS capabilities.
The attempt to create durability on the compromised host, which effectively allows the hacker to keep ongoing access long after the malware has been uninstalled or the unit has been restarted, serves as further proof of how Mirai has deviated from its usual behavior.
RapperBot used a self-propagation technique via a remote binary downloader, which was eliminated by the hackers in mid-July, as per Fortinet researchers who watched the bot and proceeded to sample new variants.
The recent versions in circulation at the time included a shell command that switched the victim's SSH keys for the hackers. A unique file named "/.ssh/authorized keys" is used to get access by inserting the operators' SSH public key. This enables the attacker to log in and authenticate to the server using the associated private key without providing a password.
The root user "suhelper" is added by the bot to the compromised endpoints in the most recent samples that the researchers have examined. The bot also sets up a Cron job to add the user again every hour if an administrator finds the account and deletes it.
Observations
As per Fortinet, analysts observed no new post-compromise payloads transmitted during the monitoring time, so the virus simply lays dormant on the affected Linux systems.
Despite the botnet abandoning self-propagation in favor of persistence, it is said that the botnet underwent substantial alterations in a short period of time, the most notable of which being the removal of DDoS attack elements from the artifacts at one point, only to be reinstated a week later.
At best, the campaign's ultimate goals are still unclear, and little more action is taken after a successful compromise. It is evident that SSH servers with pre-configured or easily guessable credentials are being gathered into a botnet for some unknown future use.
Users should set secure passwords for their devices or, turn off password authentication for SSH to protect themselves from such attacks.