A botnet, named RapperBot, is being used in a brute-force attack ongoing since mid-June. The aim is to make a way into Linux SSH servers to get access to devices.

About RapperBot

  • The botnet was discovered by Fortinet, who noticed some unusual SSH-related strings and decided to examine it. 
  • They spotted a self-propagation feature in the bot using a remote binary downloader that was removed in mid-July.
  • The bot authors added extra layers of obfuscation to the strings in later observed samples, such as XOR encoding.

More Insights

According to researchers, RapperBot is based on the Mirai trojan, yet different from the original malware. Mirai spreads uncontrollably, leading to the infection of as many devices as possible. However, RapperBot’s attack is a tightly controlled botnet.
  • In the last 1.5 months after its discovery, the RapperBot botnet has already used over 3,500 unique IPs around the world to scan and attempt to brute-force Linux SSH servers.
  • It comes with limited DDoS capabilities, and its operation is aimed at initial server access. It could also be used as a first step for lateral movement inside a network.
  • The botnet functions as a general IoT malware and targets different architectures, including SPARC, MIPS, and x86.

Persistence tactics

  • Out of the multiple variants found, the latest variants of the bot feature a shell command that replaces the victim's SSH keys with the attacker’s to establish persistence, which is maintained even after an SSH password reset.
  • RapperBot adds the attacker’s SSH key to the host's ~/.ssh/authorized_keys to maintain access on the server between reboots or malware spotted and removed.
  • In the most recent samples, the bot adds the root user ‘suhelper’ on infected endpoints and creates a Cron job to re-add the user every hour if the admin spotted the account and deletes it.


Most botnets have lately been observed performing DDoS or engaging in coin-mining activities or doing both. Whatever the case, businesses and firms should update OS and apps, patch flaws, and deploy anti-malware solutions.
Cyware Publisher