RapperBot Brute-Forces SSH Servers

About RapperBot

• The botnet was discovered by Fortinet, who noticed some unusual SSH-related strings and decided to examine it. 
• They spotted a self-propagation feature in the bot using a remote binary downloader that was removed in mid-July.
• The bot authors added extra layers of obfuscation to the strings in later observed samples, such as XOR encoding.

More Insights

• In the last 1.5 months after its discovery, the RapperBot botnet has already used over 3,500 unique IPs around the world to scan and attempt to brute-force Linux SSH servers.
• It comes with limited DDoS capabilities, and its operation is aimed at initial server access. It could also be used as a first step for lateral movement inside a network.
• The botnet functions as a general IoT malware and targets different architectures, including SPARC, MIPS, and x86.

Persistence tactics

• Out of the multiple variants found, the latest variants of the bot feature a shell command that replaces the victim's SSH keys with the attacker’s to establish persistence, which is maintained even after an SSH password reset.
• RapperBot adds the attacker’s SSH key to the host's ~/.ssh/authorized_keys to maintain access on the server between reboots or malware spotted and removed.
• In the most recent samples, the bot adds the root user ‘suhelper’ on infected endpoints and creates a Cron job to re-add the user every hour if the admin spotted the account and deletes it.

Conclusion