A fearsome new botnet is rapidly gaining momentum

New Mirai version is expanding quickly, experts warn


An old, infamous trojan has been forked, with the new variant being used to attack Linux SSH servers, experts have warned.

However, unlike the original malware, whose purpose was quite clear, researchers are not yet sure what the operators are up to this time around.

Cybersecurity researchers from Fortinet detected IoT malware with unusual SSH-related strings, and after digging a bit deeper, discovered RapperBot, a variant of the dreaded Mirai trojan.

Access for sale?


RapperBot was first deployed in mid-June 2022, and is being used to brute-force into Linux SSH servers and gain persistence on the endpoints.

RapperBot borrows quite a lot from Mirai, but it does have its own command and control (C2) protocol, as well as certain unique features.

But unlike Mirai, whose goal was to spread to as many devices as possible, and then use those devices to mount devastating Distributed Denial of Service (DDoS) attacks, RapperBot is spreading with more control, and has limited (sometimes even completely disabled) DDoS capabilities.

The researchers’ first impression is that the malware might be used for lateral movement within a target network, and as the first stage in a multi-stage attack. It could be also used simply to gain access to the target devices, access which could later be sold on the black market. The researchers came to this conclusion, among other things, due to the fact that the trojan sits idly, once it compromises a device.


Whatever the endgame is, the trojan is quite active, the researchers further claim, saying that in the past month and a half it has used more than 3,500 unique IP addresses worldwide to scan and brute-force Linux SSH servers. To launch a brute-force attack, the trojan first downloads a list of credentials from its C2, via host-unique TCP requests. If it succeeds, it reports the results back to the C2.

“Unlike the majority of Mirai variants, which natively brute force Telnet servers using default or weak passwords, RapperBot exclusively scans and attempts to brute force SSH servers configured to accept password authentication,” Fortinet explains. “The bulk of the malware code contains an implementation of an SSH 2.0 client that can connect and brute force any SSH server that supports Diffie-Hellman key exchange with 768-bit or 2048-bit keys and data encryption using AES128-CTR.”
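The two practical takeaways from the Fortinet description are that the bot only gets in where SSH accepts passwords, and that its activity shows up in sshd logs as a burst of failed password attempts across several usernames from one source, sometimes followed by a success. The script below is an added example (not Fortinet's code or the article's) that audits an sshd_config fragment for the settings that leave password authentication open, and summarises constructed sshd auth-log lines per source address to flag that pattern. It assumes the standard OpenSSH "Failed/Accepted password for ... from ... port ..." log format and OpenSSH's documented defaults (PasswordAuthentication yes, KbdInteractiveAuthentication yes, PermitRootLogin prohibit-password); the log lines, IP addresses and config fragments are constructed samples.

```python
import re
from collections import defaultdict

# --- Part 1: detect password brute-force activity in sshd log lines -----------

# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE_AUTH_LOG = """\
Jul 20 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.10 port 51022 ssh2
Jul 20 10:01:03 host sshd[1203]: Failed password for invalid user admin from 203.0.113.10 port 51023 ssh2
Jul 20 10:01:04 host sshd[1205]: Failed password for invalid user pi from 203.0.113.10 port 51024 ssh2
Jul 20 10:01:05 host sshd[1207]: Failed password for root from 203.0.113.10 port 51025 ssh2
Jul 20 10:01:06 host sshd[1209]: Failed password for invalid user ubnt from 203.0.113.10 port 51026 ssh2
Jul 20 10:01:07 host sshd[1211]: Accepted password for root from 203.0.113.10 port 51027 ssh2
Jul 20 10:06:00 host sshd[1302]: Failed password for alice from 198.51.100.7 port 40002 ssh2
Jul 20 10:06:09 host sshd[1304]: Accepted password for alice from 198.51.100.7 port 40003 ssh2
"""

# Standard OpenSSH auth log format; "invalid user" is present when the
# username does not exist on the host.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def summarize_password_auth(log_text):
    """Per source IP: number of failed password logins, the distinct usernames
    tried, and whether a password login succeeded after earlier failures."""
    per_ip = defaultdict(lambda: {"failed": 0, "users": set(), "accepted_after_failures": False})
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue  # public-key logins and unrelated lines are ignored
        entry = per_ip[m["ip"]]
        if m["result"] == "Failed":
            entry["failed"] += 1
            entry["users"].add(m["user"])
        elif entry["failed"] > 0:
            entry["accepted_after_failures"] = True
    return dict(per_ip)


def flag_bruteforce(per_ip, threshold=5):
    """Flag an IP when it exceeds the failure threshold, or when a password
    login succeeded after failures spread over several usernames (a single
    user mistyping once and then logging in is not flagged)."""
    flagged = []
    for ip, e in per_ip.items():
        spray_then_success = e["accepted_after_failures"] and len(e["users"]) >= 2
        if e["failed"] >= threshold or spray_then_success:
            flagged.append({
                "ip": ip,
                "failed": e["failed"],
                "distinct_users": len(e["users"]),
                "success_after_failures": e["accepted_after_failures"],
            })
    return sorted(flagged, key=lambda f: (-f["failed"], f["ip"]))


# --- Part 2: audit sshd_config for password-authentication exposure -----------

# Constructed config fragments: the weak one is what the bot is looking for.
SSHD_CONFIG_WEAK = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

SSHD_CONFIG_HARDENED = """\
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
"""


def audit_sshd_config(config_text):
    """Return findings for the global section of an sshd_config. sshd keeps the
    first value seen for each keyword, so we do the same; parsing stops at the
    first 'Match' block (assumption: no relevant overrides live there)."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key == "match":
            break
        settings.setdefault(key, value.strip().lower())

    findings = []
    if settings.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no': SSH passwords can be brute-forced")
    # Keyboard-interactive (PAM) can still prompt for a password even when
    # PasswordAuthentication is off; older configs spell it ChallengeResponseAuthentication.
    kbd = settings.get("kbdinteractiveauthentication",
                       settings.get("challengeresponseauthentication", "yes"))
    if kbd != "no":
        findings.append("KbdInteractiveAuthentication is not 'no': PAM password prompts remain possible")
    if settings.get("permitrootlogin", "prohibit-password") == "yes":
        findings.append("PermitRootLogin yes: root can log in with a password")
    return findings


if __name__ == "__main__":
    for hit in flag_bruteforce(summarize_password_auth(SAMPLE_AUTH_LOG)):
        print("suspicious source:", hit)
    for name, cfg in (("weak", SSHD_CONFIG_WEAK), ("hardened", SSHD_CONFIG_HARDENED)):
        print(name, "->", audit_sshd_config(cfg) or ["no findings"])
```

Run against real data, feed it `journalctl -u ssh` or `/var/log/auth.log` output and the host's actual `/etc/ssh/sshd_config`; the config audit deliberately ignores `Match` blocks, so a per-user or per-address override that re-enables passwords would need a separate check.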

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
