RapperBot: A Derivative of Mirai IoT Malware with a Different Focus

RapperBot, based on the Mirai IoT malware code, has continued to develop since its discovery in early summer 2022.

Like Mirai, RapperBot attempts to brute force access to IoT devices using weak or default passwords.

RapperBot is designed to retain access to devices even after they have been rebooted, and recent variants can also give attackers full control of the device.

Samples of RapperBot across ARM, MIPS, SPARC and x86 architectures were tested against BluVector’s patented Machine Learning Engine (MLE) and were detected. Regression testing shows that BluVector would have detected RapperBot samples on average 49 months prior to their release, and in some cases up to 99 months prior.

What Is It?

Researchers from Fortinet’s FortiGuard Labs have released the details of a derivative of the Mirai IoT (Internet of Things) malware, named RapperBot. Since first discovering it in mid-June, they have observed continuous development of RapperBot, named for a URL found in early samples that linked to a rap video on YouTube.

The Mirai botnet was discovered by the malware research group MalwareMustDie in August 2016. The botnet is composed of IoT devices which the Mirai malware has compromised, usually because administrative accounts use default or poor passwords and are accessible via the Telnet service. The operators utilize the Mirai botnet to perpetrate DDoS (Distributed Denial of Service) attacks. Initially these attacks were focused on Minecraft servers, but have since progressed to some of the largest and most disruptive recorded DDoS attacks. Another characteristic of Mirai is that it does not obtain persistence on the infected device, i.e. it will not survive a reboot of the device. Unless the underlying password weakness is resolved, the device will likely be reinfected a short time after being rebooted. Estimates of the maximum number of infected devices which made up the Mirai botnet at any one time vary widely, but generally agree that it was at least 600,000 devices.

As a derivative of Mirai, RapperBot has several similarities to Mirai, but it appears the operator’s purpose is quite different. Like Mirai, RapperBot attempts to brute force access to IoT devices utilizing weak or default passwords. However, instead of Telnet, RapperBot targets SSH servers that allow password authentication. Earlier samples contained hardcoded lists of userid/password combinations to be used for brute force attempts, whereas more recent samples retrieve these lists from the malware’s C2 (Command and Control) site. RapperBot variants briefly contained code to self-propagate, but variants from mid-July now replace the infected device’s SSH authorized_keys file with one containing the attackers’ public SSH key. This means that even if the device is rebooted, the attackers still retain access. More recent variants also add a new root user to the device, giving attackers full control of the device. Researchers did not observe any additional payloads being deployed to infected devices.
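A host-side check for the two persistence changes described above, added here as an example and not taken from the report: it flags UID 0 accounts other than root, keys in authorized_keys that are not on an approved list, and approved keys that have disappeared (the sign of a replaced file). It assumes "new root user" means an extra account with UID 0; the account name, key blobs and approved list are constructed sample data.

```python
import base64
import hashlib

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # prefixes of OpenSSH public key type names

def key_fingerprint(line):
    """Return the SHA256 fingerprint (ssh-keygen -l style) of a key line, or None."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field.startswith(KEY_TYPES):  # options, if any, come before the type
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except ValueError:
                return None
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return None

def audit(passwd_text, authorized_keys_text, approved):
    """List findings: extra UID 0 accounts, unapproved keys, missing approved keys."""
    findings = []
    for entry in passwd_text.splitlines():
        parts = entry.split(":")
        if len(parts) >= 3 and parts[2] == "0" and parts[0] != "root":
            findings.append(("extra-uid0-account", parts[0]))
    present = set()
    for line in authorized_keys_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fp = key_fingerprint(line)
        if fp is None:
            findings.append(("unparseable-key-line", line[:24]))
            continue
        present.add(fp)
        if fp not in approved:
            findings.append(("unapproved-key", fp))
    # A replaced file shows up as approved keys that are no longer present.
    findings += [("approved-key-missing", fp) for fp in sorted(set(approved) - present)]
    return findings

# Constructed sample data: the blobs are placeholders, not real keys.
def sample_line(label):
    return "ssh-ed25519 " + base64.b64encode(label.encode()).decode() + " " + label

ADMIN_LINE = sample_line("constructed-admin-key")
UNKNOWN_LINE = sample_line("constructed-unknown-key")
SAMPLE_PASSWD = ("root:x:0:0::/root:/bin/sh\nconstructed_user:x:0:0::/:/bin/sh\n"
                 "daemon:x:1:1::/:/bin/false\n")
```

Calling `audit(SAMPLE_PASSWD, UNKNOWN_LINE, {key_fingerprint(ADMIN_LINE)})` returns all three finding types; on a real device the inputs would be the contents of `/etc/passwd` and each account's `authorized_keys` file.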

When attempting to brute force an SSH server, RapperBot uses a unique identifier of “SSH-2.0-HELLOWORLD”. The timing of the discovery of RapperBot coincides with the appearance of this identifier in the logs of an SSH honeypot operated by the SANS Internet Storm Center. The majority of RapperBot brute force attempts in these logs originated from Taiwan, South Korea, the United States, and Japan.
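The identifier above can be hunted for directly in SSH honeypot logs. The following is an added example, not code from the report: it assumes Cowrie-style JSON-lines events (`cowrie.client.version`, `cowrie.login.failed`, `cowrie.login.success`), and the log lines and addresses are constructed.

```python
import json
from collections import defaultdict

BANNER = "SSH-2.0-HELLOWORLD"  # client identifier named in the report

# Constructed sample events; Cowrie-style JSON lines are an assumed log format.
SAMPLE_LOG = [
    '{"eventid":"cowrie.client.version","session":"s1","src_ip":"198.51.100.7","version":"SSH-2.0-HELLOWORLD"}',
    '{"eventid":"cowrie.login.failed","session":"s1","src_ip":"198.51.100.7","username":"admin"}',
    '{"eventid":"cowrie.login.failed","session":"s1","src_ip":"198.51.100.7","username":"root"}',
    '{"eventid":"cowrie.client.version","session":"s2","src_ip":"203.0.113.9","version":"SSH-2.0-OpenSSH_8.9"}',
    '{"eventid":"cowrie.login.failed","session":"s2","src_ip":"203.0.113.9","username":"test"}',
    '{"eventid":"cowrie.client.version","session":"s3","src_ip":"198.51.100.7","version":"SSH-2.0-HELLOWORLD"}',
    '{"eventid":"cowrie.login.success","session":"s3","src_ip":"198.51.100.7","username":"root"}',
    'truncated line {"eventid":',
]

def parse(lines):
    """Decode JSON lines, skipping anything truncated or malformed."""
    events = []
    for raw in lines:
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict):
            events.append(event)
    return events

def banner_activity(lines, banner=BANNER):
    """Per source IP: sessions that sent the banner and their login outcomes."""
    events = parse(lines)
    # Pass 1: map each session that announced the banner to its source address.
    flagged = {e["session"]: e.get("src_ip") for e in events
               if e.get("eventid") == "cowrie.client.version"
               and "session" in e
               and str(e.get("version", "")).strip() == banner}
    report = defaultdict(lambda: {"sessions": 0, "failed": 0, "success": 0})
    for ip in flagged.values():
        report[ip]["sessions"] += 1
    # Pass 2: attribute login events to flagged sessions, whatever their order.
    for e in events:
        ip = flagged.get(e.get("session"))
        if ip is None:
            continue
        if e.get("eventid") == "cowrie.login.failed":
            report[ip]["failed"] += 1
        elif e.get("eventid") == "cowrie.login.success":
            report[ip]["success"] += 1
    return dict(report)
```

A non-zero `success` count for a flagged address is the entry to triage first, since it marks a credential pair that the brute force attempt got right.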

While RapperBot does contain DDoS capabilities, they are somewhat limited, certainly when compared with Mirai. This indicates that DDoS attacks are not the primary objective of the RapperBot operators. The efforts they have undertaken to ensure that their SSH access is resilient speak more strongly to their objective, that of an initial access broker. This hypothesis is further strengthened by the fact that no further payloads were observed being installed, which would potentially alert the device owners to the compromise. The longer a compromised device goes undetected, the more opportunity an initial access broker has to sell access to the device to other malicious cyber actors.

How Does It Propagate?

Variants of the RapperBot malware only briefly contained the necessary code to self-propagate. The infection vector is brute forcing of weak or default passwords on SSH servers of IoT devices.

When/How Did BluVector Detect It?

A total of 21 samples of RapperBot malware, across ARM, MIPS, SPARC and x86 architectures, were tested against BluVector’s patented Machine Learning Engine (MLE) and all were detected. Regression testing of these samples shows that BluVector would have detected them on average 49 months prior to their release, and in some cases up to 99 months prior.

Threat Team
BluVector’s Threat Report is written by BluVector’s expert security team, tasked with identifying the latest cybersecurity threats in the wild and when our solutions would protect customers from those threats.
