IoT
APT
Linux
RapperBot is a malware family derived from the Mirai botnet source code, targeting IoT devices through brute-forcing SSH credentials instead of Telnet. This modification allows RapperBot to compromise a broader range of devices, including those with more secure configurations. Unique among Mirai variants, RapperBot incorporates persistence mechanisms, ensuring continued access to compromised systems even after reboots or malware removal.
RapperBot's developers adapted the Mirai botnet source code to focus on SSH servers rather than Telnet, broadening the range of devices it can reach. By targeting devices with SSH remote management enabled, RapperBot can infiltrate more sophisticated systems than the typical IoT targets of Mirai.
Persistence Mechanisms
Unlike most Mirai-based malware, RapperBot ensures its continued presence by adding its public key to the ~/.ssh/authorized_keys file of infected devices. This persistence allows attackers to regain access even if the malware is removed or the system is rebooted, complicating recovery efforts.
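Because this persistence lives in a plain text file, the defensive check is an audit of every authorized_keys file against the keys an administrator actually provisioned. The script below is an added example, not code from the original page or from the malware; it parses the OpenSSH authorized_keys format, computes each key's SHA256 fingerprint in the form `ssh-keygen -lf` prints, and reports any entry whose fingerprint is not on an allowlist. The sample file content and both key blobs are constructed for the demo (structurally valid ssh-ed25519 blobs, not real key pairs); on a real device the allowlist would come from configuration management and the input from /root/.ssh and each /home/*/.ssh.

```python
"""Audit OpenSSH authorized_keys contents against an allowlist of key
fingerprints, flagging any key an administrator did not provision.

Added example; not code from the original page or from RapperBot.
The sample authorized_keys text and both key blobs below are constructed.
"""
import base64
import hashlib

# Key types OpenSSH accepts in authorized_keys. Used to split the optional
# options string (command=..., no-pty, ...) from the key itself.
KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def fingerprint(b64_blob):
    """SHA256 fingerprint in the same form `ssh-keygen -lf` prints."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Yield (lineno, options, keytype, blob, comment) per key line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        # The key type is the first token naming a known type; everything
        # before it is the options string, everything after the blob is comment.
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            yield (lineno, None, None, None, line)
            continue
        options = " ".join(tokens[:idx])
        comment = " ".join(tokens[idx + 2:])
        yield (lineno, options, tokens[idx], tokens[idx + 1], comment)


def audit_authorized_keys(text, allowed_fingerprints):
    """Return findings for entries that are unparseable or not allowlisted."""
    findings = []
    for lineno, options, keytype, blob, comment in parse_authorized_keys(text):
        if blob is None:
            findings.append({"line": lineno, "reason": "unparseable entry"})
            continue
        fp = fingerprint(blob)
        if fp not in allowed_fingerprints:
            findings.append({
                "line": lineno, "reason": "key not in allowlist",
                "type": keytype, "fingerprint": fp,
                "options": options, "comment": comment,
            })
    return findings


def _fake_ed25519_blob(seed):
    """Constructed ssh-ed25519 wire blob (string type + 32-byte key).
    Structurally valid for parsing; not a real key pair."""
    pub = bytes([(seed + i) % 256 for i in range(32)])
    wire = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + pub
    return base64.b64encode(wire).decode()


TRUSTED_BLOB = _fake_ed25519_blob(1)
ROGUE_BLOB = _fake_ed25519_blob(200)

# Constructed sample: one provisioned admin key, plus a second key that
# nobody provisioned, which is what an implant adding itself looks like.
SAMPLE_AUTHORIZED_KEYS = f"""# provisioned by config management
ssh-ed25519 {TRUSTED_BLOB} admin@mgmt-host
ssh-ed25519 {ROGUE_BLOB}
"""

# In production this set is stored, not computed from the file under audit.
ALLOWLIST = {fingerprint(TRUSTED_BLOB)}


def demo():
    return audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWLIST)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against the real files as root, one file at a time, and treat any finding as an incident rather than just deleting the line: the key's presence means the credentials that let it be written are already compromised.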
Expanding Capabilities
RapperBot has evolved to include features such as launching DDoS attacks and cryptojacking. Recent versions have been used to target gaming servers with DDoS campaigns, disrupting online services. Additionally, certain variants leverage compromised Intel x64 machines to mine cryptocurrency, creating new revenue streams for the attackers.
Mitigation and Detection
Disable password-based SSH authentication in favor of key-based methods.
Regularly patch and update devices to eliminate known vulnerabilities.
Monitor network traffic for unusual activity, such as brute-force attempts.
Enforce rate-limiting and account lockout policies to prevent repeated login attempts.
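Two of these items can be checked mechanically. The script below is an added example, not code from the original page: it parses an sshd_config the way sshd reads it (first value for a keyword wins, global section only) and reports password authentication left on, root password login and a high MaxAuthTries, then counts "Failed password" lines per source address from syslog-style auth.log lines with a sliding window to surface brute forcing. The weak and hardened config fragments and the log lines are constructed; the policy of 5 failures within 60 seconds is an assumed threshold, not one the page gives.

```python
"""Check an sshd_config against the hardening list, and flag SSH
brute-force sources from auth.log lines.

Added example; not from the original page. Config fragments, log lines
and the 5-in-60s threshold are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime


def parse_sshd_config(text):
    """{keyword_lower: first value} for the global section. sshd keeps the
    first value it sees; Match blocks apply only to matching connections,
    so parsing stops at the first Match line."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def check_sshd_config(text):
    """Return a list of problems; the fallbacks are sshd's own defaults."""
    s = parse_sshd_config(text)
    problems = []
    if s.get("passwordauthentication", "yes") != "no":
        problems.append("PasswordAuthentication is not 'no'")
    if s.get("permitrootlogin", "prohibit-password") == "yes":
        problems.append("PermitRootLogin yes allows root password login")
    try:
        if int(s.get("maxauthtries", "6")) > 3:
            problems.append("MaxAuthTries above 3")
    except ValueError:
        problems.append("MaxAuthTries is not numeric")
    return problems


# Syslog-style sshd failure line; "invalid user" appears for unknown accounts.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def brute_force_sources(log_lines, threshold=5, window_seconds=60, year=2024):
    """{ip: max failures in any window_seconds span} for sources at or
    above threshold. Syslog lines carry no year, so one is assumed."""
    attempts = defaultdict(list)
    for line in log_lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        attempts[m["ip"]].append(ts)
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


WEAK_CONFIG = """# constructed: typical default-ish IoT sshd_config
PasswordAuthentication yes
PermitRootLogin yes
MaxAuthTries 6
"""

HARDENED_CONFIG = """# constructed: hardened settings from the list above
PasswordAuthentication no
PermitRootLogin prohibit-password
PubkeyAuthentication yes
MaxAuthTries 3
Match User backup
    PasswordAuthentication yes
"""

SAMPLE_LOG = [  # constructed lines; addresses are documentation ranges
    "Jan 14 03:21:07 gw sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2",
    "Jan 14 03:21:09 gw sshd[1203]: Failed password for root from 203.0.113.7 port 51236 ssh2",
    "Jan 14 03:21:12 gw sshd[1205]: Failed password for invalid user admin from 203.0.113.7 port 51238 ssh2",
    "Jan 14 03:21:15 gw sshd[1207]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2",
    "Jan 14 03:21:18 gw sshd[1209]: Failed password for root from 203.0.113.7 port 51242 ssh2",
    "Jan 14 03:21:20 gw sshd[1211]: Failed password for invalid user pi from 203.0.113.7 port 51244 ssh2",
    "Jan 14 03:25:40 gw sshd[1230]: Failed password for alice from 198.51.100.9 port 40010 ssh2",
    "Jan 14 03:30:02 gw sshd[1244]: Accepted publickey for alice from 198.51.100.9 port 40012 ssh2",
]

if __name__ == "__main__":
    print("weak:", check_sshd_config(WEAK_CONFIG))
    print("hardened:", check_sshd_config(HARDENED_CONFIG))
    print("brute-force sources:", brute_force_sources(SAMPLE_LOG))
```

The Match-block caveat matters on real devices: a `Match` stanza that re-enables PasswordAuthentication for one user is exactly the kind of exception a password brute force will find, so review anything after the first Match line by hand.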