FortiGuard Labs researchers have uncovered new samples of the RapperBot botnet, which now includes support for cryptojacking activities. Initially detected in August, RapperBot borrows code from the Mirai botnet but distinguishes itself by employing brute force to target SSH servers instead of Telnet.
The latest campaign showcases the botnet’s evolution, incorporating persistence techniques and exploiting weak credentials to gain remote access.
The recent findings from FortiGuard Labs shed light on the ongoing development of the RapperBot botnet. Since its initial discovery in mid-June 2022, the botnet has undergone significant updates, with the most recent samples exhibiting cryptojacking capabilities.
While the malware initially utilized separate Monero miners, it has since integrated mining capabilities into the bot itself.
RapperBot’s ability to maintain persistence and adapt its attack methods is cause for concern. By employing SSH public key authentication with the comment “helloworld,” the bot can authenticate the SSH server without requiring a password.
The botnet’s continual updates and evasion techniques make it a potent threat. To mitigate its impact, FortiGuard Labs recommends enabling public key authentication and setting strong passwords for all internet-connected devices.
The researchers also highlighted two distinct clusters of ARM samples within the botnet, each with its own functionalities and capabilities. Additionally, the revised binary network protocol used by RapperBot helps evade detection, utilizing a two-layer approach for encoding and decoding information exchanged with the command-and-control (C2) server.
By continuously updating and refining its tactics, RapperBot poses an ongoing threat, emphasizing the importance of implementing robust security measures.
