Table of Contents
In this post, we are talking about a new malware that most likely affects Linux systems. Researchers from FortiGuard Labs from Fortinet, a well know enterprise security firm, have been monitoring a fast-growing IoT malware family known as “RapperBot.” since mid-June 2022. The malware is said to be capable of brute forcing SSH servers to capture their credentials. Since remote attackers use this malware to gain control of vulnerable Linux systems, it is highly critical to know more about RapperBot malware and take all the precautions o protect your Linux systems from RapperBot malware.
Before we see how to protect your Linux systems from RapperBot Malware, let’s see some key extracts from the report with its working and, finally, some of the protection methods.
Key Extracts from the Report:
FortiGuard Labs has been tracking RapperBot since mid-June 2022.
The malware affects non-windows, most likely Linux systems.
The malware targets ARM, MIPS, SPARC, and x86 architectures
Attackers could gain control of the vulnerable systems.
Source code of RapperBot malware is imported from Mirai
Unlike Mirai, RapperBot targets only SSH servers.
In total, 3500 servers from the globe were expected to be compromised.
IPs from the US, Taiwan, and South Korea cumulatively scored more than half of the score.
About RapperBot Malware:
RapperBot belongs to IoT malware families whose source code is expected to be imported from the Mirai botnet. The thing that keeps RapperBot different from its source Mirai is that RapperBot targets SSH credentials on vulnerable Linux servers instead of Telnet service. Attackers use this malware to compromise the victim and take control of the victim system with root privileges.
Researchers say the recent new samples clearly show that the malware keeps evolving with additional code to maintain persistence and work covered under the radar. Additionally, the malware has developed capabilities of importing new credentials from the new C2 servers instead of using hardcoded credentials in its earlier variants to brute force the victim. In the brute force attack, if the malware finds a successful match of username and password, it writes back the successful login credentials to the C2 server and stores them in its global database.
This allows the threat actors to continually add new SSH credentials without having to update infected devices with new samples. This port number ranges from 4343 to 4345 in the latest samples.
– FortiGuard Labs
in the latest samples, the malware has started adding the root user and SSH keys that further allows malware authors to take complete control of the device and keep their presence even after the reboot or removal of the malware. Please read the complete technical details about the RapperBot malware here.
RapperBot execution flow Published by FortiGuard Labs
Tips to Protect Your Linux Systems from Rapp
There are a number of ways to protect your SSH credentials from brute force attacks. The most common and effective way is to use a strong password. A strong password should be at least eight characters long and should include a mix of letters, numbers, and symbols. It should also be changed regularly.
Another way to protect your SSH credentials from brute force attacks is to use two-factor authentication. Two-factor authentication requires users to provide both a password and a code generated by an authenticator app or device in order to log in. This makes it much more difficult for attackers to gain access to your account, even if they have your password.
You can also protect your SSH credentials by limiting the number of failed login attempts. After a certain number of failed login attempts, the account will be locked and the user will need to contact an administrator in order to regain access.
Finally, you can use a tool like fail2ban to automatically ban IP addresses that are associated with brute force attacks. This will prevent the attacker from even attempting to log in, as their IP address will be blocked.
By following these steps, you can protect your SSH credentials from brute force attacks and keep your account safe.
How to Protect Your Linux Systems From RapperBot Malware?
Since the primary attack vector of RapperBot is to brute forcing SSH credentials, it is recommended to set complex and unique passwords. Setting up key authentication instead of password authentication is a good option to protect your Linux from RapperBot Malware. Please take a look at the “How To Setup SSH Keys On The Raspberry Pi?” post to see the step-by-step procedure to set up key-based authentication instead of password-based authentication.
How to Configure Key Authentication Instead of Password on Linux?
There are a few steps that you need to take in order to configure key authentication instead of password authentication on your Linux server. Firstly, you need to generate a public/private key pair on your local machine. Next, you will need to copy the public key to your server. Finally, you will need to edit the sshd_config file to disable password authentication and enable key authentication.
In order to generate a public/private key pair, you can use the ssh-keygen command. This will generate a 2048-bit RSA key pair by default. You can change the type of key that is generated by using the -t option. For example, to generate an Ed25519 key pair, you would use the following command:
ssh-keygen -t ed25519Once you have generated your key pair, you will need to copy the public key to your server. The easiest way to do this is using the ssh-copy-id command. This will copy your public key to the ~/.ssh/authorized_keys file on your server.
Once your public key has been copied to your server, you will need to edit the sshd_config file to disable password authentication and enable key authentication. To do this, you will need to change the following lines in the file:
PasswordAuthentication no
PubkeyAuthentication yesAfter making these changes, you will need to restart the SSH service in order for them to take effect.
Once you have completed these steps, you will be able to connect to your server using key authentication instead of password authentication. This is more secure than password authentication because it means that even if someone were to obtain your password, they would not be able to log in to your server unless they also had your private key.
IOCs of RapperBot Malware:
Please take these Indicators of compromise captured by FortiGuard Labs.
Files
92ae77e9dd22e7680123bb230ce43ef602998e6a1c6756d9e2ce5822a09b37b4
a31f4caa0be9e588056c92fd69c8ac970ebc7e85a68615b1d9407a954d4df45d
e8d06ac196c7852ff71c150b2081150be9996ff670550717127db8ab855175a8
23a415d0ec6d3131f1d537836d3c0449097e98167b18fbdbf2efca789748818a
c83f318339e9c4072010b625d876558d14eaa0028339db9edf12bbcafe6828bb
05c78eaf32af9647f178dff981e6e4e43b1579d95ccd4f1c2f1436dbfa0727ad
88bbb772b8731296822646735aacbfb53014fbb7f90227b44523d7577e0a7ce6
e8f1e8ec6b94ea54488d5f714e71e51d58dcdfe4be3827c55970d6f3b06edf73
23256f231f3d91b0136b44d649b924552607a29b43a195024dbe6cde5b4a28ad
77b2e5fb5b72493bde35a6b29a66e6250b6a5a0c9b9c5653957f64a12c793cd5
dcdeedee4736ec528d1a30a585ec4a1a4f3462d6d25b71f6c1a4fef7f641e7ae
ebb860512a55c1cdc8be1399eec44c4481aedb418f15dbda4612e6d38e9b9010
9d234e975e4df539a217d1c4386822be1f56cea35f7dd2aa606ae4995894da42
1975851c916587e057fa5862884cbac3fa1e80881ddd062392486f5390c86865
8380321c1bd250424a0a167e0f319511611f73b53736895a8d3a2ad58ffcd5d5
f5ff9d1261af176d7ff1ef91aa8c892c70b40caa02c17a25de22539e9d0cdd26
2298071b6ba7baa5393be064876efcdbd9217c212e0c764ba62a6f0ffc83cc5a
2479932a6690f070fa344e5222e3fbb6ad9c880294d5b822d7a3ec27f1b8b8d5
1d5e6624a2ce55616ef078a72f25c9d71a3dbc0175522c0d8e07233115824f96
746106403a98aea357b80f17910b641db9c4fedbb3968e75d836e8b1d5712a62
ddf5aff0485f395c7e6c3de868b15212129962b4b9c8040bef6679ad880e3f31
e56edaa1e06403757e6e2362383d41db4e4453aafda144bb36080a1f1b899a02
55ff25b090dc1b380d8ca152428ba28ec14e9ef13a48b3fd162e965244b0d39b
8e9f87bb25ff83e4ad970366bba47afb838028f7028ea3a7c73c4d08906ec102
d86d158778a90f6633b41a10e169b25e3cb1eb35b369a9168ec64b2d8b3cbeec
ff09cf7dfd1dc1466815d4df098065510eec504099ebb02b830309067031fe04
Download URLs
hxxp://31[.]44[.]185[.]235/x86
hxxp://31[.]44[.]185[.]235/mips
hxxp://31[.]44[.]185[.]235/arm7
hxxp://2[.]58[.]149[.]116/arm
hxxp://2[.]58[.]149[.]116/spc
hxxp://2[.]58[.]149[.]116/mips
hxxp://2[.]58[.]149[.]116/x86_64
hxxp://2[.]58[.]149[.]116/ssh/arm7
hxxp://2[.]58[.]149[.]116/ssh/mips
hxxp://2[.]58[.]149[.]116/ssh/x86
hxxp://2[.]58[.]149[.]116/ssh/spc
hxxp://194[.]31[.]98[.]244/ssh/new/spc
hxxp://194[.]31[.]98[.]244/ssh/new/x86
hxxp://194[.]31[.]98[.]244/ssh/new/mips
hxxp://194[.]31[.]98[.]244/ssh/new/arm7
hxxp://194[.]31[.]98[.]244/ssh/new/arm
hxxp://194[.]31[.]98[.]244/ssh/new/x86
hxxp://194[.]31[.]98[.]244/ssh/new/mips
hxxp://194[.]31[.]98[.]244/ssh/new/arm7
hxxp://194[.]31[.]98[.]244/ssh/new/arm
hxxp://185[.]225[.]73[.]196/ssh/new/arm
hxxp://185[.]225[.]73[.]196/ssh/new/arm7
hxxp://185[.]225[.]73[.]196/ssh/new/mips
hxxp//185[.]225[.]73[.]196/ssh/new/x86
C2
31[.]44[.]185[.]235
2[.]58[.]149[.]116
194[.]31[.]98[.]244
185[.]225[.]73[.]196
Threat Actor SSH Public Key
AAAAB3NzaC1yc2EAAAADAQABAAACAQC/yU0iqklqw6etPlUon4mZzxslFWq8G8sRyluQMD3i8tpQWT2cX/mwGgSRCz7HMLyxt87olYIPemTIRBiyqk8SLD3ijQpfZwQ9vsHc47hdTBfj89FeHJ GGm1KpWg8lrXeMW+5jIXTFmEFhbJ18wc25Dcds4QCM0DvZGr/Pg4+kqJ0gLyqYmB2fdNzBcU05QhhWW6tSuYcXcyAz8Cp73JmN6TcPuVqHeFYDg05KweYqTqThFFHbdxdqqrWy6fNt8q/cgI30 NBa5W2LyZ4b1v6324IEJuxImARIxTc96Igaf30LUza8kbZyc3bewY6IsFUN1PjQJcJi0ubVLyWyyJ554Tv8BBfPdY4jqCr4PzaJ2Rc1JFJYUSVVT4yX2p7L6iRpW212eZmqLMSoR5a2a/tO2s1 giIlb+0EHtFWc2QH7yz/ZBjnun7opIoslLVvYJ9cxMoLeLr5Ig+zny+IEA3x090xtcL62X0jea6btVnYo7UN2BARziisZze6oVuOTCBijuyvOM6ROZ6s/wl4CQAOSLDeFIP5L1paP9V1XLaYLD BAodNaUPFfTxggH3tZrnnU8Dge5/1JNa08F3WNUPM1S1x8L2HMatwc82x35jXyBSp3AMbdxMPhvyYI8v2J1PqJH8OqGTVjdWe40mD2osRgLo1EOfP/SFBTD5VEo95K2ZLQ==
Threat Actor Root User
/etc /passwd suhelper:x:0:0::/:
/etc /shadow suhelper:$1$1OJBlhUV$E9DMK0xdoZb8W8wVOibPQ/:19185:0:99999:7:::
We hope this post would help you know how to protect your Linux systems from RapperBot Malware. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram, and subscribe to receive updates like this.
Arun KL
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
- April 18, 2024
Learn Something New with Free Email subscription
Learn Something New with Free Email subscription
Subscribe
Subscribe
Subscribe
Subscribe
- April 18, 2024
