New Linux malware brute-forces SSH servers to breach networks (Security News, August 2022)
A new botnet called 'RapperBot' has been used in attacks since mid-June 2022, focusing on brute-forcing its way into Linux SSH servers to establish a foothold on the device.
In the roughly 1.5 months since its discovery, the botnet has used over 3,500 unique IP addresses worldwide to scan for and attempt to brute-force Linux SSH servers.
"Unlike the majority of Mirai variants, which natively brute force Telnet servers using default or weak passwords, RapperBot exclusively scans and attempts to brute force SSH servers configured to accept password authentication," explains the Fortinet report.
"The bulk of the malware code contains an implementation of an SSH 2.0 client that can connect and brute force any SSH server that supports Diffie-Hellman key exchange with 768-bit or 2048-bit keys and data encryption using AES128-CTR."
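The two facts above that matter for a defender are that the bot only gets anywhere against sshd instances that still accept password authentication, and that it spreads its guesses across thousands of source addresses, so a per-IP lockout threshold on its own can miss it. The following Python is an added example (not code from the article or from Fortinet's report) that parses a constructed auth.log excerpt, aggregates failed password logins by targeted account across source addresses, flags password logins that succeeded from a source that had just been failing, and reads the effective global `PasswordAuthentication` value out of an sshd_config. The log lines, hostname `srv` and RFC 5737 addresses are constructed for the demonstration; the config reader does not follow `Include` files or evaluate `Match` blocks, which is stated in its docstring.

```python
import re
from collections import defaultdict

# Constructed OpenSSH auth.log excerpt for the demonstration (not from the
# article or from Fortinet's report). Source addresses come from the RFC 5737
# documentation ranges and "srv" is a made-up hostname.
SAMPLE_AUTH_LOG = """\
Aug 10 12:00:01 srv sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Aug 10 12:00:03 srv sshd[1202]: Failed password for invalid user admin from 203.0.113.6 port 40210 ssh2
Aug 10 12:00:04 srv sshd[1203]: Failed password for root from 203.0.113.7 port 38891 ssh2
Aug 10 12:00:06 srv sshd[1204]: Failed password for root from 198.51.100.9 port 50112 ssh2
Aug 10 12:00:09 srv sshd[1205]: Failed password for root from 198.51.100.9 port 50113 ssh2
Aug 10 12:00:11 srv sshd[1206]: Accepted password for root from 198.51.100.9 port 50114 ssh2
Aug 10 12:00:15 srv sshd[1207]: Accepted publickey for deploy from 192.0.2.10 port 44100 ssh2: ED25519 SHA256:abc
Aug 10 12:00:20 srv sshd[1208]: Failed password for invalid user pi from 203.0.113.8 port 33120 ssh2
"""

# Matches the sshd "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>" lines.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9A-Fa-f.:]+) port \d+"
)


def parse_auth_log(text):
    """Return one dict per recognised sshd authentication line."""
    return [m.groupdict() for line in text.splitlines() if (m := LINE_RE.search(line))]


def summarize_password_attacks(events, distinct_ip_threshold=3):
    """Aggregate password-auth events the way a distributed brute force shows up.

    Returns (targeted, suspicious_logins):
      targeted         -> {user: sorted list of distinct source IPs that failed a
                          password login for that user}, for users hit from at
                          least distinct_ip_threshold sources
      suspicious_logins -> (user, ip, prior_failures) for every accepted password
                          login from a source that had failed before it
    """
    failed_ips_by_user = defaultdict(set)
    failed_by_ip = defaultdict(int)
    suspicious_logins = []
    for ev in events:
        if ev["method"] != "password":
            continue  # key-based logins are not part of a password brute force
        if ev["result"] == "Failed":
            failed_ips_by_user[ev["user"]].add(ev["ip"])
            failed_by_ip[ev["ip"]] += 1
        elif failed_by_ip[ev["ip"]] > 0:
            suspicious_logins.append((ev["user"], ev["ip"], failed_by_ip[ev["ip"]]))
    targeted = {user: sorted(ips) for user, ips in failed_ips_by_user.items()
                if len(ips) >= distinct_ip_threshold}
    return targeted, suspicious_logins


def password_auth_enabled(sshd_config_text):
    """Effective global PasswordAuthentication value from sshd_config text.

    sshd keeps the first value it sees for a keyword, keywords are
    case-insensitive, "Keyword value" and "Keyword=value" are both accepted,
    and the compiled-in default is yes. Directives below a Match line apply
    only to matching connections, so the scan stops there. Assumption for the
    example: Include files are not followed, so check them separately.
    """
    for raw in sshd_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if key == "passwordauthentication" and len(parts) == 2:
            return parts[1].strip().lower() == "yes"
    return True


if __name__ == "__main__":
    targeted, logins = summarize_password_attacks(parse_auth_log(SAMPLE_AUTH_LOG))
    print("accounts guessed from multiple sources:", targeted)
    print("password logins that followed failures from the same source:", logins)
    print("password auth enabled with an empty config (default):", password_auth_enabled(""))
    print("password auth enabled after 'PasswordAuthentication no':",
          password_auth_enabled("PasswordAuthentication no\n"))
```

In the constructed sample no single address exceeds two failures, which is below most per-IP lockout defaults, yet `root` is being guessed from three sources and one of them then logs in with a password. Turning `PasswordAuthentication` off (and confirming it with `sshd -T | grep -i passwordauthentication`, which reports the effective value after includes) removes the attack surface this bot depends on.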
Newer variants circulating at the time of the report featured a shell command that replaced the victim's SSH keys with the actor's, establishing persistence that survives even an SSH password change.
RapperBot added a routine to append the actor's SSH key to the host's "~/.ssh/authorized_keys", which helps maintain access to the server across reboots or even if the malware is found and deleted, because the key lives in the account's configuration rather than in the malware binary.
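Because the foothold is an entry in authorized_keys rather than a running process, the practical check is to inventory every account's authorized_keys file (not only root's) and compare each key's fingerprint with what configuration management or the operator expects. The following Python is an added example, not code from the article or from Fortinet's report: it parses authorized_keys lines including an optional leading options field, verifies that the base64 blob really carries the declared key type, computes the `SHA256:` fingerprint in the same form `ssh-keygen -lf` prints, and reports every entry whose fingerprint is not on an allowlist. The sample file, the two Ed25519 keys (built from arbitrary 32-byte values) and the comments are constructed for the demonstration; quoted options that themselves contain a key-type string are an assumed-absent edge case.

```python
import base64
import hashlib
import struct


def ssh_string(b):
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ed25519_blob(pubkey32):
    """Wire encoding of an ssh-ed25519 public key: string(type) || string(32-byte key).
    Used here only to construct sample keys; the audit itself works on any key type."""
    return ssh_string(b"ssh-ed25519") + ssh_string(pubkey32)


def fingerprint(blob):
    """SHA256 fingerprint as ssh-keygen -lf prints it (base64 with '=' padding stripped)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com",
    "sk-ecdsa-sha2-nistp256@openssh.com",
}


def parse_authorized_keys(text):
    """Parse authorized_keys text into one dict per non-comment line.

    Each dict has "line" plus either "type", "fingerprint", "options", "comment"
    or an "error" describing why the line could not be read as a key.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # The key-type token may be preceded by an options field such as
        # 'from="192.0.2.0/24",no-pty'; everything before it is options.
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(fields):
            entries.append({"line": lineno, "error": "no key type/blob found"})
            continue
        try:
            blob = base64.b64decode(fields[idx + 1], validate=True)
        except ValueError:
            entries.append({"line": lineno, "error": "blob is not valid base64"})
            continue
        # The first string inside the blob repeats the key type; a mismatch means
        # a corrupted or hand-edited entry.
        declared = fields[idx].encode()
        if len(blob) < 4 or blob[4:4 + struct.unpack(">I", blob[:4])[0]] != declared:
            entries.append({"line": lineno, "error": "blob type does not match declared type"})
            continue
        entries.append({
            "line": lineno,
            "type": fields[idx],
            "fingerprint": fingerprint(blob),
            "options": " ".join(fields[:idx]),
            "comment": " ".join(fields[idx + 2:]),
        })
    return entries


def unknown_keys(entries, allowed_fingerprints):
    """Entries whose fingerprint is not on the allowlist; unparseable lines are
    returned too, since they also deserve a look."""
    return [e for e in entries if e.get("fingerprint") not in allowed_fingerprints]


# Constructed sample (not real operator keys): the 32-byte key values are arbitrary.
KNOWN_DEPLOY_KEY = ed25519_blob(bytes(range(32)))
ROGUE_KEY = ed25519_blob(bytes(range(32, 64)))
ALLOWLIST = {fingerprint(KNOWN_DEPLOY_KEY)}

SAMPLE_AUTHORIZED_KEYS = f"""\
# deploy key managed by configuration management
ssh-ed25519 {base64.b64encode(KNOWN_DEPLOY_KEY).decode()} deploy@ci
from="192.0.2.0/24",no-pty ssh-ed25519 {base64.b64encode(ROGUE_KEY).decode()} unknown@example
this is not a key
"""

if __name__ == "__main__":
    for e in unknown_keys(parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS), ALLOWLIST):
        print("line", e["line"], e.get("fingerprint", e.get("error")), e.get("comment", ""))
```

On a real host, run this over `/root/.ssh/authorized_keys` and every home directory's `.ssh/authorized_keys` (plus any path listed under `AuthorizedKeysFile` in sshd_config), build the allowlist from `ssh-keygen -lf` output of the keys you actually issued, and treat any line the parser cannot read as suspicious rather than skipping it.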