New Linux malware brute-forces SSH servers to breach networks (Security News, August 2022)
A new botnet called 'RapperBot' has been used in attacks since mid-June 2022, focusing on brute-forcing its way into Linux SSH servers to establish a foothold on the device.
Over the past 1.5 months since its discovery, the new botnet used over 3,500 unique IPs worldwide to scan and attempt brute-forcing Linux SSH servers.
"Unlike the majority of Mirai variants, which natively brute force Telnet servers using default or weak passwords, RapperBot exclusively scans and attempts to brute force SSH servers configured to accept password authentication," explains the Fortinet report.
"The bulk of the malware code contains an implementation of an SSH 2.0 client that can connect and brute force any SSH server that supports Diffie-Hellman key exchange with 768-bit or 2048-bit keys and data encryption using AES128-CTR."
The newer variants circulating at that time featured a shell command that replaced the victim's SSH keys with the actor's, essentially establishing persistence that's maintained even after SSH password changes.
RapperBot added a routine that appends the actor's SSH public key to the host's "~/.ssh/authorized_keys", which keeps access to the server alive across reboots and even after the malware binary itself is found and deleted.
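Because the persistence described above lives in a plain text file rather than in the malware binary, the defender's check is an inventory of what is actually in `authorized_keys` against what is supposed to be there. The script below is an added example written for this article, not code from Fortinet or from the article's author: it parses `authorized_keys` lines (including the optional leading options field, which may contain quoted spaces), computes the OpenSSH-style `SHA256:` fingerprint of each key blob the way `ssh-keygen -lf` prints it, and reports every key whose fingerprint is not on an allowlist. The sample file, the three keys (built from constant bytes, so they are not real key material), the comments such as `user@localhost`, and the allowlist of two fingerprints are all constructed for the demonstration; in practice the allowlist comes from configuration management and the script is run against every user's and root's `authorized_keys`.

```python
import base64
import hashlib
import re
import struct
from dataclasses import dataclass
from typing import List, Set

# Key types accepted by OpenSSH that the parser knows how to locate on a line.
KEY_TYPES = (
    "ssh-ed25519", "ssh-rsa", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
)
# An entry may start with an options field (e.g. command="...",no-pty) that can
# contain quoted spaces, so anchor on the key type instead of splitting on spaces.
_LINE_RE = re.compile(
    r"(?:^|\s)(" + "|".join(re.escape(t) for t in KEY_TYPES)
    + r")\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$"
)


@dataclass
class Entry:
    line_no: int
    options: str
    key_type: str
    fingerprint: str
    comment: str


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 key blob (unpadded, as ssh-keygen -lf prints it)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> List[Entry]:
    """Parse authorized_keys content into entries; blank and '#' lines are skipped."""
    entries: List[Entry] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = _LINE_RE.search(stripped)
        if m is None:
            continue  # unparseable line; a stricter audit could report it too
        entries.append(Entry(
            line_no=line_no,
            options=stripped[:m.start()].strip(),
            key_type=m.group(1),
            fingerprint=fingerprint(m.group(2)),
            comment=(m.group(3) or "").strip(),
        ))
    return entries


def audit(text: str, allowed: Set[str]) -> List[Entry]:
    """Return every entry whose fingerprint is not on the allowlist."""
    return [e for e in parse_authorized_keys(text) if e.fingerprint not in allowed]


# ---- constructed sample data (assumption: not real keys, not real hosts) ----
def ed25519_blob(pub32: bytes) -> str:
    """Encode 32 bytes as an ssh-ed25519 public key blob: string(type) || string(key)."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(pub32)) + pub32
    return base64.b64encode(blob).decode()


ADMIN_BLOB = ed25519_blob(bytes(range(32)))
UNKNOWN_BLOB = ed25519_blob(bytes(range(32, 64)))
BACKUP_BLOB = ed25519_blob(b"\x41" * 32)

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample ~/.ssh/authorized_keys",
    f"ssh-ed25519 {ADMIN_BLOB} admin@jumphost",
    f"ssh-ed25519 {UNKNOWN_BLOB} user@localhost",
    f'command="/usr/bin/rrsync /backup",no-pty ssh-ed25519 {BACKUP_BLOB} backup@nas',
])

# Keys that are supposed to be present (constructed allowlist; load from CM in practice).
ALLOWED_FINGERPRINTS = {fingerprint(ADMIN_BLOB), fingerprint(BACKUP_BLOB)}


def audit_sample() -> List[Entry]:
    """Run the audit over the constructed sample; one unknown key is expected."""
    return audit(SAMPLE_AUTHORIZED_KEYS, ALLOWED_FINGERPRINTS)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # audit a real file: python audit_keys.py /home/user/.ssh/authorized_keys
        with open(sys.argv[1]) as fh:
            findings = audit(fh.read(), ALLOWED_FINGERPRINTS)
    else:
        findings = audit_sample()
    for e in findings:
        print(f"line {e.line_no}: unknown {e.key_type} key {e.fingerprint} "
              f"comment={e.comment!r} options={e.options!r}")
```

Run without arguments it reports only line 3 of the sample (the key not on the allowlist); given a path it audits that file instead. Fingerprints rather than raw blobs are compared so the allowlist is the same list `ssh-keygen -lf` produces for the keys you issued, and the options field is kept in the report because a forced `command=` or missing restriction on an unexpected key is itself worth a look.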