[MART] - Daily Diary #567 - RapperBot, A New Linux Malware

ctas-mat at appgate.com
Thu Aug 4 22:06:14 UTC 2022


I hope everyone is doing well!

Below is the entry for today.

08/04/2022 - Diary entry #567:

In June 2022, a new Linux Mirai-based botnet was discovered. Named RapperBot (due to an embedded URL to a YouTube rap music video found in older samples), it has its own C2 (command & control) protocol and unique features such as the ability to brute-force access to SSH servers, as well as post-compromise activity.

Instead of Mirai’s propagation capability, RapperBot focuses on getting initial access; it can then be used for lateral movement and to deploy additional payloads. In the past couple of months, RapperBot used over 3,500 unique IPs (mostly from the US, Taiwan, and South Korea) to scan and brute-force Linux SSH servers.

It’s not the first time we have covered a Mirai variant in our Daily Diaries since Mirai’s source code was leaked online in 2016. However, this new variant was significantly modified with unique features that can impact misconfigured servers that use weak credentials or have no password-changing policy.

Kind Regards,


Felipe Tarijon de Almeida
Malware Analyst

E: felipe.tarijon at appgate.com
