RapperBot, a Mirai-based worm, targets IoT devices via “intelligent brute forcing”

Cybercriminals continuously refine their skills and tools in search of new ways to compromise individuals and companies. Kaspersky has examined several uncommon infection methods in a recent Securelist blog post. Among other findings, it describes RapperBot, a Mirai-based worm that infects IoT devices with the ultimate goal of launching DDoS attacks against non-HTTP targets. The post also covers the information stealer Rhadamanthys and CUEMiner, a miner built on open-source malware and presumably distributed through BitTorrent and OneDrive.

RapperBot was first observed in June 2022, when it targeted Secure Shell (SSH) services. Unlike Telnet, which transmits everything, including login credentials, as plain text, SSH encrypts the whole session. The latest version of RapperBot has dropped its SSH functionality and now focuses exclusively on Telnet, with considerable success: in the fourth quarter of 2022, RapperBot infection attempts reached 112,000 users from more than 2,000 unique IP addresses.

What sets RapperBot apart from other worms is its “intelligent” brute forcing: it reads the login prompt the device presents and uses it to pick a credential set appropriate for that device type, rather than working through a huge generic list. This speeds up brute forcing considerably, since only a handful of guesses are needed per device. In December 2022, the three countries with the highest number of devices infected by RapperBot were Taiwan, South Korea and the US.
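Prompt-tailored guessing leaves a recognisable trace on a Telnet honeypot: a classic dictionary bot hammers one prompt with dozens of credentials, while a prompt-aware bot tries only a few per prompt, and those few correlate with the banner it was shown. The following detector is an added example, not Kaspersky's code and not RapperBot's; it assumes a honeypot that rotates its login banner per connection and logs one line per attempt. The log lines, prompt patterns and credential pairs are all constructed for illustration.

```python
"""Spot prompt-tailored Telnet credential guessing in honeypot logs.

Added example (not Kaspersky's or RapperBot's code). Assumes a Telnet
honeypot that rotates its login banner per connection and writes
`ts src_ip "prompt" user password result` per attempt. All data below
is constructed.
"""
import re
import shlex
from collections import defaultdict

# Constructed: the handful of credentials a prompt-aware bot would try for
# each device class, keyed by a regex matched against the login prompt.
PROMPT_PROFILES = {
    re.compile(r"NVR login"): {("admin", "nvr-default"), ("root", "nvr-default")},
    re.compile(r"Router login"): {("admin", "rtr-default"), ("user", "rtr-default")},
    re.compile(r"Camera login"): {("admin", "cam-default"), ("root", "cam-default")},
}

# Constructed honeypot log: one prompt-aware source, one dictionary source,
# one single-attempt source.
HONEYPOT_LOG = """\
2022-12-01T10:00:01Z 198.51.100.7 "NVR login:" admin nvr-default FAIL
2022-12-01T10:00:02Z 198.51.100.7 "NVR login:" root nvr-default FAIL
2022-12-01T10:05:10Z 198.51.100.7 "Router login:" admin rtr-default FAIL
2022-12-01T10:05:11Z 198.51.100.7 "Router login:" user rtr-default FAIL
2022-12-01T10:09:40Z 198.51.100.7 "Camera login:" admin cam-default FAIL
2022-12-01T10:09:41Z 198.51.100.7 "Camera login:" root cam-default FAIL
2022-12-01T11:00:00Z 203.0.113.9 "NVR login:" admin admin FAIL
2022-12-01T11:00:01Z 203.0.113.9 "NVR login:" admin 1234 FAIL
2022-12-01T11:00:02Z 203.0.113.9 "NVR login:" admin password FAIL
2022-12-01T11:00:03Z 203.0.113.9 "NVR login:" root root FAIL
2022-12-01T11:00:04Z 203.0.113.9 "NVR login:" root toor FAIL
2022-12-01T11:00:05Z 203.0.113.9 "NVR login:" root 12345 FAIL
2022-12-01T11:00:06Z 203.0.113.9 "NVR login:" support support FAIL
2022-12-01T11:00:07Z 203.0.113.9 "NVR login:" user user FAIL
2022-12-01T11:00:08Z 203.0.113.9 "NVR login:" guest guest FAIL
2022-12-01T11:00:09Z 203.0.113.9 "NVR login:" admin nvr-default FAIL
2022-12-01T11:00:10Z 203.0.113.9 "NVR login:" admin 1111 FAIL
2022-12-01T11:00:11Z 203.0.113.9 "NVR login:" admin 12345678 FAIL
2022-12-01T12:00:00Z 192.0.2.5 "Router login:" root root FAIL
"""


def parse_log(text):
    """Split each line into fields; shlex keeps the quoted prompt together."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, prompt, user, password, result = shlex.split(line)
        records.append({"ts": ts, "src": src, "prompt": prompt,
                        "cred": (user, password), "result": result})
    return records


def expected_for(prompt):
    """Credentials a prompt-aware bot would choose for this banner (or none)."""
    for pattern, creds in PROMPT_PROFILES.items():
        if pattern.search(prompt):
            return creds
    return set()


def classify_sources(records, min_attempts=4, max_per_prompt=3, min_tailored=0.8):
    """Label each source IP as prompt-tailored, dictionary, or low-volume.

    prompt-tailored: enough attempts, almost all drawn from the profile for the
    prompt shown, and never more than a few distinct guesses per prompt.
    dictionary: enough attempts but wide or untargeted guessing.
    """
    per_src = defaultdict(list)
    for rec in records:
        per_src[rec["src"]].append(rec)

    verdicts = {}
    for src, attempts in per_src.items():
        creds_by_prompt = defaultdict(set)
        tailored = 0
        for rec in attempts:
            creds_by_prompt[rec["prompt"]].add(rec["cred"])
            if rec["cred"] in expected_for(rec["prompt"]):
                tailored += 1
        total = len(attempts)
        ratio = tailored / total
        widest = max(len(c) for c in creds_by_prompt.values())
        if total < min_attempts:
            label = "low-volume"
        elif ratio >= min_tailored and widest <= max_per_prompt:
            label = "prompt-tailored"
        else:
            label = "dictionary"
        verdicts[src] = {"label": label, "attempts": total,
                         "prompts": len(creds_by_prompt),
                         "tailored_ratio": round(ratio, 2)}
    return verdicts


if __name__ == "__main__":
    for src, v in classify_sources(parse_log(HONEYPOT_LOG)).items():
        print(f"{src:15} {v['label']:16} attempts={v['attempts']:2} "
              f"prompts={v['prompts']} tailored={v['tailored_ratio']}")
```

The thresholds are deliberately loose; tune `max_per_prompt` and `min_tailored` against your own honeypot traffic, and note that the signal only exists if the honeypot actually varies the banner it shows, because a fixed banner gives the bot one prompt and no choice to reveal.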

Another new malware family described in Kaspersky's blog post is CUEMiner, based on open-source malware that first appeared on GitHub in 2021. The latest version, discovered in October 2022, consists of the miner itself and a so-called “watcher”, a program that monitors the victim's system for resource-heavy processes, such as video games, being launched.

During the investigation of CUEMiner, Kaspersky observed two methods of spreading the malware. The first is trojanised cracked software downloaded via BitTorrent; the second is trojanised cracked software downloaded from OneDrive sharing links. Since no direct links were available at the time of publication, it remains unclear how victims are lured into downloading these packages. However, many crack sites no longer provide downloads directly; instead they point to Discord server channels for further discussion, which suggests some degree of human interaction and social engineering.

Such “open-source” malware is popular among amateur or unskilled cybercriminals because it lets them run large campaigns. CUEMiner victims are currently found all over the world, some inside enterprise networks; the largest numbers in Kaspersky Security Network (KSN) telemetry have been in Brazil, India and Turkey.

Finally, the blog post provides new information on Rhadamanthys, an information stealer distributed through Google Ads (malvertising). It was already featured on Securelist in March 2023, but Kaspersky has since found that Rhadamanthys is closely related to the Hidden Bee miner, which is aimed squarely at cryptocurrency mining. Both hide their payload inside image files and use similar bootstrapping shellcode; both also use in-memory virtual file systems and the Lua language to load plugins and modules.

“Open-source malware, code reuse and rebranding are widely used by cybercriminals. It means that even less skilled attackers can now perform large-scale campaigns and target victims around the globe. Moreover, malvertising is becoming a hot trend as it is already highly demanded among malware groups. To avoid such attacks and protect your company from being compromised, it’s important to be aware of what is going on in cybersecurity, and use the latest protection tools available,” comments Jornt van der Wiel, senior security researcher, GReAT at Kaspersky.

To protect yourself and your business from these and similar attacks, consider following the rules proposed by Kaspersky:

  • Do not expose remote desktop services (such as RDP) to public networks unless absolutely necessary, and always use strong passwords for them.
  • Promptly install available patches for commercial VPN solutions that provide access for remote employees and act as gateways into your network.
  • Focus your defence strategy on detecting lateral movement and data exfiltration to the Internet. Pay special attention to outgoing traffic to detect cybercriminals' connections.
  • Back up data regularly, and make sure you can access the backups quickly in an emergency.
  • Use solutions such as Kaspersky Endpoint Detection and Response Expert and the Kaspersky Managed Detection and Response service, which help identify and stop an attack at an early stage, before the attackers reach their final goal.
  • Use the latest threat intelligence to stay aware of the actual TTPs used by threat actors. The Kaspersky Threat Intelligence Portal is a single point of access for Kaspersky's TI, providing cyberattack data and insights gathered by its team over 25 years. To help businesses build effective defences in these turbulent times, Kaspersky has announced access to independent, continuously updated and globally sourced information on ongoing cyberattacks and threats, at no charge.

