Linux SSH servers targeted by new RapperBot botnet

August 8, 2022

BleepingComputer reports that Linux SSH servers have been besieged by brute-force attacks from the novel Mirai trojan-based RapperBot botnet since mid-June. More than 3,500 unique IP addresses around the world have been scanned by RapperBot as it sought to brute-force Linux SSH servers, according to a report from Fortinet. Despite being a forked version of Mirai, RapperBot was found to have unique functionality, as well as a dedicated command-and-control protocol and post-compromise activity mainly aimed at achieving initial server access. "Unlike the majority of Mirai variants, which natively brute force Telnet servers using default or weak passwords, RapperBot exclusively scans and attempts to brute force SSH servers configured to accept password authentication. The bulk of the malware code contains an implementation of an SSH 2.0 client that can connect and brute force any SSH server that supports Diffie-Hellmann key exchange with 768-bit or 2048-bit keys and data encryption using AES128-CTR," said researchers.

Linux SSH servers targeted by new RapperBot botnet

Related

New Vidar malware campaign sets sights on online sellers

QBot malware operation examined

LatAm email accounts targeted by novel Horabot malware campaign

Related Events

EMOTET Exposed: Inside the Cybercriminals’ Supply Chain

Email Emergency: Steering Clear of Phishing and BEC Scams

Ransomware & Data Exfiltration: A survival guide to prevention & response

Get daily email updates