Something to RapperBot about: a Mirai-based worm targets IoT devices via “intelligent brute forcing”

Something to RapperBot about: a Mirai-based worm targets IoT devices via “intelligent brute forcing”

Cybercriminals continuously develop their skills and tools, looking for new ways to compromise individuals and companies. Kaspersky has explored uncommon infection methods used by attackers in its recent Securelist blogpost. Alongside other discoveries, it features RapperBot, a Mirai-based worm that infects IoT devices with the ultimate goal of launching DDoS attacks against non-HTTP targets. Other methods mentioned in the blogpost includes an information stealer Rhadamanthys, and CUEMiner, based on open-source malware presumably distributed through BitTorrent and One Drive.

The RapperBot was first observed in June 2022, when it was used to target Secure Shell protocol (SSH), considered to be a secure way to communicate files since it uses encrypted communication – comparing to Telnet services that transfers data in a form of a plain text. However, the latest version of RapperBot removed SSH functionality and now focuses exclusively on Telnet and with quite some success. In Q4 2022, RapperBot infection attempts reached 112,000 users from more than 2,000 unique IP addresses.

What sets RapperBot apart from other worms is its “intelligent” way of brute forcing: it checks the prompt and based on the prompt selects the appropriate credentials. This method speeds up the brute forcing process significantly as it doesn’t have to go over a huge list of credentials. In December 2022, the Top-3 countries with the highest number of devices infected by RapperBot were Taiwan, South Korea, and the United States.

Another new malware family described in the Kaspersky’s blogpost is a CUEMiner, based on an open-source malware that first appeared on Github in 2021. The latest version was discovered in October 2022, and includes a miner itself and a so-called “watcher”. This program monitors a system while a heavy process, such as a videogame, is launched on a computer of a victim.

During the investigation of CUEMiner, Kaspersky noticed two methods of spreading the malware. The first is via trojanized cracked software downloaded via BitTorrent. The other method is via trojanized cracked software that is downloaded from OneDrive sharing networks. Since there are no direct links available at the time of publication, it remains unclear how victims are lured into downloading these cracked packages. Nevertheless, many crack sites these days do not immediately provide downloads. Instead they point to Discord server channels for further discussion. This suggests some form of human interaction and social engineering.

Such “open source” malware is very popular among amateur or unskilled cybercriminals since it allows them to conduct massive campaigns – CUEMiner victims are currently found all over the world, some within enterprise networks. The largest number of victims within KSN telemetry have been in Brazil, India, and Turkey.

Finally, the Kaspersky blogpost provides new information on Rhadamanthys, an information stealer that uses Google Advertising as a means of distributing and delivering malware. It was already featured on Securelist in March 2023, but since then, it has been uncovered that Rhadamanthys has a strong connection to Hidden Bee miner, aimed directly at cryptocurrency mining. Both samples use images to hide the payload inside and have similar shellcodes for bootstrapping. Additionally, both use “in-memory virtual file systems” and utilize Lua language to load plugins and modules.

“Open-source malware, code reuse and rebranding are widely used by cybercriminals. It means that even less skilled attackers can now perform large-scale campaigns and target victims around the globe. Moreover, malvertising is becoming a hot trend as it is already highly demanded among malware groups. To avoid such attacks and protect your company from being compromised, it’s important to be aware of what is going on in cybersecurity, and use the latest protection tools available,” comments Jornt van der Wiel, senior security researcher, GReAT at Kaspersky.

Mr. Chris Connell, Manager Director APAC, Kaspersky said “Advancements in technology have made our lives easier, but they have also given rise to sophisticated cybercrime syndicates. Cybercriminals continuously develop their skills and tools, looking for new ways to exploit vulnerabilities in individuals and businesses. From phishing scams to malware attacks, cybercriminals use a range of tactics to gain unauthorized access to systems, steal data, and cause disruption. The increasing use of cloud-based services and the Internet of Things (IoT) has also created new attack vectors that cybercriminals can exploit. Individuals and companies must stay vigilant and take a proactive approach to cybersecurity to protect themselves from these evolving threats. Implementing strong security measures and providing cybersecurity awareness training can go a long way in mitigating the risk of cyber attacks. Our solutions, like Kaspersky Endpoint Detection and Response Expert and Kaspersky Managed Detection and Response, help to identify and stop cyberattacks.”

Learn more about the new infection methods and techniques used by cybercriminals on Securelist.

To protect yourself and your business from ransomware attacks, consider following the rules proposed by Kaspersky:

Do not expose remote desktop services (such as RDP) to public networks unless absolutely necessary and always use strong passwords for them.

Promptly install available patches for commercial VPN solutions providing access for remote employees and acting as gateways in your network.

Focus your defense strategy on detecting lateral movements and data exfiltration to the Internet. Pay special attention to the outgoing traffic to detect cybercriminals’ connections.

Back up data regularly. Make sure you can quickly access it in an emergency when needed.

Use solutions like Kaspersky Endpoint Detection and Response Expert and Kaspersky Managed Detection and Response service which help to identify and stop the attack on early stages, before attackers reach their final goals.

Use the latest Threat Intelligence information to stay aware of actual TTPs used by threat actors. The Kaspersky Threat Intelligence Portal is a single point of access for Kaspersky’s TI, providing cyberattack data and insights gathered by our team for 25 years. To help businesses enable effective defenses in these turbulent times, Kaspersky has announced access to independent, continuously updated and globally sourced information on ongoing cyberattacks and threats, at no charge.