8 August 2022

Rapidly evolving IoT RapperBot malware targets Linux systems using SSH brute force


A new IoT malware, dubbed “RapperBot,” has been observed targeting Linux systems. Like many other IoT malware families, RapperBot is based on Mirai source code, although it uses brute force to gain access to SSH servers instead of Telnet as implemented in Mirai.

First discovered in June 2022 by researchers at FortiGuard Labs, the malware also has functionality that allows it to maintain persistence in order to provide threat actors continued access to infected devices via SSH even after the device is rebooted or the malware has been removed.

RapperBot is designed to function primarily as an SSH brute forcer with limited capabilities to carry out distributed denial-of-service (DDoS) attacks. The malware targets ARM, MIPS, SPARC, and x86 architectures.

While RapperBot heavily reuses parts of the Mirai source code, it differs significantly from the original Mirai and typical Mirai-based variants.

“Unlike the majority of Mirai variants, which natively brute force Telnet servers using default or weak passwords, RapperBot exclusively scans and attempts to brute force SSH servers configured to accept password authentication. The bulk of the malware code contains an implementation of an SSH 2.0 client that can connect and brute force any SSH server that supports Diffie-Hellman key exchange with 768-bit or 2048-bit keys and data encryption using AES128-CTR,” the researchers wrote in their report.

The attack involves brute-forcing potential targets using a list of credentials received from a remote server. Once a vulnerable SSH server is compromised, the valid credentials are sent back to the command-and-control server.

The researchers also noticed that since mid-July RapperBot has switched from self-propagation to maintaining remote access to the brute-forced SSH servers. This is a lasting threat to breached servers, because the malicious actors can still reach them even after the SSH credentials have been changed or SSH password authentication has been disabled.

FortiGuard researchers have been monitoring the threat for a month and noticed several interesting changes in RapperBot’s functionality, such as the malware author’s experiments with the DDoS attack and self-propagation capabilities, but they are still puzzling over the primary motivation of the threat actors behind the campaign. It appears that the attackers are amassing a rapidly growing collection of compromised SSH servers, most of them located in the United States, Taiwan, and South Korea.

“Due to some significant and curious changes that RapperBot has undergone, its primary motivation is still a bit of a mystery. Regardless, since its primary propagation method is brute forcing SSH credentials, this threat can easily be mitigated by setting strong passwords for devices or disabling password authentication for SSH (where possible),” the researchers said.
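Because the researchers' recommended mitigation is to disable SSH password authentication, the following added check (example code written for this article, not part of the FortiGuard report) parses an sshd_config fragment and reports whether password-only logins are still possible, taking into account that sshd honours the first value of a keyword and that keyboard-interactive authentication with PAM can still prompt for a password. The sample configuration is constructed.

```python
import re

# Constructed sample sshd_config (not from the report) showing a common
# mistake: password auth is "disabled" on a later line, but sshd uses the
# FIRST value it reads for a keyword, so the earlier "yes" stays in effect.
SAMPLE_SSHD_CONFIG = """
Port 22
PasswordAuthentication yes
KbdInteractiveAuthentication yes
UsePAM yes
# later hardening attempt, silently ignored by sshd
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
"""

def effective_global_settings(config_text):
    """Return the effective global value for each sshd_config keyword.

    Keywords are case-insensitive, the first occurrence wins, and lines
    after a Match block apply only to matching connections, so parsing
    stops there to keep only the defaults that apply to every client.
    """
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        if key not in settings and len(parts) == 2:
            settings[key] = parts[1].strip().lower()
    return settings

def password_logins_possible(config_text):
    """True if a remote client could still authenticate with only a password.

    Defaults follow upstream OpenSSH: PasswordAuthentication and
    KbdInteractiveAuthentication (ChallengeResponseAuthentication in older
    releases) default to yes, UsePAM defaults to no. With UsePAM enabled,
    keyboard-interactive lets PAM ask for the account password even when
    PasswordAuthentication is set to no.
    """
    s = effective_global_settings(config_text)
    password = s.get("passwordauthentication", "yes") == "yes"
    kbd = s.get("kbdinteractiveauthentication",
                s.get("challengeresponseauthentication", "yes")) == "yes"
    use_pam = s.get("usepam", "no") == "yes"
    return password or (kbd and use_pam)

if __name__ == "__main__":
    print("password logins possible:", password_logins_possible(SAMPLE_SSHD_CONFIG))
```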
