Tips to Protect Your Linux Systems From RapperBot Malware

In this post, we are talking about a new malware that most likely affects Linux systems. Researchers from FortiGuard Labs from Fortinet, a well know enterprise security firm, have been monitoring a fast-growing IoT malware family known as “RapperBot.” since mid-June 2022. The malware is said to be capable of brute forcing SSH servers to capture their credentials. Since remote attackers use this malware to gain control of vulnerable Linux systems, it is highly critical to know more about RapperBot malware and take all the precautions o protect your Linux systems from RapperBot malware.

Before we see how to protect your Linux systems from RapperBot Malware, let’s see some key extracts from the report with its working and, finally, some of the protection methods.

Key Extracts from the Report:

• FortiGuard Labs has been tracking RapperBot since mid-June 2022.
• The malware affects non-windows, most likely Linux systems.
• The malware targets ARM, MIPS, SPARC, and x86 architectures 
• Attackers could gain control of the vulnerable systems.
• Source code of RapperBot malware is imported from Mirai 
• Unlike Mirai, RapperBot targets only SSH servers.
• In total, 3500 servers from the globe were expected to be compromised.
• IPs from the US, Taiwan, and South Korea cumulatively scored more than half of the score.

About RapperBot Malware:

RapperBot belongs to IoT malware families whose source code is expected to be imported from the Mirai botnet. The thing that keeps RapperBot different from its source Mirai is that RapperBot targets SSH credentials on vulnerable Linux servers instead of Telnet service. Attackers use this malware to compromise the victim and take control of the victim system with root privileges. 

Researchers say the recent new samples clearly show that the malware keeps evolving with additional code to maintain persistence and work covered under the radar. Additionally, the malware has developed capabilities of importing new credentials from the new C2 servers instead of using hardcoded credentials in its earlier variants to brute force the victim. In the brute force attack, if the malware finds a successful match of username and password, it writes back the successful login credentials to the C2 server and stores them in its global database. 

This allows the threat actors to continually add new SSH credentials without having to update infected devices with new samples. This port number ranges from 4343 to 4345 in the latest samples.

– FortiGuard Labs

in the latest samples, the malware has started adding the root user and SSH keys that further allows malware authors to take complete control of the device and keep their presence even after the reboot or removal of the malware. Please read the complete technical details about the RapperBot malware here. 

Tips to Protect Your Linux Systems from Rapp

There are a number of ways to protect your SSH credentials from brute force attacks. The most common and effective way is to use a strong password. A strong password should be at least eight characters long and should include a mix of letters, numbers, and symbols. It should also be changed regularly.

Another way to protect your SSH credentials from brute force attacks is to use two-factor authentication. Two-factor authentication requires users to provide both a password and a code generated by an authenticator app or device in order to log in. This makes it much more difficult for attackers to gain access to your account, even if they have your password.

You can also protect your SSH credentials by limiting the number of failed login attempts. After a certain number of failed login attempts, the account will be locked and the user will need to contact an administrator in order to regain access.

Finally, you can use a tool like fail2ban to automatically ban IP addresses that are associated with brute force attacks. This will prevent the attacker from even attempting to log in, as their IP address will be blocked.

By following these steps, you can protect your SSH credentials from brute force attacks and keep your account safe.

How to Protect Your Linux Systems From RapperBot Malware?

Since the primary attack vector of RapperBot is to brute forcing SSH credentials, it is recommended to set complex and unique passwords. Setting up key authentication instead of password authentication is a good option to protect your Linux from RapperBot Malware. Please take a look at the “How To Setup SSH Keys On The Raspberry Pi?” post to see the step-by-step procedure to set up key-based authentication instead of password-based authentication.

How to Configure Key Authentication Instead of Password on Linux?

There are a few steps that you need to take in order to configure key authentication instead of password authentication on your Linux server. Firstly, you need to generate a public/private key pair on your local machine. Next, you will need to copy the public key to your server. Finally, you will need to edit the sshd_config file to disable password authentication and enable key authentication.

In order to generate a public/private key pair, you can use the ssh-keygen command. This will generate a 2048-bit RSA key pair by default. You can change the type of key that is generated by using the -t option. For example, to generate an Ed25519 key pair, you would use the following command:

ssh-keygen -t ed25519

Once you have generated your key pair, you will need to copy the public key to your server. The easiest way to do this is using the ssh-copy-id command. This will copy your public key to the ~/.ssh/authorized_keys file on your server.

Once your public key has been copied to your server, you will need to edit the sshd_config file to disable password authentication and enable key authentication. To do this, you will need to change the following lines in the file:

PasswordAuthentication no
PubkeyAuthentication yes

After making these changes, you will need to restart the SSH service in order for them to take effect.

Once you have completed these steps, you will be able to connect to your server using key authentication instead of password authentication. This is more secure than password authentication because it means that even if someone were to obtain your password, they would not be able to log in to your server unless they also had your private key.

IOCs of RapperBot Malware:

Please take these Indicators of compromise captured by FortiGuard Labs.

Files

• 92ae77e9dd22e7680123bb230ce43ef602998e6a1c6756d9e2ce5822a09b37b4
• a31f4caa0be9e588056c92fd69c8ac970ebc7e85a68615b1d9407a954d4df45d
• e8d06ac196c7852ff71c150b2081150be9996ff670550717127db8ab855175a8
• 23a415d0ec6d3131f1d537836d3c0449097e98167b18fbdbf2efca789748818a
• c83f318339e9c4072010b625d876558d14eaa0028339db9edf12bbcafe6828bb
• 05c78eaf32af9647f178dff981e6e4e43b1579d95ccd4f1c2f1436dbfa0727ad
• 88bbb772b8731296822646735aacbfb53014fbb7f90227b44523d7577e0a7ce6
• e8f1e8ec6b94ea54488d5f714e71e51d58dcdfe4be3827c55970d6f3b06edf73
• 23256f231f3d91b0136b44d649b924552607a29b43a195024dbe6cde5b4a28ad
• 77b2e5fb5b72493bde35a6b29a66e6250b6a5a0c9b9c5653957f64a12c793cd5
• dcdeedee4736ec528d1a30a585ec4a1a4f3462d6d25b71f6c1a4fef7f641e7ae
• ebb860512a55c1cdc8be1399eec44c4481aedb418f15dbda4612e6d38e9b9010
• 9d234e975e4df539a217d1c4386822be1f56cea35f7dd2aa606ae4995894da42
• 1975851c916587e057fa5862884cbac3fa1e80881ddd062392486f5390c86865
• 8380321c1bd250424a0a167e0f319511611f73b53736895a8d3a2ad58ffcd5d5
• f5ff9d1261af176d7ff1ef91aa8c892c70b40caa02c17a25de22539e9d0cdd26
• 2298071b6ba7baa5393be064876efcdbd9217c212e0c764ba62a6f0ffc83cc5a
• 2479932a6690f070fa344e5222e3fbb6ad9c880294d5b822d7a3ec27f1b8b8d5
• 1d5e6624a2ce55616ef078a72f25c9d71a3dbc0175522c0d8e07233115824f96
• 746106403a98aea357b80f17910b641db9c4fedbb3968e75d836e8b1d5712a62
• ddf5aff0485f395c7e6c3de868b15212129962b4b9c8040bef6679ad880e3f31
• e56edaa1e06403757e6e2362383d41db4e4453aafda144bb36080a1f1b899a02
• 55ff25b090dc1b380d8ca152428ba28ec14e9ef13a48b3fd162e965244b0d39b
• 8e9f87bb25ff83e4ad970366bba47afb838028f7028ea3a7c73c4d08906ec102
• d86d158778a90f6633b41a10e169b25e3cb1eb35b369a9168ec64b2d8b3cbeec
• ff09cf7dfd1dc1466815d4df098065510eec504099ebb02b830309067031fe04

Download URLs

• hxxp://31[.]44[.]185[.]235/x86
• hxxp://31[.]44[.]185[.]235/mips
• hxxp://31[.]44[.]185[.]235/arm7
• hxxp://2[.]58[.]149[.]116/arm
• hxxp://2[.]58[.]149[.]116/spc
• hxxp://2[.]58[.]149[.]116/mips
• hxxp://2[.]58[.]149[.]116/x86_64
• hxxp://2[.]58[.]149[.]116/ssh/arm7
• hxxp://2[.]58[.]149[.]116/ssh/mips
• hxxp://2[.]58[.]149[.]116/ssh/x86
• hxxp://2[.]58[.]149[.]116/ssh/spc
• hxxp://194[.]31[.]98[.]244/ssh/new/spc
• hxxp://194[.]31[.]98[.]244/ssh/new/x86
• hxxp://194[.]31[.]98[.]244/ssh/new/mips
• hxxp://194[.]31[.]98[.]244/ssh/new/arm7
• hxxp://194[.]31[.]98[.]244/ssh/new/arm
• hxxp://194[.]31[.]98[.]244/ssh/new/x86
• hxxp://194[.]31[.]98[.]244/ssh/new/mips
• hxxp://194[.]31[.]98[.]244/ssh/new/arm7
• hxxp://194[.]31[.]98[.]244/ssh/new/arm
• hxxp://185[.]225[.]73[.]196/ssh/new/arm
• hxxp://185[.]225[.]73[.]196/ssh/new/arm7
• hxxp://185[.]225[.]73[.]196/ssh/new/mips
• hxxp//185[.]225[.]73[.]196/ssh/new/x86

C2

1. 31[.]44[.]185[.]235
2. 2[.]58[.]149[.]116
3. 194[.]31[.]98[.]244
4. 185[.]225[.]73[.]196

Threat Actor SSH Public Key

AAAAB3NzaC1yc2EAAAADAQABAAACAQC/yU0iqklqw6etPlUon4mZzxslFWq8G8sRyluQMD3i8tpQWT2cX/mwGgSRCz7HMLyxt87olYIPemTIRBiyqk8SLD3ijQpfZwQ9vsHc47hdTBfj89FeHJ GGm1KpWg8lrXeMW+5jIXTFmEFhbJ18wc25Dcds4QCM0DvZGr/Pg4+kqJ0gLyqYmB2fdNzBcU05QhhWW6tSuYcXcyAz8Cp73JmN6TcPuVqHeFYDg05KweYqTqThFFHbdxdqqrWy6fNt8q/cgI30 NBa5W2LyZ4b1v6324IEJuxImARIxTc96Igaf30LUza8kbZyc3bewY6IsFUN1PjQJcJi0ubVLyWyyJ554Tv8BBfPdY4jqCr4PzaJ2Rc1JFJYUSVVT4yX2p7L6iRpW212eZmqLMSoR5a2a/tO2s1 giIlb+0EHtFWc2QH7yz/ZBjnun7opIoslLVvYJ9cxMoLeLr5Ig+zny+IEA3x090xtcL62X0jea6btVnYo7UN2BARziisZze6oVuOTCBijuyvOM6ROZ6s/wl4CQAOSLDeFIP5L1paP9V1XLaYLD BAodNaUPFfTxggH3tZrnnU8Dge5/1JNa08F3WNUPM1S1x8L2HMatwc82x35jXyBSp3AMbdxMPhvyYI8v2J1PqJH8OqGTVjdWe40mD2osRgLo1EOfP/SFBTD5VEo95K2ZLQ==

Threat Actor Root User

1. /etc /passwd suhelper:x:0:0::/:
2. /etc /shadow suhelper:$1$1OJBlhUV$E9DMK0xdoZb8W8wVOibPQ/:19185:0:99999:7:::

We hope this post will help you know how to protect your Linux systems from RapperBot Malware. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this. 

• What Is Brute Force Attack
• What Is Brute Force Attack: How You Can Protect From It?
• Connect Raspberry Pi Remotely
• Step By Step Procedure To Enable Key Based Authentication On Raspberry Pi:
• Enable key based authentication on Raspberry Pi