Fresh RapperBot Malware Variant Brute-Forces Its Way Into SSH Servers

Over the past few weeks, a Mirai variant appears to have made a pivot from infecting new servers to maintaining remote access.

Dark Reading Staff, Dark Reading

August 5, 2022

1 Min Read
Silhouette of a b-boy striking a pose amid stage smoke
Source: Albert Shakirov via Alamy Stock Photo

Tracked by analysts since mid-June, RapperBot malware has spread through brute-force attacks on SSH servers. The IoT botnet targets devices running on ARM, MIPS, SCARC, and x86 architectures, researchers warn.

The malware is a Mirai variant with a few notable, novel features, including ditching the typical Telnet server brute-force approach in favor of attacking SSH servers instead. Fortinet Labs analysts said that since July, RapperBot has changed up its approach from infecting as many servers as possible to maintaining remote access to those compromised SSH servers.

The malware gets its name from a URL that led to a YouTube rap video in early versions, the researchers explained.

"Due to some significant and curious changes that RapperBot has undergone, its primary motivation is still a bit of a mystery," the Fortinet advisory on RapperBot said. "Regardless, since its primary propagation method is brute forcing SSH credentials, this threat can easily be mitigated by setting strong passwords for devices or disabling password authentication for SSH (where possible)."

About the Author

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights