RapperBot Malware Borrows from Mirai Botnet
RapperBot is the name of a piece of malware discovered by researchers with FortiGuard Labs.
The new bot malware is based on code from the infamous Mirai botnet and has been described as "rapidly evolving". The chief difference that sets RapperBot apart from Mirai is its ability to crack credentials by brute force and gain access to SSH servers, whereas Mirai scanned for open Telnet ports.
Another big difference is RapperBot's newly added features that allow it to achieve persistence on compromised devices, so that the operators keep access even after a device is rebooted or the core of the malware has been removed.
RapperBot, much like Mirai, scans huge numbers of Internet-exposed devices, looking for SSH servers that accept passwords. The malware pulls its brute force list from its command and control servers, allowing the botnet operators to expand that list over time without needing to push code updates to the malware payload.
Persistence is achieved by adding an SSH key to ~/.ssh/authorized_keys, which allows access to those devices after a hard reboot of the device or even after the malware is removed.
Researchers pointed out RapperBot's curious obsession with maintaining a foothold on the devices it has infected. In fact, RapperBot chooses this sort of stubborn persistence over self-propagation, as the malware's self-propagation capability was removed in a June update.
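Because the persistence described above lives in ~/.ssh/authorized_keys, the practical check on a fleet is to compare every key in those files against a fingerprint allowlist. The following audit script is an added example, not FortiGuard's or any project's code; the sample file and the key blobs in it are constructed for illustration, and the allowlist is an assumption you would populate from your own known-good keys.

```python
import base64
import hashlib
import shlex
from typing import Iterable, List, Tuple

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-dss")


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the same form `ssh-keygen -lf` prints."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> List[Tuple[str, str, str]]:
    """Return (key_type, fingerprint, comment) for each key line.

    Blank lines and comments are skipped, and the optional leading
    options field (e.g. no-pty,from="...") that an attacker may use to
    make a key look legitimate is stepped over rather than mistaken
    for a key type."""
    keys = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # shlex handles quoted option values
        while fields and fields[0] not in KEY_TYPES:
            fields.pop(0)           # drop the options field
        if len(fields) < 2:
            continue                # malformed line: nothing to hash
        key_type, blob = fields[0], fields[1]
        keys.append((key_type, fingerprint(blob), " ".join(fields[2:])))
    return keys


def unexpected_keys(text: str, allowed: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Keys whose fingerprint is not on the allowlist; these need review."""
    allowed_set = set(allowed)
    return [k for k in parse_authorized_keys(text) if k[1] not in allowed_set]


def _ed25519_blob(fill: int) -> str:
    # Constructed: a syntactically valid ed25519 public-key blob, not a real key.
    raw = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes([fill]) * 32
    return base64.b64encode(raw).decode()


ADMIN_KEY = _ed25519_blob(1)   # constructed "known good" key
ROGUE_KEY = _ed25519_blob(2)   # constructed key standing in for an implant
SAMPLE_AUTHORIZED_KEYS = (
    "# constructed sample ~/.ssh/authorized_keys\n"
    f"ssh-ed25519 {ADMIN_KEY} admin@workstation\n"
    f'no-pty,from="10.0.0.0/8" ssh-ed25519 {ROGUE_KEY}\n'
)
```

Run it per user account (root included) with the allowlist built from fingerprints you issued yourself; any hit is a key to explain or remove, and the host should then be treated as compromised rather than merely cleaned.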