Threat hunters at Fortinet have discovered a new botnet called “RapperBot” that brute-forces its way into Linux SSH servers.

The botnet has used more than 3,500 unique IP addresses worldwide to scan and brute-force Linux SSH servers since it was first used in attacks in mid-June 2022.

RapperBot was discovered after researchers noticed that the IoT malware had some unusual SSH-related strings. Further research shows that RapperBot is a Mirai fork that comes with its own command and control (C2) protocol, unique features and atypical (for a botnet) post-compromise activity.

To brute-force SSH, the botnet relies on a list of credentials downloaded from the C2 via host-unique TCP requests, which are reported back to the C2 after intrusion.

“Unlike the majority of Mirai variants, which natively brute force Telnet servers using default or weak passwords, RapperBot exclusively scans and attempts to brute force SSH servers configured to accept password authentication. The bulk of the malware code contains an implementation of an SSH 2.0 client that can connect and brute force any SSH server that supports Diffie Hellmann key exchange with 768-bit or 2048-bit keys and data encryption using AES128-CTR,” the Fortinet report states.

The goal of RapperBot, however, remains unknown, as the authors kept its DDoS functionality limited and even removed an re-introduced them at some point.

However, the elimination of self-propagation and the addition of persistence and detection avoidance mechanisms show that the operators of the botnet might be interested in selling initial access to ransomware actors.

The sources for this piece include an article in BleepingComputer.