A new version of a Mirai variant called RapperBot is the latest example of malware using relatively uncommon or previously unknown infection vectors to try and spread widely.

RapperBot first surfaced last year as Internet of Things (IoT) malware containing large chunks of Mirai source code but with some substantially different functionality compared with other Mirai variants. The differences included the use of a new protocol for command-and-control (C2) communications and a built-in feature for brute-forcing SSH servers rather than Telnet services, as is common in Mirai variants.

Constantly Evolving Threat

Researchers from Fortinet tracking the malware last year observed its authors regularly altering the malware, first by adding code to maintain persistence on infected machines even after a reboot, and then with code for self-propagation via a remote binary downloader. Later, the malware authors removed the self-propagation feature and added one that allowed them persistent remote access to brute-forced SSH servers.

In the fourth quarter of 2022, Kaspersky's researchers discovered a new RapperBot variant circulating in the wild, where the SSH brute-force functionality had been removed and replaced with capabilities for targeting telnet servers.

Kaspersky's analysis of the malware showed it also integrated what the security vendor described as an "intelligent" and somewhat uncommon feature for brute-forcing telnet. Rather than brute-forcing with a huge set of credentials, the malware checks the prompts received when it telnets to a device — and based on that, selects the appropriate set of credentials for a brute-force attack. That significantly speeds up the brute-forcing process compared with many other malware tools, Kaspersky said.

"When you telnet to a device, you typically get a prompt," says Jornt van der Wiel, a senior security researcher at Kaspersky. The prompt can reveal some information that RapperBot uses to determine the device it's targeting and which credentials to use, he says.

Depending on the IoT device that is targeted, RapperBot uses different credentials, he says. "So, for device A, it uses user/password set A; and for device B, it uses user/password set B," van der Wiel says.

The malware then uses a variety of possible commands, such as "wget," "curl," and "ftpget" to download itself on the target system. If these methods don't work, the malware uses a downloader and installs itself on the device, according Kaspersky.

RapperBot's brute-force process is relatively uncommon, and van der Weil says he can't name other malware samples that use the approach.

Even so, given the sheer number of malware samples in the wild, it's impossible to say if it is the only malware currently using this approach. It's likely not the first piece of malicious code to use the technique, he says.

New, Rare Tactics

Kaspersky pointed to RapperBot as one example of malware employing rare and sometimes previously unseen techniques to spread.

Another example is "Rhadamanthys," an information stealer available under a malware-as-a-service option on a Russian language cybercriminal forum. The info stealer is one among a growing number of malware families that threat actors have begun distributing via malicious advertisements.

The tactic involves adversaries planting malware-laden advertisements or ads with links to phishing sites on online ad platforms. Often the ads are for legitimate software products and applications and contain keywords that ensure they surface high on search engine results or when users browse certain websites. In recent months, threat actors have used such so-called malvertisements to target users of widely used password managers such as LastPass, Bitwarden, and 1Password.

The growing success that threat actors have had with malvertising scams is spurring an increase in the use of the technique. The authors of Rhadamanthys, for instance, initially used phishing and spam emails before switching to malicious advertisements as the initial infector vector.

"Rhadamanthys doesn’t do anything different from other campaigns using malvertising," van der Weil says. "It is, however, part of a trend that we see malvertising is becoming more popular."

Another trend Kaspersky has spotted: the growing use of open source malware among less-skilled cybercriminals.

Take CueMiner, a downloader for coin-mining malware available on GitHub. Kaspersky's researchers have observed attackers distributing the malware using Trojanized versions of cracked apps downloaded via BitTorrent or from OneDrive sharing networks.

"Due to its open source nature, everybody can download and compile it," van der Weil explains. "As these users are typically not very advanced cybercriminals, they have to rely on relatively simple infection mechanisms, such as BitTorrent and OneDrive."