New IoT botnet malware dubbed RapperBot is evolving rapidly

A new IoT botnet malware dubbed RapperBot has been observed rapidly evolving its capabilities since it was first discovered in mid-June 2022.

“This family borrows heavily from the original Mirai source code, but what separates it from other IoT malware families is its built-in capability to brute force credentials and gain access to SSH servers instead of Telnet as implemented in Mirai,” Fortinet FortiGuard Labs said in a report.

The malware, which gets its name from an embedded URL to a YouTube rap music video in an earlier version, is said to have amassed a growing collection of compromised SSH servers, with over 3,500 unique IP addresses used to scan and brute-force their way into the servers.

RapperBot’s current implementation also delineates it from Mirai, allowing it to primarily function as an SSH brute-force tool with limited capabilities to carry out distributed denial-of-service (DDoS) attacks.

The deviation from traditional Mirai behavior is further evidenced in its attempt to establish persistence on the compromised host, effectively permitting the threat actor to maintain long-term access long after the malware has been removed or the device has been rebooted.

The attacks entail brute-forcing potential targets using a list of credentials received from a remote server. Upon successfully breaking into a vulnerable SSH server, the valid credentials are exfiltrated back to the command-and-control.

“Since mid-July, RapperBot has switched from self-propagation to maintaining remote access into the brute-forced SSH servers,” the researchers said.

The access is achieved by adding the operators’ SSH public key to a special file called “~/.ssh/authorized_keys,” permitting the adversary to connect and authenticate to the server using the corresponding private key without having to furnish a password.

“This presents a threat to compromised SSH servers as threat actors can access them even after SSH credentials have been changed or SSH password authentication is disabled,” the researchers explained.

“Moreover, since the file is replaced, all existing authorized keys are deleted, which prevents legitimate users from accessing the SSH server via public key authentication.”
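
A defender-side check for the authorized_keys tampering described above, added here as an example and not code from the Fortinet report or this article: it computes OpenSSH-style SHA256 fingerprints for each entry, compares them with a baseline of known-good fingerprints, and distinguishes an appended unknown key from the wholesale replacement in which every legitimate key has vanished. The key blobs in the sample data are constructed placeholder bytes, not real keys.

```python
"""Audit an authorized_keys file against a baseline of known-good key fingerprints."""
import base64
import hashlib

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 over the raw key blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Yield (fingerprint, comment) per key line, skipping blanks and '#' comments.
    A leading options field (e.g. no-pty,command="...") is tolerated by locating the
    key-type token; options whose quoted values contain spaces are not handled."""
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # malformed entry, no usable key
        yield fingerprint(tokens[idx + 1]), " ".join(tokens[idx + 2:])


def audit(current_text: str, baseline: dict) -> dict:
    """baseline maps fingerprint -> owner for every key expected in the file."""
    present = dict(parse_authorized_keys(current_text))
    unknown = sorted(fp for fp in present if fp not in baseline)
    missing = sorted(fp for fp in baseline if fp not in present)
    # Every baseline key gone at once is the wholesale-replacement pattern, not a stale entry.
    replaced = bool(baseline) and len(missing) == len(baseline)
    return {"unknown": unknown, "missing": missing, "replaced": replaced}


# Constructed sample data: the blobs are placeholder bytes, not real SSH keys.
def _blob(label: str) -> str:
    return base64.b64encode(label.encode()).decode()


ALICE = "ssh-ed25519 " + _blob("constructed-key-alice") + " alice@laptop"
BOB = 'no-pty,command="/usr/bin/backup" ssh-rsa ' + _blob("constructed-key-bob") + " bob@backup"
INTRUDER = "ssh-rsa " + _blob("constructed-key-unknown") + " intruder"
BASELINE = dict(parse_authorized_keys(ALICE + "\n" + BOB + "\n"))
APPENDED = "\n".join([ALICE, BOB, INTRUDER]) + "\n"  # unknown key added, originals intact
REPLACED = INTRUDER + "\n"                             # file overwritten, originals gone
```

In practice the baseline is built once from a trusted copy of each user's file and stored off the host, and `audit()` is run on a schedule or from a file-integrity alert; the `replaced` flag is the signal that matters most for this family.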

The shift also enables the malware to maintain its access to these hacked devices via SSH, permitting the actor to leverage the foothold to conduct Mirai-styled denial-of-service attacks.

These differences from other IoT malware families have had the side-effect of making its primary motivations something of a mystery, a fact further complicated by the fact that RapperBot’s authors have left little-to-no telltale signs of their provenance.

The ditching of self-propagation in favor of persistence notwithstanding, the botnet is said to have undergone significant changes in a short span of time, chief among them being the removal of DDoS attack features from the artifacts at one point, only to be reintroduced a week later.

The objectives of the campaign, ultimately, remain nebulous at best, with no follow-on activity observed after a successful compromise. What’s clear is that SSH servers with default or guessable credentials are being corralled into a botnet for some unspecified future purpose.

To fend off such infections, it’s recommended that users set strong passwords for devices or disable password authentication for SSH where possible.

“Although this threat heavily borrows code from Mirai, it has features that set it apart from its predecessor and its variants,” the researchers said. “Its ability to persist in the victim system gives threat actors the flexibility to use them for any malicious purpose they desire.”

I have three treasures, which I hold and guard: the first is compassion, the second is frugality, the third is not daring to put myself ahead of the world.

From the Tao Te Ching, Chapter 67

https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html

My translation skills are limited :(

Where the meaning is ambiguous, please defer to the original text :)
