Cybercriminals continuously develop their skills and tools, looking for new ways to compromise individuals and companies. Kaspersky has explored uncommon infection methods used by attackers in its recent Securelist blogpost. Alongside other discoveries, it features RapperBot, a Mirai-based worm that infects IoT devices with the ultimate goal of launching DDoS attacks against non-HTTP targets. Other methods mentioned in the blogpost include the information stealer Rhadamanthys and CUEMiner, which is based on open-source malware and presumably distributed through BitTorrent and OneDrive.
RapperBot was first observed in June 2022, when it was used to target the Secure Shell protocol (SSH), which is considered a secure way to transfer files because it uses encrypted communication, in contrast to Telnet services, which transfer data in plain text. However, the latest version of RapperBot has removed the SSH functionality and now focuses exclusively on Telnet, with considerable success. In Q4 2022, RapperBot infection attempts reached 112,000 users from more than 2,000 unique IP addresses.
What sets RapperBot apart from other worms is its “intelligent” way of brute forcing: it checks the login prompt and, based on that prompt, selects the credentials appropriate for the device. This method speeds up the brute-forcing process significantly, since the worm does not have to work through a huge list of credentials. In December 2022, the top three countries with the highest number of devices infected by RapperBot were Taiwan, South Korea, and the United States.
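One defensive consequence of the prompt-driven credential selection described above is that each device sees only a handful of failed logins, so a per-host failure threshold can stay silent. The following Python snippet is an added example, not code from the Kaspersky post: it parses a constructed, syslog-like Telnet failure log (the line format, device names and IP addresses are assumptions) and aggregates failures per source address across distinct devices inside a short time window, which surfaces the spraying pattern even when every single target stays under a conventional threshold.

```python
"""Flag Telnet credential-spraying sources from auth logs.

Added example, not from the Kaspersky post. The log format is a constructed,
syslog-like line: "<ts> <device> telnetd: login failed user=<u> from=<ip>".
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) telnetd: login failed "
    r"user=(?P<user>\S+) from=(?P<src>\S+)$"
)

# Constructed sample log lines (not real telemetry). One source touches four
# devices in about ten seconds with one or two attempts each; the other is a
# single stray failure.
SAMPLE_LOGS = """\
2023-01-10T10:00:01Z cam-01 telnetd: login failed user=root from=198.51.100.7
2023-01-10T10:00:02Z cam-01 telnetd: login failed user=admin from=198.51.100.7
2023-01-10T10:00:05Z dvr-02 telnetd: login failed user=root from=198.51.100.7
2023-01-10T10:00:09Z router-03 telnetd: login failed user=admin from=198.51.100.7
2023-01-10T10:00:12Z cam-04 telnetd: login failed user=root from=198.51.100.7
2023-01-10T10:03:40Z cam-01 telnetd: login failed user=operator from=203.0.113.5
""".splitlines()


def parse_events(lines):
    """Turn matching log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "device": m["device"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def find_spraying_sources(events, window_s=60, min_targets=3):
    """Return {src: set(devices)} for sources that fail logins against at
    least min_targets distinct devices within any window_s-second window.

    Counting distinct targets per source, rather than failures per target,
    is what catches a worm that tries only a few prompt-specific credentials
    on each device before moving on."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within window_s.
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                start += 1
            targets = {e["device"] for e in evs[start:end + 1]}
            if len(targets) >= min_targets and len(targets) > len(flagged.get(src, ())):
                flagged[src] = targets
    return flagged


if __name__ == "__main__":
    for src, devices in find_spraying_sources(parse_events(SAMPLE_LOGS)).items():
        print(f"{src}: {len(devices)} devices hit -> {sorted(devices)}")
```

The thresholds are deliberately low for the sample; in production, tune `window_s` and `min_targets` to the size of the Telnet-exposed device population, and feed the same aggregation with successful logins too, since a correct prompt-specific guess produces no failure at all on the device that was actually compromised.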
Another new malware family described in the Kaspersky blogpost is CUEMiner, based on open-source malware that first appeared on GitHub in 2021. The latest version was discovered in October 2022 and includes the miner itself and a so-called “watcher”. This program monitors the system while a heavy process, such as a video game, is launched on the victim’s computer.
During the investigation of CUEMiner, Kaspersky noticed two methods of spreading the malware. The first is via trojanized cracked software downloaded over BitTorrent. The other is via trojanized cracked software downloaded from OneDrive sharing networks. Since no direct links were available at the time of publication, it remains unclear how victims are lured into downloading these cracked packages. Nevertheless, many crack sites these days do not immediately provide downloads; instead, they point to Discord server channels for further discussion. This suggests some form of human interaction and social engineering.
Such “open-source” malware is very popular among amateur or unskilled cybercriminals because it allows them to conduct massive campaigns: CUEMiner victims are currently found all over the world, some within enterprise networks. The largest number of victims in KSN telemetry have been in Brazil, India, and Turkey.
Finally, the Kaspersky blogpost provides new information on Rhadamanthys, an information stealer that uses Google Ads as a means of distributing and delivering malware. It was already featured on Securelist in March 2023, but since then it has been uncovered that Rhadamanthys has a strong connection to the Hidden Bee miner, which is aimed directly at cryptocurrency mining. Both samples hide their payload inside images and have similar shellcode for bootstrapping. Additionally, both use “in-memory virtual file systems” and the Lua language to load plugins and modules.
“Open-source malware, code reuse and rebranding are widely used by cybercriminals. It means that even less skilled attackers can now perform large-scale campaigns and target victims around the globe. Moreover, malvertising is becoming a hot trend as it is already highly demanded among malware groups. To avoid such attacks and protect your company from being compromised, it’s important to be aware of what is going on in cybersecurity, and use the latest protection tools available,” comments Jornt van der Wiel, senior security researcher, GReAT at Kaspersky.