Cybercriminals constantly evolve their skills and tools, looking for new ways to attack individuals and businesses. In a recent Securelist blog post, Kaspersky examined unusual infection methods used by attackers. One finding is RapperBot, a Mirai-based worm that infects IoT devices with the ultimate goal of launching DDoS attacks against non-HTTP targets. The post also covers the Rhadamanthys information stealer and CUEMiner, which is based on open-source malware and is believed to be distributed via BitTorrent and OneDrive.
RapperBot was first observed in June 2022, when it targeted the Secure Shell protocol (SSH). SSH encrypts the session, unlike Telnet, which sends credentials and commands in plain text; an encrypted transport does not, however, protect a device whose login is guessable, and guessable logins are what this worm relies on. The latest version of RapperBot has dropped the SSH functionality and focuses exclusively on Telnet, with considerable success: in Q4 2022, RapperBot's infection attempts reached 112,000 users from more than 2,000 unique IP addresses.
What sets RapperBot apart from other worms is its "intelligent" brute-forcing method: it checks the login prompt and selects the credentials to try based on what that prompt reveals about the device. This significantly speeds up the brute force because the worm does not have to work through a huge credential list on every target. In December 2022, the top three countries with the highest number of RapperBot-infected devices were Taiwan, South Korea and the United States.
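The mechanism described above, as an added example that is not code from the Securelist post or from RapperBot itself: a regex over the Telnet login prompt picks a device family and a short credential list for it, and the saving over a generic word list is counted. The families, prompts, credentials and honeypot records are all constructed for the example; the post does not publish the worm's actual rules or lists. The honeypot-side `classify_session` check is this example's own heuristic, not something the post describes.

```python
import re

# Constructed rules: a regex over the Telnet login prompt picks a device family
# and the short credential list worth trying against it. Families, prompts and
# credentials are invented for this example; the Securelist post does not
# publish RapperBot's real prompt rules or word lists.
PROMPT_RULES = [
    ("dvr-family",    re.compile(r"\bDVR\b.*login:", re.I | re.S),
     [("admin", "admin"), ("admin", "1234")]),
    ("router-family", re.compile(r"RouterX.*Username:", re.I | re.S),
     [("root", "root"), ("admin", "password")]),
    ("camera-family", re.compile(r"IPCam.*login:", re.I | re.S),
     [("root", "ipcam"), ("admin", "")]),
]

# The list a prompt-unaware worm would walk from top to bottom on every target:
# every family's credentials plus generic filler (also constructed).
GENERIC_LIST = sorted(
    {cred for _, _, creds in PROMPT_RULES for cred in creds} | {
        ("user", "user"), ("guest", "guest"), ("support", "support"),
        ("root", "12345"), ("admin", "admin1234"), ("root", "default"),
        ("service", "service"),
    }
)


def select_credentials(prompt):
    """Prompt-aware selection: the first matching rule wins; with no match,
    fall back to the full generic list."""
    for family, pattern, creds in PROMPT_RULES:
        if pattern.search(prompt):
            return family, list(creds)
    return "unknown", list(GENERIC_LIST)


def attempts_saved(prompt):
    """Guesses avoided versus walking GENERIC_LIST; this is where the speed-up
    the post describes comes from."""
    _, creds = select_credentials(prompt)
    return len(GENERIC_LIST) - len(creds)


def classify_session(prompt, observed):
    """Honeypot-side check (this example's own heuristic): a session is
    'targeted' when every guess it made is in the short list a prompt-aware
    worm would choose for the prompt we showed it, 'generic' otherwise."""
    family, expected = select_credentials(prompt)
    if family == "unknown" or not observed:
        return "generic"
    return "targeted" if set(observed) <= set(expected) else "generic"


# Constructed honeypot records: (source, prompt the honeypot presented, guesses seen).
SESSIONS = [
    ("198.51.100.7", "\r\nDVR-9000\r\nlogin: ",
     [("admin", "admin"), ("admin", "1234")]),
    ("203.0.113.42", "\r\nDVR-9000\r\nlogin: ",
     [("user", "user"), ("guest", "guest"), ("admin", "admin")]),
    ("192.0.2.19", "\r\nWelcome\r\nlogin: ", [("admin", "admin")]),
]

if __name__ == "__main__":
    for src, prompt, guesses in SESSIONS:
        family, _ = select_credentials(prompt)
        print(src, family, "saved", attempts_saved(prompt), "guesses;",
              classify_session(prompt, guesses))
```

The point of `classify_session` is operational: on a Telnet honeypot, a source that goes straight to the two or three credentials that fit the presented banner is behaving differently from one spraying a generic list, and that difference is visible in the log without any malware sample in hand.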
Another new malware family described in Kaspersky's blog post is CUEMiner, based on open-source malware that first appeared on GitHub in 2021. The latest version was discovered in October 2022 and includes a miner and a so-called "watcher". The watcher monitors the system for the start of a heavy process, such as a video game, on the victim's computer.
While investigating CUEMiner, Kaspersky noted two distribution methods. The first is trojanized cracked software downloaded via BitTorrent; the second is trojanized cracked software downloaded from OneDrive sharing networks. With no direct links available at the time of publication, it remains unclear how victims are lured into downloading these cracked packages. Many crack sites these days do not offer downloads directly; instead, they refer visitors to Discord server channels for further discussion, which suggests some form of human interaction and social engineering.
Such "open source" malware is very popular among amateur or untrained cybercriminals because it lets them run large-scale campaigns with little development effort of their own. CUEMiner victims can currently be found all over the world, some within corporate networks. The largest numbers of victims in Kaspersky Security Network telemetry are in Brazil, India and Turkey.
Finally, the Kaspersky blog post provides new information about Rhadamanthys, an information stealer that uses Google Ads to spread and deliver its payload. It was mentioned on Securelist back in March 2023, but it has since come to light that Rhadamanthys has a strong connection to the Hidden Bee miner, which is aimed directly at cryptocurrency mining. Both use images to hide the payload and have similar bootstrapping shellcode. In addition, both use in-memory virtual file systems and the Lua language to load plugins and modules.
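The post says only that both families hide their payload in images, not how. One common way to do that is to append data after the image's final chunk, or to park it in a private chunk, both of which ordinary viewers silently ignore. Below is an added example (not code from the Securelist post or from either malware family) that parses a PNG's chunk stream and reports the three things such hiding tends to leave behind: bytes after IEND, chunk types outside the standard set, and chunks whose CRC does not match their contents. The sample images are constructed inline; `make_png`, `inspect_png` and `STANDARD_CHUNKS` are this example's own names, and the assumption that the payload lives in the PNG container rather than in pixel data is stated here, not taken from the post.

```python
import math
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Chunk types defined by the PNG specification; anything else is private
# or unregistered and worth a second look.
STANDARD_CHUNKS = {
    "IHDR", "PLTE", "IDAT", "IEND", "tRNS", "cHRM", "gAMA", "iCCP", "sBIT",
    "sRGB", "tEXt", "zTXt", "iTXt", "bKGD", "hIST", "pHYs", "sPLT", "tIME",
}


def parse_png_chunks(data):
    """Walk the chunk stream up to and including IEND.

    Returns (chunks, trailing): chunks is a list of (type, length, crc_ok) and
    trailing is whatever follows the IEND chunk. Raises ValueError for input
    that is not a structurally complete PNG.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("missing PNG signature")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos + 8 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            raise ValueError("truncated chunk %r" % ctype)
        crc_ok = zlib.crc32(ctype + body) == struct.unpack(">I", crc)[0]
        chunks.append((ctype.decode("latin-1"), length, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            return chunks, data[pos:]
    raise ValueError("no IEND chunk")


def shannon_entropy(blob):
    """Bits per byte: close to 8 for compressed or encrypted data, lower for text."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def inspect_png(data):
    """Summarise where a payload could be hiding in a PNG container."""
    chunks, trailing = parse_png_chunks(data)
    return {
        "trailing_bytes": len(trailing),
        "trailing_entropy": round(shannon_entropy(trailing), 2),
        "unknown_chunks": [(t, n) for t, n, _ in chunks if t not in STANDARD_CHUNKS],
        "bad_crc": [t for t, _, ok in chunks if not ok],
    }


# --- constructed sample images (test input only) ---------------------------

def _chunk(ctype, body):
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body)))


def make_png(extra_chunks=(), trailer=b""):
    """Build a valid 1x1 RGB PNG, optionally with extra chunks before IDAT
    and/or bytes appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit truecolour
    idat = zlib.compress(b"\x00\xff\x00\x00")              # filter 0 + one red pixel
    png = PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
    for ctype, body in extra_chunks:
        png += _chunk(ctype, body)
    return png + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"") + trailer


if __name__ == "__main__":
    samples = [
        ("clean", make_png()),
        ("appended", make_png(trailer=b"MZ" + bytes(range(256)))),    # fake payload after IEND
        ("private", make_png(extra_chunks=[(b"pyLd", b"\x00" * 32)])),  # payload in a private chunk
    ]
    for name, img in samples:
        print(name, inspect_png(img))
```

Trailing data with entropy near 8 bits per byte is the strongest of the three signals, since legitimate tools rarely append anything after IEND and a packed or encrypted blob is exactly what a loader would stash there. A private chunk with a valid CRC is weaker on its own, because some editors do write vendor chunks, so treat it as a prompt to look at the bytes rather than as a verdict.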