Woburn, MA – April 13, 2023 – Today, Kaspersky released research findings on RapperBot, a Mirai-based worm that infects IoT devices with the ultimate goal of launching DDoS attacks against non-HTTP targets. The research is part of the new Kaspersky Crimeware Report: Uncommon Infection Methods. The report also features other notable discoveries, including Rhadamanthys, an information stealer distributed through Google Advertising, and the open-source-based CUEMiner, which was presumably distributed through BitTorrent and OneDrive.
Cybercriminals continuously develop their skills and tools, looking for new ways to compromise individuals and companies. Kaspersky has explored the most uncommon infection methods used by attackers for its latest report.
Researchers first observed RapperBot in June 2022, when it was used to target the Secure Shell protocol (SSH), which is generally considered a secure way to transfer files because it uses encryption. However, the latest version of RapperBot has removed its SSH functionality and now focuses exclusively on Telnet, with some success. In Q4 2022, RapperBot infection attempts reached 112,000 users from more than 2,000 unique IP addresses.
What sets RapperBot apart from other worms is its “intelligent” approach to brute forcing: it checks the login prompt and selects the appropriate type of credentials accordingly. This method speeds up the brute-forcing process significantly, since the worm can work through a shorter list of credentials. In December 2022, the three countries with the highest number of devices infected by RapperBot were Taiwan, South Korea, and the United States.
Another new malware family described in the report is CUEMiner, based on open-source malware that first appeared on GitHub in 2021. The latest version was discovered in October 2022 and includes a miner as well as a so-called “watcher.” This program monitors the system while a heavy process, such as a video game, is running on the victim’s computer.
During the investigation of CUEMiner, Kaspersky observed two methods of spreading the malware. The first is via trojanized, cracked software downloaded through BitTorrent. The other is via trojanized, cracked software downloaded from OneDrive sharing networks. Since no direct links were available at the time of publication, it remains unclear how victims are lured into downloading these cracked packages. Nevertheless, many crack sites these days do not provide downloads directly; instead, they point to Discord server channels for further discussion. This suggests some form of human interaction and social engineering.
Such open-source malware is very popular among amateur cybercriminals because it allows them to conduct massive campaigns. CUEMiner victims are currently found all over the world, some within enterprise networks. The largest number of victims in Kaspersky Security Network (KSN) telemetry has been in Brazil, India, and Turkey.
Finally, the Kaspersky blogpost provides new information on Rhadamanthys, an information stealer that uses Google Advertising as a means of distributing and delivering malware. It was already featured on Securelist in March 2023, but since then it has been uncovered that Rhadamanthys has a strong connection to the Hidden Bee miner, which is aimed directly at cryptocurrency mining. Both samples hide their payload inside images and use similar shellcode for bootstrapping. Additionally, both use “in-memory virtual file systems” and rely on the Lua language to load plugins and modules.
“Open-source malware, code reuse and rebranding are widely used by cybercriminals,” said Jornt van der Wiel, senior security researcher, GReAT at Kaspersky. “It means that even less skilled attackers can now perform large-scale campaigns and target victims around the globe. Moreover, malvertising is becoming a hot trend as it is already highly demanded among malware groups. To avoid such attacks and protect your company from being compromised, it’s important to be aware of what is going on in cybersecurity, and use the latest protection tools available.”
Learn more about the new infection methods and techniques used by cybercriminals on Securelist.
To protect yourself and your business from ransomware attacks, consider the following suggestions:
- Do not expose remote desktop services (such as RDP) to public networks unless absolutely necessary and always use strong passwords for them.
- Promptly install available patches for commercial VPN solutions providing access for remote employees and acting as gateways in your network.
- Focus your defense strategy on detecting lateral movements and data exfiltration to the Internet. Pay special attention to the outgoing traffic to detect cybercriminals' connections.
- Back up data regularly. Make sure you can quickly access it in an emergency when needed.
- Use solutions like Kaspersky Endpoint Detection and Response Expert and the Kaspersky Managed Detection and Response service, which help identify and stop an attack at an early stage, before attackers reach their final goals.
- Use the latest Threat Intelligence information to stay aware of the current TTPs (tactics, techniques and procedures) used by threat actors. The Kaspersky Threat Intelligence Portal is a single point of access for Kaspersky’s TI, providing cyberattack data and insights gathered by our team over 25 years. To help businesses enable effective defenses in these turbulent times, Kaspersky has announced access to independent, continuously updated and globally sourced information on ongoing cyberattacks and threats, at no charge. Request access to this offer here.
About Kaspersky
Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments, and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies, and we help 240,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.
Media Contact
Sawyer Van Horn
sawyer.vanhorn@Kaspersky.com
(781) 503-1866