Cybercriminals are constantly evolving their skills and tools, looking for new ways to raid individuals and businesses. In a recent Securelist blog post, Kaspersky explored unusual infection methods used by attackers. One of the discoveries is called RapperBot, a Mirai-based worm that infects IoT devices with the ultimate goal of launching DDoS attacks against non-HTTP targets. Other methods mentioned in the blog post include information stealer Rhadamanthys and CUEMiner, based on open source malware believed to be distributed via BitTorrent and OneDrive.
RapperBot was first sighted in June 2022, when it targeted the Secure Shell protocol (SSH). SSH is considered a secure way to transfer files because it encrypts its communication, unlike Telnet services, which send data in plain text. However, the latest version of RapperBot has removed the SSH functionality and now focuses solely on Telnet, with quite a bit of success: in Q4 2022, RapperBot’s infection attempts reached 112,000 users from over 2,000 unique IP addresses.
What sets RapperBot apart from other worms is its “intelligent” way of brute forcing: it checks the login prompt of the target device and selects the matching credentials accordingly. This greatly speeds up the brute-forcing process because the worm does not have to go through a huge list of credentials. As of December 2022, the top 3 countries with the highest number of devices infected by RapperBot were Taiwan, South Korea, and the United States.
Another new family of malware described in Kaspersky’s blog post is CUEMiner, based on open-source malware that first appeared on GitHub in 2021. The latest version was discovered in October 2022 and contains a miner and a so-called ‘watcher’. The watcher monitors the system and reacts when a heavy process, such as a video game, is launched on the victim’s computer.
While investigating CUEMiner, Kaspersky found two methods of spreading the malware. The first is via trojanized cracked software downloaded through BitTorrent. The other is via trojanized cracked software downloaded from OneDrive sharing networks. Since no direct links were available at the time of publication, it remains unclear how victims are lured into downloading these cracked packages. Still, many crack sites today do not offer direct downloads; instead, they refer visitors to Discord server channels for further discussion. This suggests a form of human interaction and social engineering.
Such “open source” malware is very popular among amateur or unskilled cybercriminals because it allows them to conduct large-scale campaigns. CUEMiner victims can currently be found all over the world, some within corporate networks. The largest number of victims within Kaspersky Security Network telemetry are in Brazil, India and Turkey.
Finally, the Kaspersky blog post provides new information about Rhadamanthys, an information stealer that uses Google advertising as a means to distribute and deliver malware. It was already covered on Securelist in March 2023, but it has since come to light that Rhadamanthys has a strong connection with the Hidden Bee miner, which is aimed directly at cryptocurrency mining. Both malware families use images to hide the payload and have similar bootstrapping shellcode. In addition, both use in-memory virtual file systems and the Lua language to load plugins and modules.
“Open source malware, code reuse and rebranding are widely used by cybercriminals. This means that even less experienced attackers can now launch large-scale campaigns and target victims all over the world. Moreover, malvertising is becoming a hot trend and is already in high demand among malware groups. To prevent such attacks and protect your business from attacks, it is important to be up to date with what is going on in the field of cybersecurity and use the latest security tools available,” said Jornt van der Wiel, senior security researcher, GReAT at Kaspersky.
Learn more about the new infection methods and techniques cybercriminals are using on Securelist.