Kaspersky has explored uncommon infection methods used by attackers in its recent Securelist blogpost. Alongside other discoveries, it features RapperBot, a Mirai-based worm that infects IoT devices with the ultimate goal of launching DDoS attacks against non-HTTP targets. Other methods mentioned in the blogpost includes an information stealer Rhadamanthys, and CUEMiner, based on open-source malware presumably distributed through BitTorrent and One Drive.
The RapperBot was first observed in June 2022, when it was used to target Secure Shell protocol (SSH), considered to be a secure way to communicate files since it uses encrypted communication – comparing to Telnet services that transfers data in a form of a plain text. However, the latest version of RapperBot removed SSH functionality and now focuses exclusively on Telnet and with quite some success. In Q4 2022, RapperBot infection attempts reached 112,000 users from more than 2,000 unique IP addresses.
What sets RapperBot apart from other worms is its “intelligent” way of brute forcing: it checks the prompt and based on the prompt selects the appropriate credentials. This method speeds up the brute forcing process significantly as it doesn’t have to go over a huge list of credentials. In December 2022, the Top-3 countries with the highest number of devices infected by RapperBot were Taiwan, South Korea, and the United States.
Another new malware family described in the Kaspersky’s blogpost is a CUEMiner, based on an open-source malware that first appeared on Github in 2021. The latest version was discovered in October 2022, and includes a miner itself and a so-called “watcher”. This program monitors a system while a heavy process, such as a videogame, is launched on a computer of a victim.
During the investigation of CUEMiner, Kaspersky noticed two methods of spreading the malware. The first is via trojanized cracked software downloaded via BitTorrent. The other method is via trojanized cracked software that is downloaded from OneDrive sharing networks. Since there are no direct links available at the time of publication, it remains unclear how victims are lured into downloading these cracked packages. Nevertheless, many crack sites these days do not immediately provide downloads. Instead they point to Discord server channels for further discussion. This suggests some form of human interaction and social engineering.
Such “open source” malware is very popular among amateur or unskilled cybercriminals since it allows them to conduct massive campaigns - CUEMiner victims are currently found all over the world, some within enterprise networks. The largest number of victims within KSN telemetry have been in Brazil, India, and Turkey.
Finally, the Kaspersky blogpost provides new information on Rhadamanthys, an information stealer that uses Google Advertising as a means of distributing and delivering malware. It was already featured on Securelist in March 2023, but since then, it has been uncovered that Rhadamanthys has a strong connection to Hidden Bee miner, aimed directly at cryptocurrency mining. Both samples use images to hide the payload inside and have similar shellcodes for bootstrapping. Additionally, both use “in-memory virtual file systems” and utilize Lua language to load plugins and modules.
“Open-source malware, code reuse and rebranding are widely used by cybercriminals. It means that even less skilled attackers can now perform large-scale campaigns and target victims around the globe. Moreover, malvertising is becoming a hot trend as it is already highly demanded among malware groups. To avoid such attacks and protect your company from being compromised, it’s important to be aware of what is going on in cybersecurity, and use the latest protection tools available,” comments Jornt van der Wiel, senior security researcher, GReAT at Kaspersky.
Learn more about the new infection methods and techniques used by cybercriminals on Securelist.
To protect yourself and your business from ransomware attacks, consider following the rules proposed by Kaspersky:
- Do not expose remote desktop services (such as RDP) to public networks unless absolutely necessary and always use strong passwords for them.
- Promptly install available patches for commercial VPN solutions providing access for remote employees and acting as gateways in your network.
- Focus your defense strategy on detecting lateral movements and data exfiltration to the Internet. Pay special attention to the outgoing traffic to detect cybercriminals' connections.
- Back up data regularly. Make sure you can quickly access it in an emergency when needed.
- Use solutions like Kaspersky Endpoint Detection and Response Expert and Kaspersky Managed Detection and Response service which help to identify and stop the attack on early stages, before attackers reach their final goals.
- Use the latest Threat Intelligence information to stay aware of actual TTPs used by threat actors. The Kaspersky Threat Intelligence Portal is a single point of access for Kaspersky’s TI, providing cyberattack data and insights gathered by our team for 25 years. To help businesses enable effective defenses in these turbulent times, Kaspersky has announced access to independent, continuously updated and globally sourced information on ongoing cyberattacks and threats, at no charge. Request access to this offer here.
-Ends-
About Kaspersky
Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.