RapperBot IoT botnet is back with new capabilities that include launching DDoS attacks against game servers. It is heavily influenced by the Mirai botnet and has been active since mid-July.

Significant changes

FortiGuard Labs researchers found new samples of the RapperBot campaign in early October. 
  • It has added the feature to perform Telnet brute force, which is designed primarily for self-propagation. It supports DoS attacks using the Generic Routing Encapsulation (GRE) tunneling protocol.
  • In addition, it supports several DoS attack commands for UDP floods targeting game servers running Grand Theft Auto San Andreas: Multi Player (SA:MP), generic UDP/TCP flood, TCP SYN/ACK flood, GRE IP/Ethernet flood, and others.
  • It targets devices running ARM, MIPS, PowerPC, SH4, and SPARC architectures and specifically checks and halts its self-propagation if the device is running on Intel chipsets.
  • For suitable devices, it downloads and executes the payload binary using software already installed on the compromised device, such as curl, wget, ftpget, and tftp. 
  • If these are not present, it fetches its own downloader on the infected device, which further downloads the primary payload.

More additions

  • In an earlier SSH brute-forcing campaign, the operators were retrieving the list of hard-coded plaintext credentials from a C2 server to gain root access to IoT devices. However, the recent samples have these credentials embedded into the malware binary.
  • The credentials used for a successful break-in are reported back to the C2 server and then, the malware attempts to install its main payload binary on the compromised device.

The journey of RapperBot

  • According to the researchers, the RapperBot operators launched the campaign in December 2021 and added the SA:MP attack in February. It was active from February to April and then mysteriously disappeared.
  • Moreover, the recent RapperBot campaign overlaps with other operations involving the malware as far back as May 2021.
  • The older samples from another campaign were found between August and September 2021, with an almost identical list of credentials. The Telnet spreader module was added in August 2021, however, it was removed in later samples and reintroduced recently.

Conclusion

According to the researchers, the RapperBot campaign is likely being operated by threat actors who have access to a privately-shared source code base. It has evolved significantly from previous campaigns and the degree of effort in optimizing the brute-force implementation shows it is persistent and capable of launching high-scale campaigns.
Cyware Publisher

Publisher

Cyware