
Updated RapperBot malware targets game servers in DDoS attacks

by Sriram Parisa

The Mirai-based ‘RapperBot’ botnet has resurfaced through a new campaign infecting IoT devices for DDoS (Distributed Denial of Service) attacks against game servers.

The malware was discovered by Fortinet researchers last August, when it was brute-forcing SSH to spread to Linux servers.

When tracking its activity, the researchers determined that RapperBot had been operational since May 2021, but its exact targets were difficult to decipher.

Instead, the recent variant uses a Telnet self-propagation mechanism, which is closer to the approach of the original Mirai malware.

Furthermore, the motivation of the current campaign is more apparent, as the DoS commands in the latest variant are designed for attacks against servers hosting online games.


Lifting the lid on RapperBot
Fortinet analysts were able to link the new variant to previous campaigns using C2 communication artifacts collected from them, indicating that this aspect of the botnet’s operation has not changed.

Analysts noted that the new variant had several differences, including support for Telnet brute force, using the following commands:

Register (used by the client)
Keep alive / Do nothing
Stop all DoS attacks and terminate the client
Perform a DoS attack
Stop all DoS attacks
Restart Telnet brute force
Stop Telnet brute force
The malware attempts to brute force devices using common weak credentials from a hardcoded list, whereas previously it received the list from the C2.

“To optimize brute force efforts, the malware compares the server’s flag when connecting to a hardcoded list of strings to identify the possible device, and then only tries the known credentials for that device,” Fortinet explains.

“Unlike less sophisticated IoT malware, this allows the malware to avoid attempting to test an entire list of credentials.”

After successfully finding the credentials, it reports it to C2 over port 5123 and then tries to get and install the correct version of the main payload binary for the discovered device architecture.

Currently supported architectures are ARM, MIPS, PowerPC, SH4, and SPARC.
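The propagation behaviour described above (Telnet brute force fanning out across many hosts, followed by a report to the C2 over port 5123) is something a defender can look for in network flow records. The following is an added example written for this article, not code from Fortinet or from the malware: it scores each internal source host on two signals, the number of distinct Telnet targets it contacted and whether it opened a connection to TCP port 5123. Port 5123 comes from the article; the fan-out threshold, the IP addresses and the flow records themselves are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

TELNET_PORT = 23
C2_REPORT_PORT = 5123  # port the article says found credentials are reported on


@dataclass(frozen=True)
class Flow:
    """One connection attempt, as it might come from NetFlow/IPFIX or a firewall log."""
    src: str
    dst: str
    dport: int
    proto: str


def sample_flows():
    """Constructed sample records (not from a real capture)."""
    flows = []
    # 10.0.0.5: Telnet connections to 12 distinct hosts, then a report to the C2 port
    for i in range(1, 13):
        flows.append(Flow("10.0.0.5", f"192.0.2.{i}", TELNET_PORT, "tcp"))
    flows.append(Flow("10.0.0.5", "203.0.113.10", C2_REPORT_PORT, "tcp"))
    # 10.0.0.7: ordinary web traffic, should not be flagged
    flows.append(Flow("10.0.0.7", "198.51.100.20", 443, "tcp"))
    flows.append(Flow("10.0.0.7", "198.51.100.21", 80, "tcp"))
    # 10.0.0.9: an administrator managing two switches over Telnet (low fan-out)
    flows.append(Flow("10.0.0.9", "10.0.1.1", TELNET_PORT, "tcp"))
    flows.append(Flow("10.0.0.9", "10.0.1.2", TELNET_PORT, "tcp"))
    return flows


def detect(flows, fanout_threshold=10):
    """Return {src: finding} for hosts showing RapperBot-like propagation signals.

    fanout_threshold (constructed value) is the number of distinct Telnet targets
    above which a source is treated as scanning rather than administering.
    """
    telnet_targets = defaultdict(set)
    c2_reporters = set()
    for f in flows:
        if f.proto != "tcp":
            continue
        if f.dport == TELNET_PORT:
            telnet_targets[f.src].add(f.dst)
        elif f.dport == C2_REPORT_PORT:
            c2_reporters.add(f.src)

    findings = {}
    for src in set(telnet_targets) | c2_reporters:
        fanout = len(telnet_targets.get(src, ()))
        reported = src in c2_reporters
        if fanout >= fanout_threshold and reported:
            severity = "high"      # both propagation and C2 report seen
        elif fanout >= fanout_threshold or reported:
            severity = "medium"    # one signal alone warrants a look
        else:
            continue               # normal Telnet use, nothing to raise
        findings[src] = {
            "telnet_fanout": fanout,
            "c2_report": reported,
            "severity": severity,
        }
    return findings


if __name__ == "__main__":
    for host, finding in detect(sample_flows()).items():
        print(host, finding)
```

Feeding real flow exports into `detect()` only requires mapping each record onto the `Flow` fields; the threshold should be tuned to what legitimate Telnet administration looks like on the network, and a lone connection to port 5123 is a weak signal on its own, which is why it only reaches "medium".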

The DoS functionality in the previous RapperBot variant was so limited and generic that the researchers hypothesized its operators might be more interested in the initial access business.

However, in the latest variant, the true nature of the malware became apparent with the addition of a comprehensive set of DoS attack commands such as:

Generic UDP flood
TCP SYN flood
TCP ACK flood
TCP STOMP flood
UDP SA:MP flood targeting game servers running GTA San Andreas: Multiplayer (SA:MP)
GRE Ethernet Flood
GRE IP Flood
Generic TCP flood
Based on the absence of HTTP DoS methods, the malware seems to be specialized in launching attacks against game servers.

“This campaign adds DoS attacks against the GRE protocol and UDP protocol used by the Grand Theft Auto: San Andreas Multi Player (SA:MP) mod,” the Fortinet report reads.

Probably the same operators
Fortinet believes that all detected RapperBot campaigns are orchestrated by the same operators, as newer variants indicate access to the malware’s source code.

Additionally, the C2 communication protocol remains unchanged, the list of credentials used for brute force attempts has been the same since August 2021, and there have been no signs of campaign overlap at this time.

To protect your IoT devices from botnet infections, keep firmware up to date, replace default credentials with a strong and unique password, and place the devices behind a firewall if possible.
