The Mirai-based botnet ‘RapperBot’ has re-emerged via a new campaign that infects IoT devices for DDoS (Distributed Denial of Service) attacks against game servers.
The malware was discovered by Fortinet researchers last August when it used SSH brute-forcing to spread on Linux servers.
By tracing its activities, the researchers found that RapperBot has been operational since May 2021, but its exact goals were hard to decipher.
RapperBot campaigns timeline (Fortinet)
The recent variant uses a Telnet self-propagation mechanism instead, which is closer to the approach of the original Mirai malware.
Also, the motivation of the current campaign is more apparent, as the DoS commands in the latest variant are tailored for attacks against servers hosting online games.
Lifting the lid on RapperBot
Fortinet analysts could sample the new variant using C2 communication artifacts collected in the previous campaigns, indicating that this aspect of the botnet’s operation has not changed.
The analysts noticed the new variant featured several differences, including support for Telnet brute-forcing, using the following commands:
- Register (used by the client)
- Keep-Alive/Do nothing
- Stop all DoS attacks and terminate the client
- Perform a DoS attack
- Stop all DoS attacks
- Restart Telnet brute forcing
- Stop Telnet brute forcing
The malware tries to brute force devices using common weak credentials from a hardcoded list, whereas previously, it fetched a list from the C2.
“To optimize brute forcing efforts, the malware compares the server prompt upon connection to a hardcoded list of strings to identify the possible device and then only tries the known credentials for that device,” explains Fortinet.
“Unlike less sophisticated IoT malware, this allows the malware to avoid trying to test a full list of credentials.”
After successfully finding credentials, it reports it to the C2 via port 5123 and then attempts to fetch and install the correct version of the primary payload binary for the detected device architecture.
Currently supported architectures are ARM, MIPS, PowerPC, SH4, and SPARC.
Downloading the ARM payload using wget (Fortinet)
The DoS capabilities in RapperBot’s older variant were so limited and generic that the researchers hypothesized its operators might be more interested in the initial access business.
However, in the latest variant, the true nature of the malware has become apparent with the addition of an extensive set of DoS attack commands like:
- Generic UDP flood
- TCP SYN flood
- TCP ACK flood
- TCP STOMP flood
- UDP SA:MP flood targeting game servers running GTA San Andreas: Multi Player (SA:MP)
- GRE Ethernet flood
- GRE IP flood
- Generic TCP flood
Based on the HTTP DoS methods, the malware appears to be specialized in launching attacks against game servers.
“This campaign adds DoS attacks against the GRE protocol and the UDP protocol used by the Grand Theft Auto: San Andreas Multi Player (SA:MP) mod,” reads Fortinet’s report.
Likely the same operators
Fortinet believes all detected RapperBot campaigns are orchestrated by the same operators, as newer variants indicate access to the malware’s source code.
Moreover, the C2 communication protocol remains unchanged, the list of credentials used for brute forcing attempts has been the same since August 2021, and there have been no signs of campaign overlaps at this time.
To protect your IoT devices from botnet infections, keep the firmware up to date, change default credentials with a strong and unique password, and place them behind a firewall if possible.