Jump to content
  • Updated RapperBot malware targets game servers in DDoS attacks

    alf9872000

    • 349 views
    • 3 minutes
     Share


    • 349 views
    • 3 minutes

    The Mirai-based botnet 'RapperBot' has re-emerged via a new campaign that infects IoT devices for DDoS (Distributed Denial of Service) attacks against game servers.

     

    The malware was discovered by Fortinet researchers last August when it used SSH brute-forcing to spread on Linux servers.

     

    By tracing its activities, the researchers found that RapperBot has been operational since May 2021, but its exact goals were hard to decipher.

     

    campaigns.png

    RapperBot campaigns timeline (Fortinet)

     

    The recent variant uses a Telnet self-propagation mechanism instead, which is closer to the approach of the original Mirai malware.

     

    Also, the motivation of the current campaign is more apparent, as the DoS commands in the latest variant are tailored for attacks against servers hosting online games.

    Lifting the lid on RapperBot

    Fortinet analysts could sample the new variant using C2 communication artifacts collected in the previous campaigns, indicating that this aspect of the botnet's operation has not changed.

     

    The analysts noticed the new variant featured several differences, including support for Telnet brute-forcing, using the following commands:

    • Register (used by the client)
    • Keep-Alive/Do nothing
    • Stop all DoS attacks and terminate the client
    • Perform a DoS attack
    • Stop all DoS attacks
    • Restart Telnet brute forcing
    • Stop Telnet brute forcing

     

    The malware tries to brute force devices using common weak credentials from a hardcoded list, whereas previously, it fetched a list from the C2.

     

    "To optimize brute forcing efforts, the malware compares the server prompt upon connection to a hardcoded list of strings to identify the possible device and then only tries the known credentials for that device," explains Fortinet.

     

    "Unlike less sophisticated IoT malware, this allows the malware to avoid trying to test a full list of credentials."

     

    After successfully finding credentials, it reports it to the C2 via port 5123 and then attempts to fetch and install the correct version of the primary payload binary for the detected device architecture.

     

    Currently supported architectures are ARM, MIPS, PowerPC, SH4, and SPARC.

     

    wget.png

    Downloading the ARM payload using wget (Fortinet)

     

    The DoS capabilities in RapperBot's older variant were so limited and generic that the researchers hypothesized its operators might be more interested in the initial access business.

     

    However, in the latest variant, the true nature of the malware has become apparent with the addition of an extensive set of DoS attack commands like:

    • Generic UDP flood
    • TCP SYN flood
    • TCP ACK flood
    • TCP STOMP flood
    • UDP SA:MP flood targeting game servers running GTA San Andreas: Multi Player (SA:MP)
    • GRE Ethernet flood
    • GRE IP flood
    • Generic TCP flood

     

    Based on the HTTP DoS methods, the malware appears to be specialized in launching attacks against game servers.

     

    "This campaign adds DoS attacks against the GRE protocol and the UDP protocol used by the Grand Theft Auto: San Andreas Multi Player (SA:MP) mod," reads Fortinet's report.

     

    Likely the same operators

     

    Fortinet believes all detected RapperBot campaigns are orchestrated by the same operators, as newer variants indicate access to the malware's source code.

    Moreover, the C2 communication protocol remains unchanged, the list of credentials used for brute forcing attempts has been the same since August 2021, and there have been no signs of campaign overlaps at this time.

    To protect your IoT devices from botnet infections, keep the firmware up to date, change default credentials with a strong and unique password, and place them behind a firewall if possible.

     

    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...