RapperBot

New samples of the RapperBot malware have been found by security researchers at Fortinet FortiGuard Labs. Threat actors are using these samples to create a DDoS botnet that targets gaming servers in order to launch DDoS attacks on them.

RapperBot is a Mirai-based botnet and as of May 2021, this botnet has been operational, but it is difficult to determine the exact goals it is trying to achieve.

The latest variant of RapperBot uses a Telnet-based mechanism for self-propagation. A similar approach was used by the original Mirai malware to propagate itself, and the use of this mechanism closely mimics that approach.

RapperBot Profile

  • Affected Platforms: Linux
  • Impacted Users: Any organization
  • Impact: Remote attackers gain control of the vulnerable systems
  • Severity Level: Critical

The DoS commands that are present in the latest version of the botnet are specifically designed to attack servers hosting online games. As a result, it is clearer to see what motivated the current campaign to be set up in the first place, Fortinet reported.

Several C2 communication artifacts have also been found in the newly discovered variant, indicating that this aspect of the operation of the botnet is unchanged from past campaigns.

Newly Added Commands

We have listed below an overview of the additional commands that have been added to support Telnet brute force attacks:-

  • 0x00: Register (used by the client)
  • 0x01: Keep-Alive/Do nothing
  • 0x02: Stop all DoS attacks and terminate the client
  • 0x03: Perform a DoS attack
  • 0x04: Stop all DoS attacks
  • 0x06: Restart Telnet brute forcing
  • 0x07: Stop Telnet brute forcing

Technical Analysis

As opposed to before, the malware retrieves a list of weak credentials from the C2 server to brute force devices using common weak credentials.

The malware can avoid testing a full list of credentials with the use of this technique, compared to other less sophisticated IoT malware.

A successful credential find is reported to C2 through port 5123 once the credentials have been found. After that, the primary payload binary is fetched and installed according to the device architecture detected.

Due to the addition of extensive DoS attack commands to the latest variant, it has been determined what this malware really is with the addition of commands such as:-

  • 0x00: Generic UDP flood
  • 0x01: TCP SYN flood
  • 0x02: TCP ACK flood
  • 0x03: TCP STOMP flood
  • 0x04: UDP SA:MP flood targeting game servers running GTA San Andreas: Multi Player (SA:MP)
  • 0x05: GRE Ethernet flood
  • 0x06: GRE IP flood
  • 0x07: Generic TCP flood

The above-mentioned commands are supported by the botnet and are used to launch DoS attacks. The malware appears to be specifically targeted at servers that host online video games based on its use of HTTP DoS methods.

Recommendations

As a precaution against botnet infections on your IoT devices, you must follow the recommendations that we have listed below to prevent them from being infected:-

  • Make sure your firmware is up-to-date at all times
  • Replace the default credentials with a secure, unique password that is strong and difficult to guess
  • Frequently change your passwords.
  • Make sure to use a reputed and robust antivirus.
  • If possible, place IoT devices behind a firewall so that they are protected.

Also Read: Penetration Testing As a Service – Download Red Team & Blue Team Workspace

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.