New RapperBot Campaign targets game servers with DDoS attacks

Fortinet researchers discovered new samples of RapperBot used to build a botnet that launches distributed denial-of-service (DDoS) attacks against game servers.

Fortinet FortiGuard Labs researchers have discovered new samples of the RapperBot malware that are being used to build a DDoS botnet to target game servers.

Researchers from FortiGuard Labs discovered the previously undetected RapperBot IoT botnet in August and reported that it has been active since mid-June 2022. The bot borrows a large portion of its code from the original Mirai botnet, but unlike other IoT malware families, it implements a built-in capability to brute-force credentials and gain access to SSH servers, rather than Telnet as implemented in Mirai.

Experts also noticed that the most recent samples include the code to maintain persistence, which is rarely implemented in other Mirai variants.

Earlier samples of the malware had the brute-forcing credential list hardcoded into the binary, but from July onward the samples started retrieving the list from the C2 server.

Since mid-July, RapperBot has used self-propagation to maintain remote access to the brute-forced SSH servers. The bot runs a shell command to replace the remote victim's ~/.ssh/authorized_keys with a file containing the threat actors' SSH public key, with the comment "helloworld".

Once the public key is stored in ~/.ssh/authorized_keys, anyone holding the corresponding private key can authenticate to the SSH server without supplying a password.

RapperBot is also able to retain its foothold on any devices on which it is executed by appending the same aforementioned SSH key to the local “~/.ssh/authorized_keys” on the infected device upon execution. This allows the malware to maintain its access to these infected devices via SSH even after a device reboot or the removal of RapperBot from the device. 
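A defender-side check for the persistence technique described above, written for this article rather than taken from the FortiGuard report or the malware: it parses an authorized_keys file (including entries with a leading options field), flags any key whose comment is the "helloworld" marker, and optionally reports keys that are not on an allowlist of approved public keys, which also catches the case where the bot overwrote the whole file. The sample file content and key blobs are constructed placeholders, not real key material.

```python
from typing import List, NamedTuple, Tuple

# Key types OpenSSH accepts in authorized_keys (assumed subset, sufficient for this check).
KEY_TYPES = (
    "ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
)

class AuthorizedKey(NamedTuple):
    options: str    # leading options such as command="..." or no-pty (may be empty)
    key_type: str
    key_data: str   # base64 public key blob
    comment: str    # free-text comment; RapperBot's planted key uses "helloworld"

def parse_authorized_keys(text: str) -> List[AuthorizedKey]:
    """Parse authorized_keys content, skipping blank and '#' lines.
    The options field is optional, so the entry is located by finding the first
    token that is a known key type; tokens before it are the options."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # unknown key type or missing key blob: not a usable entry
        entries.append(AuthorizedKey(" ".join(tokens[:idx]), tokens[idx],
                                     tokens[idx + 1], " ".join(tokens[idx + 2:])))
    return entries

def find_suspicious_keys(text: str, flagged_comments=("helloworld",),
                         allowlist=()) -> List[Tuple[str, AuthorizedKey]]:
    """Return (reason, entry) pairs: entries carrying a known-bad comment, or,
    when an allowlist of approved key blobs is supplied, entries outside it."""
    hits = []
    for entry in parse_authorized_keys(text):
        if entry.comment in flagged_comments:
            hits.append(("flagged-comment", entry))
        elif allowlist and entry.key_data not in allowlist:
            hits.append(("not-in-allowlist", entry))
    return hits

# Constructed sample file: one legitimate-looking admin key and one planted key.
SAMPLE = """# constructed sample, key blobs are placeholders
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEADMINKEY000000000000000000 admin@bastion
no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQEXAMPLEPLANTEDKEY helloworld
"""

if __name__ == "__main__":
    for reason, key in find_suspicious_keys(SAMPLE):
        print(reason, key.key_type, key.comment)
```

On a real host, run it over each user's ~/.ssh/authorized_keys (and root's) and compare against the blobs your configuration management actually deployed.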

In early October 2022, the researchers spotted new samples that they believe to be part of a separate campaign to launch Distributed Denial of Service (DDoS) attacks against game servers.

“But once we analyzed these new samples, we observed a significant difference between them and the earlier campaign. In fact, it turns out that this campaign is less like RapperBot than an older campaign that appeared in February and then mysteriously disappeared in the middle of April. Other related campaigns uncovered during this investigation are detailed later in this article.” reads the report published by FortiGuard Labs.

The researchers noticed that the latest variant uses the same C2 network protocol as previous samples, but it adds commands to control the Telnet brute forcing. Below is the list of commands and their IDs:

  • 0x00: Register (used by the client)
  • 0x01: Keep-Alive/Do nothing
  • 0x02: Stop all DoS attacks and terminate the client
  • 0x03: Perform a DoS attack
  • 0x04: Stop all DoS attacks
  • 0x06: Restart Telnet brute forcing
  • 0x07: Stop Telnet brute forcing

The latest samples also implement DoS attacks using the GRE protocol (likely reusing the Mirai source code) and the UDP protocol used by the Grand Theft Auto: San Andreas Multi Player (SA:MP) mod.

The most significant difference in the latest campaign is the complete replacement of the SSH brute-force code with the more common Telnet equivalent.

“The Telnet brute forcing code is designed primarily for self-propagation and resembles the old Mirai Satori botnet. Unlike the earlier SSH brute-forcing campaign, the plaintext credentials are embedded into the malware instead of being downloaded from the C2.” continues the report.

The list of hardcoded credentials consists of default credentials associated with IoT devices. Analysis of the prompt strings hardcoded into the malware revealed that the bot mainly targets routers and DVRs. The latest campaign also aims at older devices built on the Qualcomm MDM9625 chipset, such as LTE modems.

Once it has gained access to a device, the bot sends the credentials it used, the IP address of the compromised device, and the device architecture to the C2 server on a separate port, 5123. The malware then attempts to install the RapperBot payload binary on the compromised device.

“Based on the undeniable similarities between this new campaign and the previously reported RapperBot campaign, it is highly likely that they are being operated by a single threat actor or by different threat actors with access to a privately-shared base source code.” the researchers conclude.

“Unlike the previous RapperBot campaign, this new campaign has a clear motivation to compromise as many IoT devices as possible to build a DDoS botnet.”


Pierluigi Paganini

(SecurityAffairs – hacking, RapperBot)
