RapperBot malware targeting game servers via DDOS attacks
A malware strain linked to Mirai has re-emerged as ‘RapperBot’ in a new campaign that targets IoT devices for DDoS attacks on game servers. Fortinet first discovered RapperBot in August, when the malware was using SSH brute-forcing to spread to Linux servers.
After tracking its activity, the researchers found that RapperBot has been active since May 2021, although its motive remains hard to determine. The latest variant uses a self-propagation mechanism, just like the original Mirai botnet malware.
The DoS commands in this latest RapperBot variant are also tailored for attacks against game servers.
Diving deep into the RapperBot malware
According to Fortinet's analysis, the latest variant keeps the same C2 communication but introduces some new features, including support for Telnet brute-forcing, and responds to the following C2 commands:
- Register
- Keep-alive
- Hold DOS attacks & terminate client
- Execute a DOS attack
- Stop all DOS attacks
- Resume Telnet brute forcing
- Stop Telnet brute forcing
RapperBot brute-forces devices using weak credentials, drawing on a hardcoded list and on data received from the C2.
“To optimize brute forcing efforts, the malware compares the server prompt upon connection to a hardcoded list of strings to identify the possible device and then only tries the known credentials for that device. Unlike less sophisticated IoT malware, this allows the malware to avoid trying to test a full list of credentials,” said Fortinet in its report.
Once RapperBot finds working credentials, it reports them to the C2 over port 5123 and then installs the latest payload binary on the device. RapperBot currently supports the MIPS, PowerPC, SH4 and SPARC architectures.
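The behaviour described above gives a defender two observable signals: a burst of failed SSH/Telnet logins from one source, and, shortly after a successful login, an outbound TCP connection to port 5123 (the port the article says the malware uses to report credentials to its C2). The following Python detector is an added example, not code from the article or from Fortinet's report; it runs over constructed syslog-style auth lines and firewall-style outbound connection records, and the exact log formats, hostnames, IP addresses and time windows are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# --- Constructed sample input (not real logs) -----------------------------------
# Syslog-style SSH auth lines such as a Linux IoT gateway might emit (assumed format).
AUTH_LOG = """\
Nov 17 10:00:01 gw sshd[1201]: Failed password for root from 198.51.100.7 port 40001 ssh2
Nov 17 10:00:02 gw sshd[1202]: Failed password for admin from 198.51.100.7 port 40002 ssh2
Nov 17 10:00:03 gw sshd[1203]: Failed password for invalid user support from 198.51.100.7 port 40003 ssh2
Nov 17 10:00:04 gw sshd[1204]: Failed password for root from 198.51.100.7 port 40004 ssh2
Nov 17 10:00:05 gw sshd[1205]: Failed password for root from 198.51.100.7 port 40005 ssh2
Nov 17 10:00:07 gw sshd[1206]: Failed password for user from 203.0.113.99 port 50001 ssh2
Nov 17 10:00:09 gw sshd[1207]: Accepted password for root from 198.51.100.7 port 40009 ssh2
"""

# Firewall-style outbound connection records from the same device (assumed format).
CONN_LOG = """\
Nov 17 09:59:50 gw kernel: OUT src=192.0.2.10 dst=203.0.113.200 proto=tcp dport=443
Nov 17 10:00:15 gw kernel: OUT src=192.0.2.10 dst=203.0.113.5 proto=tcp dport=5123
Nov 17 10:20:00 gw kernel: OUT src=192.0.2.10 dst=203.0.113.7 proto=tcp dport=5123
"""

AUTH_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) password for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+")
CONN_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+ OUT src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")


def parse_ts(text):
    # Syslog timestamps carry no year; the parsed year (1900) is irrelevant
    # because we only ever compare timestamps relative to each other.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def parse_auth(text):
    """Parse auth lines into dicts with ts, result, user and src."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts, result, user, src = m.groups()
            events.append({"ts": parse_ts(ts), "result": result, "user": user, "src": src})
    return events


def parse_conns(text):
    """Parse outbound connection records into dicts with ts, src, dst, proto, dport."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            ts, src, dst, proto, dport = m.groups()
            conns.append({"ts": parse_ts(ts), "src": src, "dst": dst,
                          "proto": proto, "dport": int(dport)})
    return conns


def find_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Return {src: peak failures} for sources with >= threshold failed logins
    inside any sliding window of the given length."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            fails[e["src"]].append(e["ts"])
    flagged = {}
    for src, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


def find_c2_reports(events, conns, bruteforcers, port=5123, window=timedelta(minutes=5)):
    """Return (dst, ts) for outbound TCP connections to `port` that follow, within
    `window`, a successful login from a source already flagged as brute-forcing."""
    accepted = [e["ts"] for e in events
                if e["result"] == "Accepted" and e["src"] in bruteforcers]
    hits = []
    for c in conns:
        if c["proto"] != "tcp" or c["dport"] != port:
            continue
        if any(timedelta(0) <= c["ts"] - t <= window for t in accepted):
            hits.append((c["dst"], c["ts"]))
    return hits


def analyse(auth_text=AUTH_LOG, conn_text=CONN_LOG):
    events = parse_auth(auth_text)
    conns = parse_conns(conn_text)
    bruteforcers = find_bruteforce(events)
    return {"bruteforce": bruteforcers,
            "c2_reports": find_c2_reports(events, conns, bruteforcers)}


if __name__ == "__main__":
    result = analyse()
    for src, n in result["bruteforce"].items():
        print(f"brute-force: {src} ({n} failures within 60s)")
    for dst, ts in result["c2_reports"]:
        print(f"possible credential report to C2: {dst}:5123 at {ts.time()}")
```

On the sample data the single source that fails five times in a row is flagged, its later successful login is tied to the outbound connection to port 5123 six seconds afterwards, and the port 5123 connection twenty minutes later is ignored because it falls outside the correlation window. The correlation with a preceding brute-force success is what keeps the port number alone from being the alert: port 5123 is not reserved, so a bare destination-port match would be noisy on its own.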
The older version of RapperBot had limited DoS capabilities, but the latest variant comes with an extensive set of DoS commands, including TCP SYN flood, generic UDP flood, GRE Ethernet flood, UDP SA:MP flood targeting GTA game servers, TCP ACK flood, GRE IP flood, generic TCP flood, and TCP STOMP flood.
RapperBot is clearly built to target game servers, as it adds DoS attacks against the UDP and GRE protocols used by the GTA San Andreas Multiplayer (SA:MP) mod.
RapperBot malware operated by the same entities
Fortinet believes that RapperBot and its campaigns are created, maintained and operated by the same entities, given the similarities in source code, including the C2 communication.
To keep your IoT devices safe from RapperBot, keep the firmware updated, change credentials periodically following strong password practices, and employ a properly configured firewall.