Fortinet researchers have detailed a new campaign of the RapperBot gang, which is now targeting IoT devices for conducting DoS attacks against game servers.
In their latest report, researchers noted RapperBot being upgraded to use Telnet-based brute-forcing attacks, similar to Mirai botnet. And with the same C2, malware source code, and other similar metrics, researchers linked the current campaign operators to the past ones.
RapperBot Modus Operandi
The first impressions of RapperBot were seen in a mid-last year, where Fortinet researchers said in a report that it’s closely working like the Mirai botnet. Well, after a year and a half, the RapperBot is upgraded to use Telnet brute-forcing for its operations.
This is what Mirai botnet does, too, to make their brute force attacks more effective. Using Telnet, researchers said the new botnet variant can perform a DoS attack using the following command sequence;
- Register (used by the client)
- Keep-Alive/Do nothing
- Stop all DoS attacks and terminate the client
- Perform a DoS attack
- Stop all DoS attacks
- Restart Telnet brute forcing
- Stop Telnet brute forcing
While the original RapperBot was crafted so clueless that researchers were not able to find out its real purpose. But now, the gang’s actual business interest has been determined – to conduct Denial of Service attacks against game servers! As noted in the report, the new variant of RapperBot can do the following;
- Generic UDP flood
- TCP SYN flood
- TCP ACK flood
- TCP STOMP flood
- UDP SA:MP flood targeting game servers running GTA San Andreas: Multi Player (SA:MP)
- GRE Ethernet flood
- GRE IP flood
- Generic TCP flood
With similar malware source code, C2 protocol, and the list of credentials used for brute forcing attempts similar to its 2021 variant, researchers linked the operators of both these campaigns to be the same.
And to protect your IoT devices from any such botnet infections, you better keep its firmware up to date, replace the default credentials with strong and unique ones, and place them all behind a firewall.
