Fresh, reworked samples of the RapperBot malware have been discovered that target IoT devices and use them for DDoS (Distributed Denial of Service) attacks against game servers.
Researchers from Fortinet FortiGuard Labs believe this to be a re-emergence of a campaign from earlier this year that brute-forced SSH servers and was discovered in August.
This strain was located whilst researchers were tracing the activities of the previously detected campaign.
It soon became evident that there are a number of significant differences between them – so much so that the new malware looks less like RapperBot than like an older campaign that was observed in February before disappearing.
Instead of the SSH brute-forcing code, this campaign carries the more usual Telnet equivalent, which is used mostly for self-propagation. According to the researchers, it resembles the old Mirai Satori botnet. The Mirai botnet was discovered in August 2016 and its variants have since been used in some of the largest distributed denial-of-service (DDoS) attacks.
In this case, the new samples use the same C2 protocol as RapperBot, but instead of downloading credentials directly from the C2, they attempt to brute-force devices using common weak credentials.
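As an added example (not code from the Fortinet report or this article), the following Python flags the Telnet behaviour just described from a defender's side: a burst of failed logins with common default usernames from one source, followed by a success. The syslog-style log format, the sample lines and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style Telnet authentication events (not real data).
SAMPLE_LOG = """\
2022-11-15T10:00:01Z gw telnetd: login failed for 'root' from 198.51.100.23
2022-11-15T10:00:02Z gw telnetd: login failed for 'admin' from 198.51.100.23
2022-11-15T10:00:02Z gw telnetd: login failed for 'root' from 198.51.100.23
2022-11-15T10:00:03Z gw telnetd: login failed for 'user' from 198.51.100.23
2022-11-15T10:00:04Z gw telnetd: login failed for 'support' from 198.51.100.23
2022-11-15T10:00:05Z gw telnetd: login succeeded for 'admin' from 198.51.100.23
2022-11-15T10:07:30Z gw telnetd: login failed for 'alice' from 203.0.113.5
2022-11-15T10:30:00Z gw telnetd: login succeeded for 'alice' from 203.0.113.5
"""

# Assumed log line layout; adapt the pattern to the device's real telnetd output.
LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ telnetd: login (?P<result>failed|succeeded) "
                     r"for '(?P<user>[^']*)' from (?P<src>\S+)$")

def parse(log):
    """Turn matching log lines into (timestamp, result, user, source) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["result"], m["user"], m["src"]))
    return events

def find_bruteforce(events, threshold=4, window=timedelta(seconds=60)):
    """Alert on sources with >= threshold failures inside `window`; mark the
    alert 'compromised' if a success follows the spray (a guessed credential worked)."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[3]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        recent, users, total = [], set(), 0   # sliding window of failure times
        for ts, result, user, _ in evs:
            if result == "failed":
                total += 1
                users.add(user)
                recent = [t for t in recent if ts - t <= window] + [ts]
                if len(recent) >= threshold:
                    a = alerts.setdefault(src, {"compromised": False})
                    a["failures"], a["users"] = total, sorted(users)
            elif src in alerts:
                alerts[src]["compromised"] = True
    return alerts

if __name__ == "__main__":
    for src, info in find_bruteforce(parse(SAMPLE_LOG)).items():
        print(src, info)
```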
“The fact that samples from both campaigns use the same C2 protocol, coupled with the absence of this campaign during the RapperBot campaign active between June and Aug 2022 and its recent reappearance, seems to be more than a coincidence,” researchers believe.
The new botnet currently appears to target only devices running on ARM, MIPS, PowerPC, SH4, and SPARC architectures, and it stops self-propagating if the device is detected to be running on an Intel processor.
Fortinet researchers conclude that, based on the observed similarities, the new campaign and the previously reported RapperBot campaign appear to be operated by the same threat actor, or by multiple threat actors who share access to a private source code base.