
Updated RapperBot malware attacks servers in DDoS attacks

  • November 17, 2022


The Mirai-based RapperBot botnet has resurfaced with a new campaign that infects IoT devices and uses them for DDoS (distributed denial of service) attacks against game servers. The malware was first documented by Fortinet researchers last August, when it was brute-forcing SSH credentials to spread to Linux servers. After tracking its activity, the researchers found that RapperBot has been active since May 2021, although its precise objectives were hard to determine.

The new variant instead spreads by brute-forcing Telnet, which is closer to the approach of the original Mirai malware. The motivation behind the current campaign is also clearer: the DoS commands in the latest build are designed to hit servers hosting online games.

Fortinet analysts were able to sample the new variant using C2 communication artifacts collected in earlier campaigns, which suggests that this part of the botnet's operation has not changed.

Analysts noted a few differences in the new variant, including support for Telnet brute-forcing, driven by the following C2 commands:

  • Registration (used by the client)
  • Keep alive / do nothing
  • Stop all DoS attacks and terminate the client
  • Perform a DoS attack
  • Stop all DoS attacks
  • Restart Telnet brute-forcing
  • Stop Telnet brute-forcing

The malware attempts to brute-force devices using common weak credentials from a hard-coded list, whereas earlier versions retrieved the list from the C2.

“To optimize its brute-force efforts, the malware compares the post-connection server prompt with a list of hard-coded strings to identify the possible device, and then tries known credentials only for that device,” Fortinet said.

“Unlike less sophisticated IoT malware, this allows the malware to avoid trying the entire list of credentials.”
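The following is an added illustration of the prompt-fingerprinting shortcut Fortinet describes; it is not Fortinet's analysis code or RapperBot's own, and every prompt marker, device family and credential pair in it is constructed for the example. It also shows the trade-off a defender should understand: a login banner that names the vendor or firmware is what lets a bot skip straight to the right handful of credentials, and a device whose real password falls outside that handful is missed by the optimised path entirely.

```python
"""Model of prompt-fingerprinted credential selection (added example).

Not Fortinet's or the malware's code. All markers, device families and
credential pairs below are hypothetical values constructed for illustration.
"""
from typing import Dict, List, Optional, Tuple

Credential = Tuple[str, str]

# Hypothetical fingerprint table: a substring expected in the Telnet login
# prompt maps to a device family and the few credentials known for it.
# First matching marker wins, in dictionary order.
DEVICE_PROFILES: Dict[str, Tuple[str, List[Credential]]] = {
    "BusyBox v1.": ("generic-busybox", [("root", "root"), ("admin", "admin")]),
    "ExampleDVR login:": ("example-dvr", [("root", "dvr1234"), ("admin", "1111")]),
    "ACME-Router>": ("acme-router", [("admin", "password")]),
}

# Hypothetical full list that a less selective bot would walk through on
# every host regardless of what the prompt says.
FULL_CREDENTIAL_LIST: List[Credential] = [
    ("root", "root"), ("admin", "admin"), ("root", "dvr1234"), ("admin", "1111"),
    ("admin", "password"), ("user", "user"), ("support", "support"),
    ("root", "vizxv"), ("root", "xc3511"),
]


def fingerprint(prompt: str) -> Optional[Tuple[str, List[Credential]]]:
    """Return (device_family, credentials) for the first marker found in the
    post-connection prompt, or None when nothing in the table matches."""
    for marker, profile in DEVICE_PROFILES.items():
        if marker in prompt:
            return profile
    return None


def select_credentials(prompt: str,
                       full_list: List[Credential] = FULL_CREDENTIAL_LIST) -> List[Credential]:
    """Credentials a fingerprinting bot would try against a host showing `prompt`.
    Recognised device: only that family's known pairs. Unrecognised: the whole list."""
    match = fingerprint(prompt)
    if match is None:
        return list(full_list)
    _, creds = match
    return list(creds)


def simulate_bruteforce(prompt: str, accepted: Credential) -> Optional[int]:
    """Number of login attempts until `accepted` is tried, or None if the
    selected list never contains it (the cost of the shortcut)."""
    for attempt, cred in enumerate(select_credentials(prompt), start=1):
        if cred == accepted:
            return attempt
    return None


if __name__ == "__main__":
    # Constructed prompts, as a device might print them after the TCP handshake.
    for prompt in ("ExampleDVR login: ", "BusyBox v1.36 login: ", "login: "):
        plan = select_credentials(prompt)
        print(f"{prompt!r:28} -> {len(plan)} of {len(FULL_CREDENTIAL_LIST)} credentials tried")
```

Running it shows the recognised DVR and BusyBox prompts collapsing to two attempts each while the anonymous `login:` prompt falls back to the full list; the same table also documents which banner strings make a device cheap to compromise, which is a reasonable starting point for a honeypot or banner-audit rule.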

After successfully finding working credentials, it reports them to the C2 on port 5123 and then tries to fetch and install the main payload binary built for the detected device architecture. ARM, MIPS, PowerPC, SH4 and SPARC are currently supported.

The DoS capabilities of the older RapperBot version were so limited and generic that the researchers speculated its operators might be more interested in gaining initial access than in launching attacks.

In the latest variant, however, the malware's true purpose is revealed by the addition of a wide variety of DoS attack commands:

  • Generic UDP flood
  • TCP SYN flood
  • TCP ACK flood
  • TCP STOMP flood
  • UDP SA:MP flood, targeting game servers running Grand Theft Auto: San Andreas Multiplayer (SA:MP)
  • GRE Ethernet flood
  • GRE IP flood
  • Generic TCP flood

Judging from the absence of any HTTP-based DoS techniques, the malware appears to specialize in attacks on game servers rather than websites.

“This campaign adds DoS attacks against the GRE protocol and the UDP protocol used by the Grand Theft Auto: San Andreas Multi Player (SA:MP) mod,” Fortinet said in its report.

Fortinet believes that all RapperBot campaigns detected so far were run by the same operators, because the new variants show clear access to the malware's source code. In addition, the C2 communication protocol is unchanged, the list of credentials used for brute-force attempts has stayed the same since August 2021, and there is no evidence of overlap with other campaigns.

To protect IoT devices from botnet infections of this kind, keep their firmware up to date, replace default credentials with strong, unique passwords, and where possible place them behind a firewall so that their Telnet and SSH management interfaces are not reachable from the internet.

Source: Port Altele
