www.fortinet.com Open in urlscan Pro
18.156.16.255  Public Scan

URL: https://www.fortinet.com/blog/threat-research/new-rapperbot-campaign-ddos-attacks
Submission: On November 16 via api from DE — Scanned from DE

Form analysis 1 forms found in the DOM

GET /blog/search

<form class="b3-searchbox__form" action="/blog/search" method="get">
  <input class="b3-searchbox__input" type="text" name="q" placeholder="Search Blogs">
  <button class="b3-searchbox__icon" aria-label="Search" type="submit">
    <svg viewBox="0 0 16 16" xmlns="http://www.w3.org/2000/svg">
      <path
        d="M15.688 14.18l-4.075-4.075C12.36 9.06 12.8 7.78 12.8 6.4 12.8 2.87 9.93 0 6.4 0 2.87 0 0 2.87 0 6.4c0 3.53 2.87 6.4 6.4 6.4 1.38 0 2.66-.44 3.705-1.187l4.075 4.075c.207.208.48.312.753.312.274 0 .547-.104.755-.312.416-.417.416-1.093 0-1.51zM2.133 6.4c0-2.357 1.91-4.267 4.267-4.267s4.267 1.91 4.267 4.267-1.91 4.267-4.267 4.267S2.133 8.757 2.133 6.4z"
        fill="#fff">
      </path>
    </svg>
  </button>
</form>

Text Content

Blog
 * Categories
   * Business & Technology
   * Threat Research
   * Industry Trends
   * Partners
   * Customer Stories
   * PSIRT Blogs
 * Business & Technology
 * Threat Research
 * Industry Trends
 * Partners
 * Customer Stories
 * PSIRT Blogs
 * CISO Collective
 * Subscribe





Threat Research


NEW RAPPERBOT CAMPAIGN – WE KNOW WHAT YOU BRUTING FOR THIS TIME

By Joie Salvio and Roy Tay | November 15, 2022

After FortiGuard Labs reported on RapperBot in our previous article titled So
RapperBot, What Ya Bruting For? in August 2022, there was a significant drop in
the number of samples collected in the wild. But in early October 2022, new
samples with the same distinctive C2 protocol used by RapperBot were detected.


Unlike the murky objectives of the previous campaign, it is quickly evident that
these samples are part of a separate campaign to launch Distributed Denial of
Service (DDoS) attacks against game servers, which we believe to be a
re-emergence of a similar campaign from earlier this year.

Affected Platforms: Linux
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: Critical

This article discusses the differences observed in this campaign and its
relation to the previous RapperBot and similar campaigns in the past.


RAPPERBOT REBOOTED

FortiGuard Labs encountered this campaign by hunting for samples using the
unique bot ID used by RapperBot to communicate with its Command-and-Control (C2)
server, as reported in the previous article.

But once we analyzed these new samples, we observed a significant difference
between them and the earlier campaign. In fact, it turns out that this campaign
is less like RapperBot than an older campaign that appeared in February and then
mysteriously disappeared in the middle of April. Other related campaigns
uncovered during this investigation are detailed later in this article.


NETWORK PROTOCOL AND DENIAL-OF-SERVICE (DOS) ATTACKS

The C2 network protocol used in previous campaigns remains essentially
unchanged, with additional commands added to support the Telnet brute force. The
list of commands and IDs are shown below:

 * 0x00: Register (used by the client)
 * 0x01: Keep-Alive/Do nothing
 * 0x02: Stop all DoS attacks and terminate the client
 * 0x03: Perform a DoS attack
 * 0x04: Stop all DoS attacks
 * 0x06: Restart Telnet brute forcing
 * 0x07: Stop Telnet brute forcing

The previously reported RapperBot campaign was limited to a few generic DoS
methods against TCP and UDP services. This campaign adds DoS attacks against the
GRE protocol (likely reusing the Mirai source code) and the UDP protocol used by
the Grand Theft Auto: San Andreas Multi Player (SA:MP) mod.

Here are the DoS attack commands supported by this botnet:

 * 0x00: Generic UDP flood
 * 0x01: TCP SYN flood
 * 0x02: TCP ACK flood
 * 0x03: TCP STOMP flood
 * 0x04: UDP SA:MP flood targeting game servers running GTA San Andreas: Multi
   Player (SA:MP)
 * 0x05: GRE Ethernet flood
 * 0x06: GRE IP flood
 * 0x07: Generic TCP flood

These specific commands, coupled with the absence of HTTP-related DDoS attacks,
suggests that this campaign is primarily geared toward game server DDoS.


TELNET SELF-PROPAGATION

The most significant difference in the new campaign was the complete replacement
of the SSH brute forcing code with the more usual Telnet equivalent. FortiGuard
Labs has observed similar drastic modifications within RapperBot samples, as
detailed in our previous report, adding and removing even DoS attack code on an
apparent whim.

The Telnet brute forcing code is designed primarily for self-propagation and
resembles the old Mirai Satori botnet. Unlike the earlier SSH brute-forcing
campaign, the plaintext credentials are embedded into the malware instead of
being downloaded from the C2.

Figure 1. Function initializing the credential list

These credentials used appear to be default credentials for IoT devices. To
optimize brute forcing efforts, the malware compares the server prompt upon
connection to a hardcoded list of strings to identify the possible device and
then only tries the known credentials for that device. Unlike less sophisticated
IoT malware, this allows the malware to avoid trying to test a full list of
credentials. While not exactly a novel technique, it is still uncommon compared
to other IoT botnets.

Based on the prompt messages hardcoded into the malware, most of the targeted
devices are IoT devices such as routers and DVRs. This campaign seems especially
interested in older devices with the Qualcomm MDM9625 chipset, such as LTE
modems. It attempts to specifically gain root access to these devices via a
default password, despite having the same credentials in the list embedded in
the binary.

Figure 2. Gaining root access on devices with a default password

Like the earlier SSH brute-forcing campaign, once it has successfully gained
access, it sends the credentials used, the compromised device’s IP address, and
its architecture to the C2 server on a separate port, 5123. After reporting, the
malware attempts to install its main payload binary on the compromised device.

It first parses the Executable and Linkable Format (ELF) header of the
/bin/busybox file for the e_machine field, which provides the architecture of
the compromised device. This allows it to download and deploy a RapperBot
payload of the correct architecture to ensure proper execution. This selective
behavior is more efficient than the shotgun approach in most IoT malware
families, whereby all the binaries for the supported architectures are
downloaded and executed in the victim's system.

Based on the payload binaries we collected, this botnet currently seems to only
target devices running on ARM, MIPS, PowerPC, SH4, and SPARC architectures.
Moreover, it specifically checks and stops its self-propagation if the device is
detected to be running on Intel processors.

The bot then downloads its payload via software installed on the compromised
device, such as ftpget, wget, curl, or tftp, before executing the payload.

Figure 3. Downloading the payload binary using the wget tool

If none of the software mentioned above is installed, it will extract and send
an embedded binary downloader to the compromised device that executes and
downloads the primary payload.

Unlike in Satori, these embedded downloaders are stored as escaped byte strings,
probably to simplify parsing and processing within the code.

Figure 4. List of embedded binary downloaders

The binary downloaders are written by echoing the bytes and piping the content
to a file in the victim system. As labeled in Figure 4, each binary has a
hardcoded URL for downloading the payload binary of the proper architecture.

Figure 5. Writing downloader binary and executing it

No attempts to persist on infected or brute-forced devices were observed for
this campaign.


RELATED CAMPAIGNS


FortiGuard Labs compared samples for this and related campaigns from the past to
find any links with the previously reported RapperBot campaign.

We observed that the earliest samples for this campaign were from December 2021
and that the SA:MP attack was only added in February 2022. This campaign
mysteriously disappeared in mid-April 2022, resurfacing in Oct 2022 with the
addition of the self-propagation feature.

We also found older samples from another campaign that was active in
August-September 2021 with an almost identical list of credentials. These
samples contain slightly fewer credentials and a simpler self-propagation code
that only supports downloading the payload via wget or the binary downloader
embedded directly into the sample. This campaign did not support stopping or
restarting the Telnet propagation, and while the samples support the same
commands, their associated IDs did not match.

Figure 6. Timeline of related campaigns

The similar lists of credentials suggest that the threat actor behind this
current campaign has access to the source code for the earlier campaign, as this
code was not found in other IoT malware samples.


CONNECTIONS TO RAPPERBOT

The fact that samples from both campaigns use the same C2 protocol, coupled with
the absence of this campaign during the RapperBot campaign active between June
and Aug 2022 and its recent reappearance, seems to be more than a coincidence.

With the several similarities between the two campaigns outlined below, we
believe that either the same threat actor might be behind both campaigns or each
campaign might have branched from the same privately-shared source code.

 1. The C2 commands and corresponding IDs are identical in both campaigns
    (excluding the Telnet-related commands, as those do not apply to RapperBot)
 2. Both campaigns show a certain degree of effort in optimizing the brute
    forcing implementation. Code for the brute forcing implementation is
    significantly more structured than typical IoT malware that copies and
    pastes code with minimal modifications.
 3. RapperBot also supported the TCP STOMP attack popularized by Mirai. This
    attack was not observed in the earlier campaigns mentioned above. However,
    as both Mirai and Satori source code are publicly available, this is
    considered a very weak link between the campaigns.

If both campaigns were related, the reason for restarting an older campaign
remains a mystery.


CONCLUSION

Based on the undeniable similarities between this new campaign and the
previously reported RapperBot campaign, it is highly likely that they are being
operated by a single threat actor or by different threat actors with access to a
privately-shared base source code.

Unlike the previous RapperBot campaign, this new campaign has a clear motivation
to compromise as many IoT devices as possible to build a DDoS botnet.

Although this new campaign has evolved significantly from previous campaigns,
mitigating it remains the same—setting strong passwords for all devices
connected to the internet.

FortiGuard Labs will continue to monitor RapperBot’s development.


FORTINET PROTECTIONS

The FortiGuard Antivirus service detects and blocks this threat as ELF/Mirai,
Linux/Mirai, and ELF/Gafgyt.

The FortiGuard AntiVirus service is supported by FortiGate, FortiMail,
FortiClient, and FortiEDR, and the Fortinet AntiVirus engine is a part of each
of those solutions. Customers running current AntiVirus updates are protected.

FortiGuard Labs provides the Rapper.Botnet IPS signature against RapperBot C2
activity.

The FortiGuard Web Filtering Service blocks the C2 servers and download URLs.

FortiGuard IP Reputation and Anti-Botnet Security Service proactively block
these attacks by aggregating malicious source IP data from the Fortinet
distributed network of threat sensors, CERTs, MITRE, cooperative competitors,
and other global sources that collaborate to provide up-to-date threat
intelligence about hostile sources.


IOCS


FILES

3d5c5d9e792e0a5f3648438b7510b284f924ab433f08d558b6e082e1d5414a03
7afcac5f71e9205879e0e476d3388898a62e7aa4a3e4a059884f40ea36cfd57f
8ec79a35700f6691f0d88d53647e9f2b75648710ecd119e55815331fc3bdd0b5
a12ad4bc394d60bc037271e1c2df1bd2b87bdaaba85f6c1b7d046341f027cc2d
f000bf482040b48595badee1fc56afb95449ac48b5dc35fe3a05542cbf18f658
4aa9175c1846557107ec197ea73d4cc8dbe6d575a8fd86ae214ff9b3a00e438b
f98261eb7dc122449c158118cc9c660683206983a9e90ff73eb88c4705e0c48e



DOWNLOAD URLS

hxxp://185[.]216[.]71[.]149/armv4l

hxxp://185[.]216[.]71[.]149/armv5l

hxxp://185[.]216[.]71[.]149/armv6l

hxxp://185[.]216[.]71[.]149/armv7l

hxxp://185[.]216[.]71[.]149/mips

hxxp://185[.]216[.]71[.]149/mipsel

hxxp://185[.]216[.]71[.]149/powerpc

hxxp://185[.]216[.]71[.]149/sparc

hxxp://185[.]216[.]71[.]149/sh4

hxxp://185[.]216[.]71[.]149/bot_arm4_el

hxxp://185[.]216[.]71[.]149/bot_arm5_el

hxxp://185[.]216[.]71[.]149/bot_arm6_el

hxxp://185[.]216[.]71[.]149/bot_arm7_el

hxxp://185[.]216[.]71[.]149/bot_mips_eb

hxxp://185[.]216[.]71[.]149/bot_mips_el

hxxp://185[.]216[.]71[.]149/bot_sh_el


C2

185[.]216[.]71[.]149

Learn more about Fortinet’s FortiGuard Labs threat research and global
intelligence organization and Fortinet’s FortiGuard AI-powered Security Services
portfolio. Sign up to receive our threat research blogs.


Tags:

fortiguard labs, fortiguard antivirus, RapperBot, DDoS attacks


RELATED POSTS

Threat Research

THREAT PREDICTIONS FOR 2023: NEW ATTACK SURFACES AND THREATS EMERGE AS
CYBERCRIME EXPANDS



Threat Research

TIPS AND TRICKS: USING THE .NET OBFUSCATOR AGAINST ITSELF



Threat Research

MIRAI, RAR1RANSOM, AND GUARDMINER – MULTIPLE MALWARE CAMPAIGNS TARGET VMWARE
VULNERABILITY


 * 
 * 
 * 
 * 
 * 
 * 

NEWS & ARTICLES

 * News Releases
 * News Articles
 * Trademarks

SECURITY RESEARCH

 * Threat Research
 * FortiGuard Labs
 * Threat Map
 * Threat Briefs
 * Ransomware

CONNECT WITH US

 * Blog
 * Fuse Community

COMPANY

 * About Us
 * Why Fortinet
 * Security Fabric
 * Exec Mgmt
 * Careers
 * Certifications
 * Events
 * Industry Awards
 * Sitemap
 * Blog Sitemap

CONTACT US

 * (866) 868-3678

Copyright © 2022 Fortinet, Inc. All Rights Reserved

Terms of Services Privacy Policy | Cookie Settings
Also of Interest
 * DOJ & Top Security Threats
 * Pay Ransomware Settlements?
 * Why ZTNA in the Cloud Isn't Enough
 * Converging NOC & SOC starts with FortiGate


COOKIE PREFERENCE CENTER




 * YOUR PRIVACY


 * STRICTLY NECESSARY COOKIES


 * PERFORMANCE COOKIES


 * FUNCTIONAL COOKIES


 * TARGETING COOKIES


YOUR PRIVACY

When you visit any website, it may store or retrieve information on your
browser, mostly in the form of cookies. Because we respect your right to
privacy, you can choose not to allow some types of cookies. Click on the
different category headings to find out more and change our default settings.
However, blocking certain cookies in the Functional category may impact your
experience of the site and the services we are able to offer. privacy policy


STRICTLY NECESSARY COOKIES

Always Active

These cookies are necessary for the website to function and cannot be switched
off in our systems. They are usually only set in response to actions made by you
which amount to a request for services, such as setting your privacy
preferences, logging in or filling in forms. You can set your browser to block
or alert you about these cookies, but some parts of the site will not then work.

Cookies Details‎


PERFORMANCE COOKIES

Performance Cookies


These cookies allow us to count visits and traffic sources so we can measure and
improve the performance of our site. They help us to know which pages are the
most and least popular and see how visitors move around the site.

Cookies Details‎


FUNCTIONAL COOKIES

Functional Cookies


These cookies enable the website to provide enhanced functionality and
personalisation. They may be set by us or by third party providers whose
services we have added to our pages. If you do not allow these cookies then some
or all of these services may not function properly.

Cookies Details‎


TARGETING COOKIES

Targeting Cookies


These cookies may be set through our site by our advertising partners. They may
be used by those companies to build a profile of your interests and show you
relevant adverts on other sites. They are based on uniquely identifying your
browser and internet device. If you do not allow these cookies, you will
experience less targeted advertising.

Cookies Details‎


BACK BUTTON BACK

Vendor Search
Filter Button
Consent Leg.Interest
checkbox label label
checkbox label label
checkbox label label


 * 33ACROSS
   
   33ACROSS
   
   View Third Party Cookies
    * Name
      cookie name


Clear
checkbox label label
Apply Cancel
Confirm My Choices
Allow All



COOKIE SETTINGS

By clicking “Accept All”, you agree to use of cookies on your device to enhance
site functionality, analyze site usage, and assist in our marketing efforts. The
Cookies Settings link has cookie-specific detail and preference options. privacy
policy

Reject All Accept All
Cookies Settings