An updated version of the RapperBot malware is used to carry out DDoS attacks on game servers.
A new version of RapperBot botnet malware is being used to target game servers with DDoS attacks. IoT devices are used as gateways to reach servers.
Game servers targeted by DDoS attackers
Threat actors use RapperBot malware to carry out Distributed Denial of Service (DDoS) attacks on game servers. Linux platforms are at risk of being compromised by this dangerous botnet.
In a Fortinet blog post, it has been stated that RapperBot is likely aimed at game servers, given the specific commands it supports and the absence of HTTP-related DDoS attacks. IoT (Internet of Things) devices are the ones at risk of infection, and RapperBot appears to be particularly interested in older devices built on the Qualcomm MDM9625 chipset.
RapperBot appears to target devices running on ARM, MIPS, PowerPC, SH4 and SPARC architectures, although it is not designed to run on Intel chipsets.
This isn’t RapperBot’s debut
RapperBot isn’t new to cybercrime, although it hasn’t been around for years either. RapperBot was first noticed in the wild in August 2022 by Fortinet, although it has since been confirmed to have been operational since May of the previous year. In that campaign, RapperBot was used to launch SSH brute force attacks in order to spread to Linux servers.
Fortinet said in the aforementioned blog post that the most significant difference in this updated version of RapperBot is “the complete replacement of SSH brute force code with the more usual Telnet equivalent.”
This Telnet code is designed for self-propagation and closely resembles, and may be inspired by, the older Mirai IoT botnet, which runs on ARC processors. Mirai’s source code leaked in late 2016, leading to numerous modified versions (one of which may be RapperBot).
But unlike Mirai, in this iteration of RapperBot the built-in binary downloaders are “stored as escaped byte strings, presumably to simplify parsing and processing in code,” as noted in the Fortinet blog post regarding the new version of the botnet.
The botnet operators are not known
At the time of writing, the operators of RapperBot remain anonymous. However, Fortinet said that a single malicious actor, or a group of actors with access to the source code, is the most likely scenario. More information on this may be released in the near future.
It’s also likely that this updated version of RapperBot is being used by the same people who operated the previous iteration, as they would need access to the source code to carry out these attacks.
RapperBot activity continues to be monitored
Fortinet ended its blog post regarding the updated RapperBot variant by assuring readers that the malware’s activity will continue to be monitored, so we can expect to see more examples of RapperBot being used over time.