An updated version of RapperBot malware is being used to carry out DDoS attacks on game servers.
A new version of botnet malware RapperBot is being used to target game servers with DDoS attacks. IoT devices are being used as gateways to reach the servers.
Game Servers Targeted by DDoS Attackers
Threat actors are using RapperBot malware to carry out distributed denial-of-service (DDoS) attacks on game servers. Linux platforms are at risk of attacks by this highly dangerous botnet.
In a Fortinet blog post, it was stated that RapperBot is likely being aimed at game servers due to the specific commands it supports and the lack of absence of HTTP-related DDoS attacks. IoT (Internet of Things) devices are at risk here, though it seems that RapperBot is more concerned with targeting older devices equipped with the Qualcomm MDM9625 chipset.
RapperBot looks to be targeting devices running on ARM, MIPS, PowerPC, SH4, and SPARC architectures, though it is not designed to run on Intel chipsets.
This Is Not RapperBot’s Debut
RapperBot is not brand new to the cybercrime space, though it hasn’t been around for years, either. RapperBot was first noticed in the wild in August 2022 by Fortinet, though it has since been confirmed that it has been in operation since May of the previous year. In this instance, RapperBot was being used to launch SSH brute-force attacks to propagate on Linux servers.
Fortinet stated in the aforementioned blog post that the most significant difference in this updated version of RapperBot is “the complete replacement of the SSH brute forcing code with the more usual Telnet equivalent”.
This Telnet code is designed for self-propagation, which closely resembles and may be inspired by the old Mirai IoT botnet that runs on ARC processors. The Mirai source code leaked in late 2016, which led to the creation of numerous modified versions (one of which may be RapperBot).
But unlike Mirai, this iteration of RapperBot’s embedded binary downloaders are “stored as escaped byte strings, probably to simplify parsing and processing within the code”, as stated in the Fortinet blog post regarding the new version of the botnet.
Botnet’s Operators Are Not Known
At the time of writing, RapperBot’s operators remain anonymous. However, Fortinet did state that a single malicious actor or group of actors with access to the source code are the most likely scenarios. More information on this may come out in the near future.
It is also likely that this updated version of RapperBot is likely being used by the same individuals who operated the previous iteration, as they would need access to the source code to carry out attacks.
RapperBot’s Activity Continues to Be Monitored
Fortinet ended its blog post regarding the updated RapperBot variant by assuring readers that the malware’s activity will be monitored in the future. So, we may continue to see more instances of RapperBot’s use as time passes.