After FortiGuard Labs reported on RapperBot in our previous article titled So RapperBot, What Ya Bruting For? in August 2022, there was a significant drop in the number of samples collected in the wild. But in early October 2022, new samples with the same distinctive C2 protocol used by RapperBot were detected.
Unlike the murky objectives of the previous campaign, it is quickly evident that these samples are part of a separate campaign to launch Distributed Denial of Service (DDoS) attacks against game servers, which we believe to be a re-emergence of a similar campaign from earlier this year.
Affected Platforms: Linux
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: Critical
This article discusses the differences observed in this campaign and its relation to the previous RapperBot and similar campaigns in the past.
FortiGuard Labs encountered this campaign by hunting for samples using the unique bot ID used by RapperBot to communicate with its Command-and-Control (C2) server, as reported in the previous article.
But once we analyzed these new samples, we observed a significant difference between them and the earlier campaign. In fact, it turns out that this campaign is less like RapperBot than an older campaign that appeared in February and then mysteriously disappeared in the middle of April. Other related campaigns uncovered during this investigation are detailed later in this article.
The C2 network protocol used in previous campaigns remains essentially unchanged, with additional commands added to support the Telnet brute force. The list of commands and IDs are shown below:
The previously reported RapperBot campaign was limited to a few generic DoS methods against TCP and UDP services. This campaign adds DoS attacks against the GRE protocol (likely reusing the Mirai source code) and the UDP protocol used by the Grand Theft Auto: San Andreas Multi Player (SA:MP) mod.
Here are the DoS attack commands supported by this botnet:
These specific commands, coupled with the absence of HTTP-related DDoS attacks, suggests that this campaign is primarily geared toward game server DDoS.
The most significant difference in the new campaign was the complete replacement of the SSH brute forcing code with the more usual Telnet equivalent. FortiGuard Labs has observed similar drastic modifications within RapperBot samples, as detailed in our previous report, adding and removing even DoS attack code on an apparent whim.
The Telnet brute forcing code is designed primarily for self-propagation and resembles the old Mirai Satori botnet. Unlike the earlier SSH brute-forcing campaign, the plaintext credentials are embedded into the malware instead of being downloaded from the C2.
These credentials used appear to be default credentials for IoT devices. To optimize brute forcing efforts, the malware compares the server prompt upon connection to a hardcoded list of strings to identify the possible device and then only tries the known credentials for that device. Unlike less sophisticated IoT malware, this allows the malware to avoid trying to test a full list of credentials. While not exactly a novel technique, it is still uncommon compared to other IoT botnets.
Based on the prompt messages hardcoded into the malware, most of the targeted devices are IoT devices such as routers and DVRs. This campaign seems especially interested in older devices with the Qualcomm MDM9625 chipset, such as LTE modems. It attempts to specifically gain root access to these devices via a default password, despite having the same credentials in the list embedded in the binary.
Like the earlier SSH brute-forcing campaign, once it has successfully gained access, it sends the credentials used, the compromised device’s IP address, and its architecture to the C2 server on a separate port, 5123. After reporting, the malware attempts to install its main payload binary on the compromised device.
It first parses the Executable and Linkable Format (ELF) header of the /bin/busybox file for the e_machine field, which provides the architecture of the compromised device. This allows it to download and deploy a RapperBot payload of the correct architecture to ensure proper execution. This selective behavior is more efficient than the shotgun approach in most IoT malware families, whereby all the binaries for the supported architectures are downloaded and executed in the victim's system.
Based on the payload binaries we collected, this botnet currently seems to only target devices running on ARM, MIPS, PowerPC, SH4, and SPARC architectures. Moreover, it specifically checks and stops its self-propagation if the device is detected to be running on Intel processors.
The bot then downloads its payload via software installed on the compromised device, such as ftpget, wget, curl, or tftp, before executing the payload.
If none of the software mentioned above is installed, it will extract and send an embedded binary downloader to the compromised device that executes and downloads the primary payload.
Unlike in Satori, these embedded downloaders are stored as escaped byte strings, probably to simplify parsing and processing within the code.
The binary downloaders are written by echoing the bytes and piping the content to a file in the victim system. As labeled in Figure 4, each binary has a hardcoded URL for downloading the payload binary of the proper architecture.
No attempts to persist on infected or brute-forced devices were observed for this campaign.
FortiGuard Labs compared samples for this and related campaigns from the past to find any links with the previously reported RapperBot campaign.
We observed that the earliest samples for this campaign were from December 2021 and that the SA:MP attack was only added in February 2022. This campaign mysteriously disappeared in mid-April 2022, resurfacing in Oct 2022 with the addition of the self-propagation feature.
We also found older samples from another campaign that was active in August-September 2021 with an almost identical list of credentials. These samples contain slightly fewer credentials and a simpler self-propagation code that only supports downloading the payload via wget or the binary downloader embedded directly into the sample. This campaign did not support stopping or restarting the Telnet propagation, and while the samples support the same commands, their associated IDs did not match.
The similar lists of credentials suggest that the threat actor behind this current campaign has access to the source code for the earlier campaign, as this code was not found in other IoT malware samples.
The fact that samples from both campaigns use the same C2 protocol, coupled with the absence of this campaign during the RapperBot campaign active between June and Aug 2022 and its recent reappearance, seems to be more than a coincidence.
With the several similarities between the two campaigns outlined below, we believe that either the same threat actor might be behind both campaigns or each campaign might have branched from the same privately-shared source code.
If both campaigns were related, the reason for restarting an older campaign remains a mystery.
Based on the undeniable similarities between this new campaign and the previously reported RapperBot campaign, it is highly likely that they are being operated by a single threat actor or by different threat actors with access to a privately-shared base source code.
Unlike the previous RapperBot campaign, this new campaign has a clear motivation to compromise as many IoT devices as possible to build a DDoS botnet.
Although this new campaign has evolved significantly from previous campaigns, mitigating it remains the same—setting strong passwords for all devices connected to the internet.
FortiGuard Labs will continue to monitor RapperBot’s development.
The FortiGuard Antivirus service detects and blocks this threat as ELF/Mirai, Linux/Mirai, and ELF/Gafgyt.
The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR, and the Fortinet AntiVirus engine is a part of each of those solutions. Customers running current AntiVirus updates are protected.
FortiGuard Labs provides the Rapper.Botnet IPS signature against RapperBot C2 activity.
The FortiGuard Web Filtering Service blocks the C2 servers and download URLs.
FortiGuard IP Reputation and Anti-Botnet Security Service proactively block these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.
Learn more about Fortinet’s FortiGuard Labs threat research and global intelligence organization and Fortinet’s FortiGuard AI-powered Security Services portfolio. Sign up to receive our threat research blogs.