New RapperBot Campaign – We Know What You Bruting for this Time | FortiGuard Labs

FortiGuard Labs reports that RapperBot has re-emerged in October 2022 as a DDoS-focused IoT botnet aimed at game servers, leveraging Telnet brute-forcing with embedded credentials to propagate. The campaign maintains a similar C2 protocol to earlier RapperBot activity, expands DoS capabilities (including GRE and SA:MP floods), and uses architecture-aware payload delivery, suggesting a single actor or shared code base behind related campaigns. #RapperBot #Mirai #Satori #SA_MP #IoT

Key points

  • The new RapperBot campaign targets game servers and is built to exploit IoT devices via Telnet brute-forcing with hardcoded credentials.
  • DoS capabilities now include GRE floods and SA:MP floods, alongside generic UDP/TCP floods, controlled by a set of 0x00–0x07 commands.
  • The Telnet propagation approach resembles older Mirai/Satori behavior, replacing SSH brute-forcing with Telnet and embedding credentials in the malware.
  • Payload delivery is architecture-aware: the malware inspects ELF headers to download the correct binary for ARM, MIPS, PowerPC, SH4, or SPARC and stops on Intel devices.
  • Downloads can occur via ftpget, wget, curl, or tftp, or via embedded binary downloaders if these tools are unavailable.
  • There is no observed persistence mechanism; the campaign focuses on immediate compromise and C2 communication to report compromised devices and deploy payloads.
  • Fortinet protections include detection as ELF/Mirai and Linux/Mirai, plus blocking of C2/download URLs and IP reputation-based defenses; links to RapperBot campaigns suggest a shared source or actor.

MITRE Techniques

  • [T1110] Brute Force – Telnet brute forcing to access IoT devices; “The Telnet brute forcing code is designed primarily for self-propagation and resembles the old Mirai Satori botnet.”
  • [T1071] Command and Control – Use of a C2 protocol to control the botnet; “The C2 network protocol used in previous campaigns remains essentially unchanged, with additional commands added to support the Telnet brute force.”
  • [T1082] System Information Discovery – Architecture-aware payloads determined by examining ELF headers; “parses the Executable and Linkable Format (ELF) header of the /bin/busybox file for the e_machine field, which provides the architecture of the compromised device.”
  • [T1105] Ingress Tool Transfer – Payload downloaded to compromised devices via ftpget, wget, curl, or tftp; “The malware downloads its payload via software installed on the compromised device, such as ftpget, wget, curl, or tftp, before executing the payload.”
  • [T1499.001] Network Denial of Service – DoS commands include UDP flood, TCP SYN flood, TCP ACK flood, TCP STOMP flood, GRE floods, and SA:MP floods targeting game servers; “DoS attack commands supported by this botnet: 0x00 Generic UDP flood, 0x01 TCP SYN flood, 0x02 TCP ACK flood, 0x03 TCP STOMP flood, 0x04 UDP SA:MP flood targeting game servers… 0x06 GRE IP flood.”
  • [T1021] Remote Services – Telnet-based propagation of compromised devices; “The Telnet brute forcing code is designed primarily for self-propagation…”
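The T1082 entry above describes the malware reading the `e_machine` field of `/bin/busybox` to pick a payload. The following added example (not code from FortiGuard Labs or from the malware) shows what that check involves from an analyst's side: it parses the ELF identification bytes and `e_machine` value from a file image, honouring the header's own endianness, and maps the value to the architecture families the report lists. The `make_header` helper and the sample headers are constructed for illustration.

```python
import struct

ELF_MAGIC = b"\x7fELF"

# e_machine values from the ELF specification for the families the report
# names (ARM, MIPS, PowerPC, SH4, SPARC), plus Intel, on which the report
# says the malware stops. Values outside this table are reported as unknown.
E_MACHINE_NAMES = {
    2: "sparc", 18: "sparc", 43: "sparc",
    3: "intel", 62: "intel",
    8: "mips",
    20: "powerpc", 21: "powerpc",
    40: "arm", 183: "arm",
    42: "sh4",
}

def elf_machine(data: bytes) -> dict:
    """Return class, endianness and architecture name of an ELF image.
    Raises ValueError for anything that is not a well-formed ELF header."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]          # EI_CLASS, EI_DATA
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unknown ELF class or data encoding")
    endian = "<" if ei_data == 1 else ">"         # 1 = LSB, 2 = MSB
    # e_machine is a 16-bit field at offset 18: e_ident[16] + e_type[2]
    (e_machine,) = struct.unpack_from(endian + "H", data, 18)
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "e_machine": e_machine,
        "arch": E_MACHINE_NAMES.get(e_machine, "unknown"),
    }

def would_fetch_payload(data: bytes) -> bool:
    """Mirror the report's description: a payload exists for ARM, MIPS,
    PowerPC, SH4 and SPARC; on Intel (and unknown) the chain stops."""
    return elf_machine(data)["arch"] in {"arm", "mips", "powerpc", "sh4", "sparc"}

def make_header(ei_class: int, ei_data: int, e_machine: int) -> bytes:
    """Constructed minimal 20-byte ELF header for testing (not a real binary)."""
    endian = "<" if ei_data == 1 else ">"
    e_ident = ELF_MAGIC + bytes([ei_class, ei_data, 1]) + b"\x00" * 9
    return e_ident + struct.pack(endian + "HH", 2, e_machine)  # e_type=ET_EXEC

if __name__ == "__main__":
    # Constructed samples: ARM little-endian, MIPS big-endian, x86-64
    for hdr in (make_header(1, 1, 40), make_header(1, 2, 8), make_header(2, 1, 62)):
        print(elf_machine(hdr), would_fetch_payload(hdr))
```

Pointing `elf_machine` at the first 20 bytes of a real `/bin/busybox` reproduces the decision the report describes for that device.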

Indicators of Compromise

  • [File] Hashes – 3d5c5d9e792e0a5f3648438b7510b284f924ab433f08d558b6e082e1d5414a03, 7afcac5f71e9205879e0e476d3388898a62e7aa4a3e4a059884f40ea36cfd57f, 8ec79a35700f6691f0d88d53647e9f2b75648710ecd119e55815331fc3bdd0b5, and 4 more hashes
  • [URL] Download URLs – hxxp://185[.]216[.]71[.]149/armv4l, hxxp://185[.]216[.]71[.]149/armv5l, hxxp://185[.]216[.]71[.]149/armv6l, hxxp://185[.]216[.]71[.]149/armv7l, and 2 more URLs
  • [IP] C2 server – 185.216.71.149

Read more: https://www.fortinet.com/blog/threat-research/new-rapperbot-campaign-ddos-attacks