Fortinet FortiGuard Labs researchers discovered new samples of RapperBot malware, indicating that threat actors are building a botnet to launch crippling distributed denial of service attacks (DDoS attacks) against game servers.
The malware was reported previously in FortiGuard’s article, “So RapperBot, What Ya Bruting For?”
FortiGuard’s researchers Joie Salvio and Roy Tay noted that the number of samples circulating in the wild dropped in August 2022 compared with when the malware was first discovered. They then identified new samples from October that use the same unique C2 protocol RapperBot used earlier. For reference, RapperBot is known for brute-forcing SSH servers that accept password authentication.
This variant differs in that it can also brute-force Telnet, in addition to supporting DoS attacks through the Generic Routing Encapsulation (GRE) tunneling protocol and UDP floods targeting game servers that run Grand Theft Auto: San Andreas.
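Because the variant described above spreads by guessing SSH and Telnet passwords, the most useful signal for a defender is the one it leaves in authentication logs: many failed password attempts from one source, possibly followed by a successful password login from that same source. The script below is an added example, not code from the article or from FortiGuard; it runs over a few constructed OpenSSH `auth.log` lines (the hosts, IPs and usernames are invented), counts failures per source, flags sources over a threshold, and reports any password login that followed a flagged burst. The threshold of 5 is an assumed value.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH auth.log format (not from the article).
# 198.51.100.7 hammers several accounts and then logs in with a password;
# 203.0.113.9 is a normal user who mistyped once and then used a key.
SAMPLE_LOG = """\
Nov 15 10:00:01 host sshd[1201]: Failed password for root from 198.51.100.7 port 40211 ssh2
Nov 15 10:00:02 host sshd[1202]: Failed password for admin from 198.51.100.7 port 40212 ssh2
Nov 15 10:00:03 host sshd[1203]: Failed password for invalid user pi from 198.51.100.7 port 40213 ssh2
Nov 15 10:00:04 host sshd[1204]: Failed password for root from 198.51.100.7 port 40214 ssh2
Nov 15 10:00:05 host sshd[1205]: Failed password for root from 198.51.100.7 port 40215 ssh2
Nov 15 10:00:06 host sshd[1206]: Failed password for invalid user test from 198.51.100.7 port 40216 ssh2
Nov 15 10:01:10 host sshd[1210]: Failed password for alice from 203.0.113.9 port 51000 ssh2
Nov 15 10:01:20 host sshd[1211]: Accepted publickey for alice from 203.0.113.9 port 51001 ssh2
Nov 15 10:02:00 host sshd[1220]: Accepted password for root from 198.51.100.7 port 40230 ssh2
"""

# "invalid user" is emitted when the account does not exist; it is optional here
# so that guesses against non-existent accounts are counted too.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)
# Only password logins matter for this detection; key-based logins are ignored.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted password for (\S+) from (\S+) port \d+"
)


def summarize(log_text):
    """Count failed password attempts per source and record password logins
    from sources that had previously failed."""
    fails = defaultdict(lambda: {"count": 0, "users": set()})
    successes = []  # (source, user) for password logins after earlier failures
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, src = m.groups()
            fails[src]["count"] += 1
            fails[src]["users"].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            user, src = m.groups()
            if src in fails:
                successes.append((src, user))
    return fails, successes


def flag_bruteforce(log_text, threshold=5):
    """Return (flagged, compromised): sources with >= threshold failures,
    and password logins that succeeded from a flagged source."""
    fails, successes = summarize(log_text)
    flagged = {
        src: (d["count"], sorted(d["users"]))
        for src, d in fails.items()
        if d["count"] >= threshold
    }
    compromised = [(src, user) for src, user in successes if src in flagged]
    return flagged, compromised


if __name__ == "__main__":
    flagged, compromised = flag_bruteforce(SAMPLE_LOG)
    for src, (count, users) in flagged.items():
        print(f"brute-force suspect {src}: {count} failures against {users}")
    for src, user in compromised:
        print(f"ALERT: password login for {user!r} from flagged source {src}")
```

The same pattern applies to Telnet if the service logs failed logins, though many embedded devices do not, which is one reason the article's note that RapperBot targets SSH servers with password authentication enabled matters: disabling password authentication (`PasswordAuthentication no` in `sshd_config`) removes the attack surface this detection is watching.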
It is worth noting that Mirai’s source code was leaked in October 2016, and since then, many different variants of Mirai have emerged.
Researchers at FortiGuard are certain that the samples are created for a brand-new DDoS campaign against game servers. It may also be the reappearance of a similar campaign detected earlier in 2022. This new campaign is much different from the older RapperBot campaign detected in February 2022, which later disappeared in April.
Fortinet researchers wrote in a blog post that the malware only targets appliances running PowerPC, ARM, SH4, SPARC, and MIPS architectures; it quickly halts its self-propagation mechanism when run on Intel chipsets.
“Based on the undeniable similarities between this new campaign and the previously reported RapperBot campaign, it is highly likely that they are being operated by a single threat actor or by different threat actors with access to a privately-shared base source code.”
Joie Salvio and Roy Tay – FortiGuard
Top/Featured Image: PixaBay – Victoria_Watercolor