New RapperBot campaign strikes game servers with DDoS attacks

November 23, 2022

The newly observed cybercriminal activity that researchers call the RapperBot campaign uses a purpose-built botnet to launch Distributed Denial-of-Service (DDoS) attacks against game servers.

The researchers believe this newly uncovered botnet is the continuation of an older campaign that emerged earlier this year and then abruptly went quiet in the last weeks of April 2022. RapperBot was first recorded by a network security firm in August 2021, and it is notorious for brute-forcing SSH servers that are configured to accept password authentication.

Based on reports, the malware took its inspiration from the Mirai botnet: analysts noticed that it reuses source code from Mirai, the botnet behind the attacks of October 2016.

The researchers also noted that the updated version of RapperBot can run Telnet brute-force operations alongside its DDoS attacks, which are carried over the Generic Routing Encapsulation (GRE) tunneling protocol. The attack process also includes UDP floods aimed at servers hosting popular video games such as GTA: San Andreas.


The execution of the RapperBot campaign resembles the Mirai botnet.


Experts explained that the RapperBot campaign adopted the Telnet brute-forcing method from the Mirai botnet as its self-propagation tactic.

The malware also carries a hard-coded plaintext list of default credentials used by internet-of-things (IoT) devices, so the operation can try these credentials directly rather than fetching them from a C2 server. Several researchers observed the same feature in the samples detected last July.

After a successful intrusion into a target, the botnet reports the working credentials to the command-and-control server, and the RapperBot payload is then installed on the compromised machine.
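As an added defensive example (not code from the article or from the researchers it cites), the following Python flags the pattern the article describes in SSH authentication logs: a burst of failed password logins from one source, followed by a password-based login success from that same source. The log lines are constructed, and the threshold and time window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines: one brute-forcing source that eventually
# succeeds with a password, and one legitimate user who mistypes once and then
# logs in with a key. Addresses are documentation ranges, not real indicators.
SAMPLE_AUTH_LOG = """\
Nov 23 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51120 ssh2
Nov 23 10:00:02 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51121 ssh2
Nov 23 10:00:03 host sshd[1203]: Failed password for root from 203.0.113.7 port 51122 ssh2
Nov 23 10:00:04 host sshd[1204]: Failed password for invalid user support from 203.0.113.7 port 51123 ssh2
Nov 23 10:00:05 host sshd[1205]: Failed password for root from 203.0.113.7 port 51124 ssh2
Nov 23 10:00:06 host sshd[1206]: Accepted password for root from 203.0.113.7 port 51125 ssh2
Nov 23 10:05:00 host sshd[1300]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Nov 23 10:05:09 host sshd[1301]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse(log_text, year=2022):
    """Turn syslog-style sshd lines into (timestamp, ip, user, result, method) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd messages are ignored
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["result"], m["method"]))
    return events

def detect(events, threshold=5, window_s=60):
    """Map source IP -> findings. threshold/window_s are assumed tuning values."""
    findings = defaultdict(list)
    failed = defaultdict(list)  # ip -> timestamps of recent failed attempts
    for ts, ip, user, result, method in sorted(events):
        if result == "Failed":
            failed[ip] = [t for t in failed[ip] if (ts - t).total_seconds() <= window_s] + [ts]
            if len(failed[ip]) >= threshold and "brute_force" not in findings[ip]:
                findings[ip].append("brute_force")
        elif result == "Accepted" and method == "password" and failed[ip]:
            # A password success after failures from the same source is the
            # credential-guessing outcome worth paging on, not just the noise.
            findings[ip].append(f"password_success_after_failures:{user}")
    return {ip: f for ip, f in findings.items() if f}
```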

The researchers stated that the malware is calibrated by its authors to target appliances running on PowerPC, MIPS, SPARC, SH4, and ARM architectures. By contrast, the malware disables its self-propagation feature when it finds itself running on an Intel-based chipset.

Lastly, some experts noticed that the campaign seen in October shows similarities with other cybercriminal operations involving the malware last year. The Telnet spreader functionality had only a brief stint last year, and the recent resurgence of the RapperBot malware has brought it back.
