New RapperBot malware targets game servers with DDoS attacks
Fortinet FortiGuard Labs researchers discovered new samples of RapperBot malware, indicating that threat actors are building a botnet to launch devastating distributed denial of service (DDoS) attacks against game servers.
The malware was previously reported in FortiGuard’s article – So RapperBot, What Ya Bruting For?
FortiGuard researchers Joie Salvio and Roy Tay noted that the number of samples circulating in the wild had dropped in August 2022 compared to when the malware was first discovered. They then identified new samples from October that use the same unique C2 protocol RapperBot used previously. RapperBot is known for brute-forcing SSH servers that accept password authentication.
This variant differs from the earlier one: it can brute-force Telnet in addition to supporting DoS attacks through the Generic Routing Encapsulation (GRE) tunneling protocol and UDP floods aimed at game servers running Grand Theft Auto: San Andreas.
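The GRE and UDP flood capabilities described above are the kind of traffic a game-server operator would want to spot in flow telemetry. The following detector is an added example written for this page, not code from Fortinet or the article: it buckets constructed flow records per destination and time window and raises an alert when a destination receives a high packet volume from many distinct sources, either as GRE (IP protocol 47) or as UDP to an assumed game-server port (7777 is assumed here, not stated by the article).

```python
from collections import defaultdict
from dataclasses import dataclass

GRE_PROTO = 47       # IP protocol number for GRE
UDP_PROTO = 17
GAME_PORT = 7777     # assumed GTA: San Andreas multiplayer port (assumption, not from the article)


@dataclass
class Flow:
    ts: int      # epoch seconds
    src: str
    dst: str
    proto: int
    dport: int   # 0 when the protocol has no port (e.g. GRE)
    pkts: int


def detect_floods(flows, window=10, pkt_threshold=5000, min_sources=20):
    """Return alerts for (dst, kind, window) buckets that look like a distributed flood.
    A bucket alerts only when both the packet count and the number of distinct
    sources exceed their thresholds, so a single busy player does not trigger it."""
    buckets = defaultdict(lambda: [0, set()])   # key -> [packet count, source set]
    for f in flows:
        if f.proto == GRE_PROTO:
            kind = "gre-flood"
        elif f.proto == UDP_PROTO and f.dport == GAME_PORT:
            kind = "udp-flood"
        else:
            continue
        key = (f.dst, kind, f.ts - f.ts % window)
        buckets[key][0] += f.pkts
        buckets[key][1].add(f.src)
    alerts = []
    for (dst, kind, start), (pkts, srcs) in sorted(buckets.items()):
        if pkts >= pkt_threshold and len(srcs) >= min_sources:
            alerts.append({"dst": dst, "kind": kind, "window_start": start,
                           "pkts": pkts, "sources": len(srcs)})
    return alerts


def build_sample_flows():
    """Constructed sample telemetry (not real captures): a GRE flood from 30 bots,
    five legitimate players on the game port, then a UDP flood from 25 bots."""
    server = "203.0.113.10"
    flows = [Flow(100 + t, f"198.51.100.{i}", server, GRE_PROTO, 0, 50)
             for t in range(10) for i in range(30)]
    flows += [Flow(105, f"192.0.2.{i}", server, UDP_PROTO, GAME_PORT, 10) for i in range(5)]
    flows += [Flow(115, f"198.51.100.{i}", server, UDP_PROTO, GAME_PORT, 300) for i in range(25)]
    return flows
```

Running `detect_floods(build_sample_flows())` yields one GRE alert for the 100-109 window and one UDP alert for the 110-119 window, while the five legitimate players stay below both thresholds.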
The Telnet brute-forcing code is used for self-propagation. Researchers noted that RapperBot draws on the Mirai botnet, since its Telnet code resembles that of the Mirai Satori variant.
It is worth noting that Mirai’s source code was leaked in October 2016, and since then many different variants of Mirai have appeared.
Researchers at FortiGuard are confident that the samples were built for a brand-new DDoS campaign against game servers. It is also possible that a similar campaign will resurface earlier in 2022. This new campaign is quite different from the older RapperBot campaign discovered in February 2022, which later disappeared in April.
Fortinet researchers wrote in a blog post that the malware targets only devices running PowerPC, ARM, SH4, SPARC and MIPS architectures, and that it stops its self-propagation mechanism as soon as it finds itself running on an Intel chipset.
“Based on the undeniable similarities between this new campaign and the previously reported RapperBot campaign, it is highly likely that they are operated by a single threat actor or by different threat actors with access to a private shared base source code.”
Joie Salvio and Roy Tay – FortiGuard
Top/Featured Image: PixaBay – Victoria_Watercolor