RapperBot, a Mirai-based botnet, has returned with new capabilities that target Internet of Things (IoT) devices for Distributed Denial of Service (DDoS) attacks against game servers. The malware is now using a Telnet self-propagation mechanism instead of the SSH brute-forcing technique that was observed by Fortinet last August. The following commands have been seen used by the malware:
- Register (used by the client)
- Keep-Alive/Do nothing
- Stop all DoS attacks and terminate the client
- Perform a DoS attack
- Stop all DoS attacks
- Restart Telnet brute forcing
- Stop Telnet brute forcing
In the past, the malware would pull a list of credentials from the Command and Control (C2) server for brute-forcing. In this current campaign, it uses a hardcoded list of common weak credentials. If working credentials are found, the malware then attempts to install the primary payload binary. With the older variant, initial access was believed to be the threat actors' intent. With this current variant, it is clear that DDoS attacks are the desired outcome for the malware operators.
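A defender-side check for the Telnet brute-forcing described above, as an added example that is not from the article or from any vendor's tooling: it parses a constructed, syslog-style Telnet login log (the line format and host name are assumptions) and flags any source that reaches a threshold of failed logins inside a short window, also noting whether a successful login followed that run.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; the telnetd message format is an assumption.
SAMPLE_LOG = """\
Jan 10 12:00:01 iotcam telnetd[412]: login failed for 'root' from 203.0.113.7
Jan 10 12:00:02 iotcam telnetd[412]: login failed for 'admin' from 203.0.113.7
Jan 10 12:00:03 iotcam telnetd[412]: login failed for 'admin' from 203.0.113.7
Jan 10 12:00:04 iotcam telnetd[412]: login failed for 'support' from 203.0.113.7
Jan 10 12:00:05 iotcam telnetd[412]: login failed for 'user' from 203.0.113.7
Jan 10 12:00:06 iotcam telnetd[412]: login succeeded for 'admin' from 203.0.113.7
Jan 10 12:30:00 iotcam telnetd[412]: login failed for 'root' from 198.51.100.20
Jan 10 12:45:00 iotcam telnetd[412]: login succeeded for 'root' from 198.51.100.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ telnetd\[\d+\]: "
    r"login (?P<result>failed|succeeded) for '(?P<user>[^']*)' from (?P<src>\S+)$"
)

def parse(log_text, year=2023):
    """Return (timestamp, source_ip, username, succeeded) tuples; syslog lines carry no year."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated lines are skipped
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["user"], m["result"] == "succeeded"))
    return events

def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag sources with >= threshold failed logins inside a sliding window.
    A later success from a flagged source marks a probable compromise."""
    recent = defaultdict(list)  # source -> failure timestamps still inside the window
    findings = {}
    for ts, src, _user, ok in sorted(events):
        if ok:
            if src in findings:
                findings[src]["success_after_alert"] = True
            continue
        recent[src] = [t for t in recent[src] if ts - t <= window] + [ts]
        if len(recent[src]) >= threshold:
            f = findings.setdefault(src, {"failures": 0, "success_after_alert": False})
            f["failures"] = max(f["failures"], len(recent[src]))
    return findings

if __name__ == "__main__":
    print(detect_bruteforce(parse(SAMPLE_LOG)))
```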
Since 2021, the list of commonly used credentials in brute-forcing attempts has not changed. Those looking to avoid becoming victims of this type of attack should update device firmware regularly. Default passwords should be replaced with strong, unique ones, and devices should be placed behind a firewall where applicable.