Introduction
The RapperBot botnet has been a significant threat in the cybersecurity landscape since at least 2021. This botnet is designed to conduct large-scale Distributed Denial of Service (DDoS) attacks, targeting various organizations and services worldwide. Over time, it has evolved, adapting new techniques to infect end-of-life IoT devices, making it a persistent and formidable adversary.
Botnet Evolution
The infrastructure behind RapperBot is highly dynamic, with Command & Control (C2) servers frequently changing IP addresses. Monitoring passive DNS records associated with each domain reveals over 60 unique IPs involved since the end of March alone. The most recent changes indicate a spike in communications between August 6th and 7th, followed by a takedown operation on August 19th.
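The passive DNS monitoring described above, as an added example that is not part of the original article: a Python script that reads constructed passive-DNS records, counts the distinct A-record IPs a suspected C2 domain has resolved to since a cutoff date, and flags the days on which an unusual number of new IPs appeared. The domain names, addresses, dates and burst threshold are all constructed for illustration.

```python
from collections import defaultdict
from datetime import date
import ipaddress
import json

# Constructed passive-DNS export (one JSON object per line); domains, IPs and dates are made up.
PDNS_LINES = """\
{"domain": "c2.example", "rrtype": "A", "rdata": "203.0.113.10", "first_seen": "2025-03-30"}
{"domain": "c2.example", "rrtype": "A", "rdata": "203.0.113.11", "first_seen": "2025-04-02"}
{"domain": "c2.example", "rrtype": "A", "rdata": "203.0.113.10", "first_seen": "2025-04-09"}
{"domain": "c2.example", "rrtype": "TXT", "rdata": "opaque-blob", "first_seen": "2025-04-09"}
{"domain": "c2.example", "rrtype": "A", "rdata": "198.51.100.5", "first_seen": "2025-08-06"}
{"domain": "c2.example", "rrtype": "A", "rdata": "198.51.100.6", "first_seen": "2025-08-06"}
{"domain": "c2.example", "rrtype": "A", "rdata": "198.51.100.7", "first_seen": "2025-08-06"}
{"domain": "c2.example", "rrtype": "A", "rdata": "not-an-ip", "first_seen": "2025-08-07"}
{"domain": "c2.example", "rrtype": "A", "rdata": "198.51.100.8", "first_seen": "2025-08-07"}
{"domain": "c2.example", "rrtype": "A", "rdata": "198.51.100.9", "first_seen": "2025-08-07"}
{"domain": "other.example", "rrtype": "A", "rdata": "192.0.2.1", "first_seen": "2025-08-06"}
"""

def parse_records(lines, since):
    """Yield (domain, ip, first_seen) for well-formed A records first seen on or after `since`."""
    for line in filter(str.strip, lines.splitlines()):
        rec = json.loads(line)
        if rec["rrtype"] != "A":
            continue  # TXT records carry the encrypted payload discussed later, not plain IPs
        try:
            ip = ipaddress.IPv4Address(rec["rdata"])
        except ipaddress.AddressValueError:
            continue  # malformed rdata is dropped rather than counted as a C2 address
        seen = date.fromisoformat(rec["first_seen"])
        if seen >= since:
            yield rec["domain"], str(ip), seen

def churn_report(lines, since_iso, burst_threshold):
    """Per domain: distinct IPs since `since_iso`, plus days with >= burst_threshold new IPs."""
    ips, new_per_day = defaultdict(set), defaultdict(lambda: defaultdict(set))
    # Sort by first_seen so each IP is credited to the day it first appeared.
    for domain, ip, seen in sorted(parse_records(lines, date.fromisoformat(since_iso)),
                                   key=lambda r: r[2]):
        if ip not in ips[domain]:
            new_per_day[domain][seen].add(ip)
            ips[domain].add(ip)
    return {d: {"unique_ips": len(ips[d]),
                "burst_days": sorted(day.isoformat() for day, s in new_per_day[d].items()
                                     if len(s) >= burst_threshold)}
            for d in ips}

if __name__ == "__main__":
    print(json.dumps(churn_report(PDNS_LINES, "2025-03-25", 2), indent=1))
```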
Takedown Operation
The U.S. Attorney’s Office of the District of Alaska announced charges against an Oregon man for his alleged involvement in developing and administering RapperBot. This action, part of Operation PowerOFF, involved coordinated efforts among international law enforcement agencies to dismantle DDoS-for-hire infrastructures globally.
Technical Details
The botnet scans the internet for old edge devices such as DVRs and routers and compromises them by exploiting vulnerabilities or brute-forcing passwords. Once infected, these devices run the RapperBot malware and contribute to DDoS attacks that have exceeded 7 Tbps. The malware does not need persistence on an infected device: because the botnet continuously scans for and reinfects vulnerable devices, a bot that is lost is simply replaced by the next scan.
Cryptographic Analysis
Communications between bots and C2 servers are encrypted in two layers. The outer layer is removed with a checksum-style routine built from XOR operations seeded with an initial key. Once that layer is stripped, a checksum computed over the first 16 bytes of the payload is used to derive a second key, which decrypts the remainder of the payload with AES.
Decrypted Payloads
The decrypted data reveals a list of IP addresses that serve as C2 servers. For instance, parsing TXT records from domains associated with RapperBot yields IPs like 194.226.121.51 and 188.92.28.62.
Mitigation Strategies
To protect against such threats, individuals and organizations should adopt several security measures:
- Personal Measures:
  - Be wary of old devices that no longer receive updates.
  - Keep all internet-connected devices updated with the latest firmware.
  - Use strong, unique passwords for all devices and accounts.
  - Disable UPnP if not in use to prevent automatic port openings.
  - Regularly review exposed services and close unnecessary ports.
- Organizational Measures:
  - Maintain a comprehensive inventory of internet-facing devices.
  - Implement robust vulnerability management programs.
  - Enforce strict patch management policies.
  - Deploy IDS/IPS solutions to monitor and block malicious traffic.
  - Enforce strong access controls, including multi-factor authentication (MFA).
  - Develop and regularly test an incident response plan.
  - Leverage threat intelligence feeds for emerging threats and IOCs related to IoT botnets.