RapperBot is a malware family targeting IoT devices, noted for conducting a large-scale attack against the Chinese AI startup DeepSeek. Observed since June 2022, RapperBot has evolved through improved capabilities and malicious strategies, including SSH brute-force attacks. The malware is designed to expand its attack surface by leveraging specific vulnerabilities.
Affected: IoT devices, Chinese AI startup (DeepSeek)
Keypoints:
- RapperBot primarily targets IoT devices.
- The malware family has been in existence since June 2022.
- Recently, a variant of RapperBot attacked the Chinese AI startup DeepSeek.
- The malware sample is an ELF executable built for ARM.
- It downloads additional malware to expand its attack surface.
- No web vulnerabilities are exploited, unlike other botnets.
- The malware improves its brute-force capabilities to compromise SSH clients.
- The strings RapperBot uses for brute-forcing are embedded in its binary.
- It has a new variable structure that enhances its functionality.
- The overall design indicates that its malicious capabilities are continually updated.
MITRE Techniques:
- Brute Force (T1110): Utilizes embedded strings within the binary to target SSH clients for unauthorized access.
- Command and Control (T1071): Downloads malware from a specified URL (hxxp://109.206.243.207/d) for further malicious actions.
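The two techniques above leave a characteristic trace on a victim host: a burst of failed SSH password attempts from one source, then a successful login, then an outbound fetch of the stager URL. The following detection example is added here and is not from the report or its author; the log lines are constructed, and the failure threshold and log formats are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample sshd auth.log lines (not from the report): one source guesses
# root/admin passwords, succeeds, and a separate admin logs in normally with a key.
SAMPLE_AUTH_LOG = """\
Feb 10 03:14:01 cam01 sshd[812]: Failed password for root from 198.51.100.23 port 40122 ssh2
Feb 10 03:14:02 cam01 sshd[813]: Failed password for admin from 198.51.100.23 port 40123 ssh2
Feb 10 03:14:03 cam01 sshd[814]: Failed password for invalid user user from 198.51.100.23 port 40124 ssh2
Feb 10 03:14:04 cam01 sshd[815]: Failed password for root from 198.51.100.23 port 40125 ssh2
Feb 10 03:14:05 cam01 sshd[816]: Failed password for root from 198.51.100.23 port 40126 ssh2
Feb 10 03:14:06 cam01 sshd[817]: Accepted password for root from 198.51.100.23 port 40127 ssh2
Feb 10 03:20:11 cam01 sshd[900]: Failed password for ops from 192.0.2.10 port 50010 ssh2
Feb 10 03:20:15 cam01 sshd[901]: Accepted publickey for ops from 192.0.2.10 port 50011 ssh2
"""

# Constructed egress/proxy log (assumed format): the infected host fetches the stager.
SAMPLE_EGRESS_LOG = """\
2025-02-10T03:14:08Z cam01 proxy: GET http://109.206.243.207/d 200 ua=Wget
2025-02-10T03:30:00Z cam01 proxy: GET http://example.org/firmware.bin 200 ua=curl
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port")
IOC_URL = "http://109.206.243.207/d"  # download URL reported for this RapperBot variant


def brute_force_sources(log_text, threshold=5):
    """Sources with at least `threshold` failed logins, and whether a login followed."""
    failed, users, succeeded = defaultdict(int), defaultdict(set), set()
    for line in log_text.splitlines():
        if m := FAILED_RE.search(line):
            failed[m.group(2)] += 1
            users[m.group(2)].add(m.group(1))
        elif (m := ACCEPTED_RE.search(line)) and failed[m.group(2)] >= threshold:
            succeeded.add(m.group(2))  # success after a guessing burst: likely compromise
    return {ip: {"failed": n, "users": sorted(users[ip]), "login_after_failures": ip in succeeded}
            for ip, n in failed.items() if n >= threshold}


def ioc_download_hits(egress_text, url=IOC_URL):
    """Egress log lines in which a host fetched the reported stager URL."""
    return [line for line in egress_text.splitlines() if url in line]
```

Correlating a source flagged by `brute_force_sources` with a hit from `ioc_download_hits` on the same host within minutes is the signal worth alerting on; either alone is noisier.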
Indicators of Compromise:
- [Hash] MD5: 139052977D3A5E9246A51D726DAE32BD
- [URL] hxxp://109.206.243.207/d
- [YouTube] hxxps://www.youtube.com/watch?v=4fm_ZZn5qaw
Full Story: https://malwareanalysisspace.blogspot.com/2025/02/rapperbot-how-to-improve-and-expand-its.html