RapperBot is a malware family targeting IoT devices, first observed in June 2022. A recent variant launched a significant DoS attack on the AI startup DeepSeek. The malware, built for the ARM architecture, employs various techniques for obfuscation and for managing socket connections.
Affected: IoT devices, AI firms
Key points:
- RapperBot is a malware family specifically targeting Internet of Things (IoT) devices.
- First observed in the wild in June 2022, with a notable attack on DeepSeek occurring on January 28, 2025.
- The malware is designed for the ARM architecture and is an ELF executable.
- RapperBot focuses on TCP Denial of Service (DoS) attacks rather than brute force attacks or exploiting vulnerabilities.
- Prior to launching attacks, it establishes a UDP socket connection and retrieves local socket details.
- Calls getrlimit() to obtain the resource limits of the calling process.
- Employs XOR obfuscation to protect sensitive information within the botnet.
- Compared to similar malware like Mirai and Hailbot, RapperBot has limited capabilities, focusing mainly on TCP and UDP DoS attacks.
- Interestingly, it includes an advertisement delivery mechanism featuring a popular YouTube video.
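The two pre-attack host checks listed above (the UDP socket plus local-address lookup, and the getrlimit() call), written out as an added illustration so an analyst reading the decompiled ARM code can see what each call returns on a Linux host. This is not code from the sample or the blog post; it assumes the bot uses the common "connect a UDP socket, then getsockname()" idiom, and the loopback probe address is constructed for the demo.

```c
// Added illustration, not the analysed sample's code. Assumption: the "UDP socket
// connection and local socket details" step is the standard connect()+getsockname()
// idiom, which makes the kernel pick a source address without sending a packet.
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <unistd.h>

// getrlimit(RLIMIT_NOFILE): the soft limit caps how many descriptors (sockets) the
// process can hold open at once, which is why a socket-heavy bot reads it first.
long open_fd_soft_limit(void) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0) return -1;
    return (long)rl.rlim_cur;
}

// connect() on a UDP socket transmits nothing; it only binds the socket to the
// route the kernel would use, so getsockname() then reveals the local address.
// Writes the dotted-quad address into out (size n); returns 0 on success.
int local_addr_via_udp(const char *probe_ip, char *out, size_t n) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in remote = {0};
    remote.sin_family = AF_INET;
    remote.sin_port = htons(53);  // any port; no datagram is ever sent
    if (inet_pton(AF_INET, probe_ip, &remote.sin_addr) != 1) { close(fd); return -1; }
    if (connect(fd, (struct sockaddr *)&remote, sizeof remote) != 0) { close(fd); return -1; }
    struct sockaddr_in local;
    socklen_t len = sizeof local;
    if (getsockname(fd, (struct sockaddr *)&local, &len) != 0) { close(fd); return -1; }
    close(fd);
    return inet_ntop(AF_INET, &local.sin_addr, out, n) ? 0 : -1;
}

// Constructed self-check: probing loopback must report loopback as the local side.
int loopback_probe_ok(void) {
    char ip[INET_ADDRSTRLEN];
    return local_addr_via_udp("127.0.0.1", ip, sizeof ip) == 0 && strcmp(ip, "127.0.0.1") == 0;
}

int main(void) {
    printf("RLIMIT_NOFILE soft limit: %ld\n", open_fd_soft_limit());
    printf("loopback probe consistent: %s\n", loopback_probe_ok() ? "yes" : "no");
    return 0;
}
```

Running this under strace shows the same socket/connect/getsockname/getrlimit sequence a sandbox trace of the sample would, which is the behavioural signature worth matching.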
MITRE Techniques:
- T1499 – Endpoint Denial of Service: RapperBot executes TCP DoS attacks by creating sockets and connecting them to remote addresses.
- T1071 – Application Layer Protocol: Utilizes HTTP protocols to interact with the remote server during attacks.
- T1203 – Exploitation for Client Execution: While the bot does not brute force, it does exploit application layer protocols for executing its DoS functionalities.
Indicator of Compromise:
- [MD5] EF9EBF4D5A1A44D0DB92DE06D3DCE7A1
Full Story: https://malwareanalysisspace.blogspot.com/2025/02/rapperbot-static-analysis-for-arm.html