FortiGuard Labs has encountered new samples of the RapperBot campaign active since January 2023. RapperBot is a malware family primarily targeting IoT devices. It has been observed in the wild since June 2022. FortiGuard Labs reported on its previous campaigns in August 2022 and December 2022. Those campaigns focused on brute-forcing devices with weak or default SSH or Telnet credentials to expand the botnet’s footprint for launching Distributed Denial of Service (DDoS) attacks.
In this camp
Activity Summary - Week Ending on 25 November 2022:
- Red Sky Alliance identified 26,613 connections from new IP’s checking in with our Sinkholes
- Contabo GmbH in Germany hit 100x
- Analysts identified 769 new IP addresses participating in various Botnets
- New RapperBot Campaign
- Somnia Ransomware
- New Inlock and Xorist Variants
- Debugging .NET Malware
- Iranian Drones
- City of Westmount, Quebec hit
- Nord Stream2 and AIS
- Kiwi Attacks
Link to full report: IR-22-329-001_weekly329.pdf
FortiGuard Labs researchers have been tracking a quickly evolving IoT malware family known as “RapperBot” since mid-June 2022. This family borrows heavily from the original Mirai source code, but what separates it from other IoT malware families is its built-in capability to brute force credentials and gain access to SSH servers instead of Telnet as implemented in Mirai. In addition, recent samples show that its developers have started adding code to maintain persistence, which is rarely done
Activity Summary - Week Ending on 12 August 2022:
- Red Sky Alliance identified 23,968 connections from new IP’s checking in with our Sinkholes
- ril.com Hit
- Analysts identified 765 new IP addresses participating in various Botnets
- Zeppelin Ransomware
- Exim
- SmokeLoader
- RapperBot
- AiTM Phishing
- BlenderBot
- PortDoor & CotSam
Link to full report: IR-22-224-001_weekly224.pdf
