RapperBot Malware Campaign Conducts DDoS Attacks Against Video Game Servers
Researchers at Fortinet have recently identified new samples of the "RapperBot" malware in a campaign launching distributed denial-of-service (DDoS) attacks against game servers. This campaign resembles an older one that began in February 2022 and "mysteriously disappeared in the middle of April." The new RapperBot samples were first identified in August 2022 and are known to "exclusively brute-force SSH servers configured to accept password authentication." The newest samples add Telnet brute-forcing and denial-of-service (DoS) capabilities, the latter using the Generic Routing Encapsulation (GRE) tunneling protocol as well as UDP floods aimed at game servers. The Telnet brute-forcing relies on lists of default IoT credentials hard-coded in plaintext within the binary. This is a new technique: the previous campaign stored the credential lists on a command-and-control (C2) server and retrieved them from there. When a credential pair succeeds, the malware authenticates to the target device, sends the working credentials back to an actor-controlled C2, and installs the RapperBot payload on the compromised device. An interesting development is the targeted nature of the malware, which is designed to only attack devices running on "ARM, MIPS, PowerPC, SH4, and SPARC architectures, and halt its self-propagation mechanism should they be running on Intel chipsets." Although it has not been officially attributed, it is likely that both campaigns are operated by the same threat actor. CTIX analysts will monitor this campaign and provide updates on the threat actor when definite attribution is available.
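Two defender-side checks that follow from the paragraph above, as an added example that is not part of the CTIX update or of Fortinet's RapperBot research: the malware only targets SSH servers that still accept password authentication, and its brute-forcing leaves a burst of failed logins followed by a success in the sshd log. The script audits an sshd_config for that precondition and runs a sliding-window counter over constructed auth.log lines. All config text, log lines, IP addresses and usernames below are constructed for the example; the functions and thresholds are the author's own and not from any vendor tool.

```python
"""Added example: SSH password-brute-force precondition audit and log detection.
Constructed sample data; not code from the CTIX update or from Fortinet."""
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH auth.log line shapes (syslog timestamp carries no year; a year is
# supplied by the caller). "invalid user" appears when the account does not exist.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)
ACCEPT_RE = re.compile(
    r"sshd\[\d+\]: Accepted password for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sshd_config fragments: the weak one leaves OpenSSH defaults in place.
WEAK_CONFIG = "# PasswordAuthentication no   <- commented out, so the default (yes) applies\n"
HARDENED_CONFIG = (
    "PasswordAuthentication no\n"
    "PermitRootLogin no\n"
    "MaxAuthTries 3\n"
)


def parse_sshd_config(text):
    """Return the effective values of the directives relevant to password brute force.
    sshd honours the FIRST occurrence of a directive and ignores later repeats, so the
    parser does the same. Simplification: Match blocks are not evaluated."""
    defaults = {"passwordauthentication": "yes",        # OpenSSH default
                "permitrootlogin": "prohibit-password",  # OpenSSH default
                "maxauthtries": "6"}                     # OpenSSH default
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, val = parts[0].lower(), parts[1].strip().lower()
        if key in defaults and key not in seen:
            seen[key] = val
    return {k: seen.get(k, v) for k, v in defaults.items()}


def accepts_password_auth(text):
    """True when this config would leave the host inside RapperBot's target set."""
    return parse_sshd_config(text)["passwordauthentication"] == "yes"


def find_bruteforce(lines, threshold=5, window_seconds=60, year=2022):
    """Map source IP -> (count, first_ts, last_ts) for IPs whose failed password
    logins reach `threshold` inside any `window_seconds` span."""
    hits = {}
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            hits[m["ip"]] = (len(q), q[0], q[-1])
    return hits


def successes_after_bruteforce(lines, hits):
    """(ip, user) pairs where a flagged source later logged in with a password:
    the point at which the malware would report the credentials to its C2."""
    found = set()
    for line in lines:
        m = ACCEPT_RE.search(line)
        if m and m["ip"] in hits:
            found.add((m["ip"], m["user"]))
    return found


# Constructed auth.log excerpt: one credential-stuffing burst, one ordinary user.
SAMPLE_LOG = [
    "Nov 15 10:00:01 gw sshd[1201]: Failed password for root from 203.0.113.7 port 40022 ssh2",
    "Nov 15 10:00:03 gw sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 40024 ssh2",
    "Nov 15 10:00:05 gw sshd[1205]: Failed password for invalid user ubnt from 203.0.113.7 port 40026 ssh2",
    "Nov 15 10:00:08 gw sshd[1207]: Failed password for invalid user support from 203.0.113.7 port 40028 ssh2",
    "Nov 15 10:00:10 gw sshd[1209]: Failed password for root from 203.0.113.7 port 40030 ssh2",
    "Nov 15 10:00:12 gw sshd[1211]: Accepted password for root from 203.0.113.7 port 40032 ssh2",
    "Nov 15 10:02:40 gw sshd[1300]: Failed password for alice from 198.51.100.5 port 51000 ssh2",
    "Nov 15 10:03:10 gw sshd[1302]: Failed password for alice from 198.51.100.5 port 51002 ssh2",
    "Nov 15 10:03:55 gw sshd[1304]: Accepted publickey for alice from 198.51.100.5 port 51004 ssh2",
]

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: password auth accepted = {accepts_password_auth(cfg)}")
    flagged = find_bruteforce(SAMPLE_LOG)
    for ip, (n, first, last) in flagged.items():
        print(f"brute force from {ip}: {n} failures between {first:%H:%M:%S} and {last:%H:%M:%S}")
    print("password logins after a flagged burst:", successes_after_bruteforce(SAMPLE_LOG, flagged))
```

The config audit mirrors sshd's first-match rule on purpose: a hardening line appended at the bottom of a file that already sets `PasswordAuthentication yes` higher up does nothing, which is a common reason a host believed to be key-only still shows up in brute-force traffic. A successful password login from a source that was just flagged is the event worth alerting on, since it is the point at which credentials leave the box.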
Threat Actor Activity
TA542 Reemerges After 4 Month Hiatus, Improves Emotet Arsenal
After a recent hiatus, threat actors from TA542 have once again begun utilizing Emotet malware to distribute thousands of malicious emails to end-users. TA542, also tracked as Mummy Spider, is commonly known for their core development of Emotet malware, which was first observed in 2014. TA542 typically runs Emotet-driven campaigns that last several months, after which the group goes on a hiatus lasting between three (3) and twelve (12) months. Emotet activity picked up again in early November after a four (4) month hiatus that followed the previous campaign in July. In this new campaign, Proofpoint analysts noted some significant changes to the Emotet malware, including binary changes, improved Excel attachment lure tactics, a light loader called IcedID, and scattered reports of Bumblebee payloads dropped alongside IcedID. In terms of targeting, TA542 has distributed Emotet attacks to users in the United States, United Kingdom, Japan, Mexico, Brazil, and several other countries. Modifications made by the threat actors appear to correct issues surrounding corrupted hosts within the botnet. CTIX expects this recent campaign to last a few more months before TA542 goes on another hiatus. CTIX continues to monitor threat actor activity throughout the landscape and will provide additional updates accordingly.
F5 Patches Two High-Severity RCE Vulnerabilities
The F5 cybersecurity company has released patches for two (2) critical vulnerabilities impacting their BIG-IP and BIG-IQ products. If these flaws were to be exploited, the threat actor could perform unauthenticated remote code execution (RCE) against vulnerable endpoints. The first vulnerability, tracked as CVE-2022-41622 (CVSS 8.8/10), is a cross-site request forgery (CSRF) flaw in the iControl SOAP component, affecting BIG-IP and BIG-IQ products. An attacker could exploit this vulnerability by socially engineering users with resource administrator role privileges or higher, tricking them into accessing malicious endpoints. If exploited, the threat actor could gain root access to the management interface of the vulnerable device, allowing for a complete system compromise. The second vulnerability, tracked as CVE-2022-41800 (CVSS 8.7/10), is an RPM spec injection flaw impacting the iControl REST appliance mode. If successfully exploited, an attacker who has already secured administrator credentials could again perform unauthenticated RCE by executing shell commands via RPM-specific files. Although severe, the likelihood that these flaws will be exploited at scale is low, because an attacker would first have to learn about the target network and compromise the correct administrator accounts. A working proof-of-concept (PoC) exploit exists for CVE-2022-41622, so users should install the hotfixes as soon as possible. In addition to installing the hotfix, administrators should manually disable Basic Authentication for the iControl SOAP component. CTIX analysts urge any readers running these F5 platforms to upgrade immediately to prevent exploitation.
- The Bleeping Computer: CVE-2022-41622 & CVE-2022-41800 Article
- Rapid7: CVE-2022-41622 & CVE-2022-41800 Report
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (firstname.lastname@example.org) if additional context is needed.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.