RapperBot Targets DVRs to Hijack Surveillance Cameras and Record Video
When the NICT CSRI analysis team presented their three-year investigation into the RapperBot malware at Botconf, an international conference on botnets and malware hosted in Angers, France in May 2025, they made a startling discovery.
This Mirai variant has evolved into a sophisticated threat specifically targeting Digital Video Recorders (DVRs), devices connected to surveillance cameras for remote video recording and control.
Unveiling a Persistent Threat to IoT Security
The team’s findings, detailed in their presentation “Unveiling the DVR Ecosystem: A 3-Year Investigation into Global IoT Bot Recruitment Campaigns,” highlight how DVRs’ inherent weaknesses, such as weak default passwords, open Telnet or HTTP ports on older devices, and infrequent firmware updates, make them prime targets for attackers aiming to infiltrate and exploit Internet of Things (IoT) ecosystems.
RapperBot employs a multi-pronged approach to compromise DVRs: brute-force login attacks using credential lists of which 40% are DVR-specific, alongside exploitation of known Common Vulnerabilities and Exposures (CVEs) and zero-day vulnerabilities through administrative interfaces.

Sophisticated Attack Strategies
A notable aspect of RapperBot’s strategy, as observed in NICTER darknet monitoring data from October to December 2024, is its use of Recon-type scanners to identify device types post-login, relaying information to a report server before a tailored Loader exploits specific vulnerabilities.
This intricate infection chain, which ultimately installs the malware via a download server, complicates efforts to analyze and mitigate zero-day attacks, since the attackers check device responses to detect and avoid honeypots.
Furthermore, RapperBot’s impact extends beyond infiltration, as it orchestrates Distributed Denial of Service (DDoS) attacks globally, including a notable assault on the social media platform X on March 10, 2025 (UTC) that correlates with service disruptions visible in Cisco ThousandEyes availability plots.

Recent updates between March and April 2025 introduced encrypted C2 server name resolution using 32 random FQDNs on public DNS and added HTTPS-based DDoS capabilities, blending malicious traffic with normal web activity by randomizing the TLS signature algorithms to evade TLS fingerprinting such as JA4.
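As an added example (not code from the article or the NICT team), the following Python builds a JA4 client fingerprint from pre-parsed ClientHello fields according to the published JA4 layout, using constructed field values rather than captured traffic. It shows that shuffling the signature_algorithms list changes only the JA4_c section, so the JA4_a and JA4_b sections still give defenders a stable pivot for clustering the bot's TLS connections.

```python
import hashlib
# JA4 section rules follow the published JA4 spec (FoxIO); the ClientHello
# field summaries below are constructed for the example, not captured traffic.

def _is_grease(v):
    """GREASE values (0x0a0a, 0x1a1a, ... 0xfafa) are ignored by JA4."""
    return (v & 0x0f0f) == 0x0a0a and (v >> 8) == (v & 0xff)

def ja4(hello):
    """Build a JA4 client fingerprint from pre-parsed ClientHello fields.
    hello keys: version (highest offered, e.g. 0x0304), sni (bool), quic (bool),
    ciphers / extensions / sigalgs (lists of ints), alpn (str or None)."""
    ciphers = [c for c in hello["ciphers"] if not _is_grease(c)]
    exts = [e for e in hello["extensions"] if not _is_grease(e)]
    ver = {0x0304: "13", 0x0303: "12", 0x0302: "11", 0x0301: "10"}[hello["version"]]
    alpn = hello.get("alpn") or ""
    ja4_a = ("q" if hello.get("quic") else "t") + ver + ("d" if hello["sni"] else "i")
    ja4_a += f"{min(len(ciphers), 99):02d}{min(len(exts), 99):02d}"
    ja4_a += (alpn[0] + alpn[-1]) if alpn else "00"
    # JA4_b: sha256 of the sorted cipher list, first 12 hex chars.
    ja4_b = hashlib.sha256(",".join(f"{c:04x}" for c in sorted(ciphers)).encode()).hexdigest()[:12]
    # JA4_c: sorted extensions (SNI 0x0000 and ALPN 0x0010 dropped), then the
    # signature_algorithms values in the order sent. Shuffling sigalgs, as the
    # article describes, changes only this section.
    ext_str = ",".join(f"{e:04x}" for e in sorted(exts) if e not in (0x0000, 0x0010))
    sig = hello.get("sigalgs") or []
    if sig:
        ext_str += "_" + ",".join(f"{s:04x}" for s in sig)
    ja4_c = hashlib.sha256(ext_str.encode()).hexdigest()[:12]
    return f"{ja4_a}_{ja4_b}_{ja4_c}"

def matching_sections(fp_a, fp_b):
    """Report which JA4 sections two fingerprints still share (a, b, c)."""
    pa, pb = fp_a.split("_"), fp_b.split("_")
    return {name: x == y for name, x, y in zip("abc", pa, pb)}

# Constructed bot ClientHello: TLS 1.3, SNI present, ALPN h2, one GREASE
# cipher and one GREASE extension, and a signature_algorithms list.
BOT_HELLO = {
    "version": 0x0304, "sni": True, "quic": False, "alpn": "h2",
    "ciphers": [0x0a0a, 0x1301, 0x1302, 0x1303, 0xc02b],
    "extensions": [0x2a2a, 0x0000, 0x000a, 0x000b, 0x000d, 0x0010, 0x002b, 0x0033],
    "sigalgs": [0x0403, 0x0804, 0x0401, 0x0503, 0x0805, 0x0501],
}
# Same client, next connection: only the sigalg order has been randomised.
BOT_HELLO_SHUFFLED = dict(BOT_HELLO, sigalgs=[0x0805, 0x0401, 0x0403, 0x0501, 0x0804, 0x0503])

if __name__ == "__main__":
    a, b = ja4(BOT_HELLO), ja4(BOT_HELLO_SHUFFLED)
    print(a, b, matching_sections(a, b), sep="\n")
```

Matching on the full JA4 string alone will miss the randomised connections, while the `t13d0407h2_` prefix and the JA4_b cipher hash remain constant across them.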
According to the report, the malware’s ability to target DVRs from manufacturers such as ITX Security and CTRing, which are sold under more than 28 OEM brands, underscores the challenge of comprehensive vulnerability management, compounded by market fragmentation.
In a 2022 collaboration with a domestic retailer, NICT uncovered four vulnerabilities, including two zero-days, in ITX Security DVRs, leading to patched firmware, an example of the proactive measures needed.
As RapperBot continues to evolve, with variants categorized by scanner implementation (Recon, Telnet, SSH, and No Scan), the NICT CSRI team pledges ongoing analysis and collaboration with distributors and research bodies to enhance end-user awareness and bolster IoT security against such persistent botnet threats.
Indicators of Compromise (IoC)
RapperBot Version | Type | SHA256 |
---|---|---|
February 2025 | No Scan | 7e536cc15ebac6dbbf8e597dc41a20fac460c892cb5488849ed221a6b352f6a6 |
February 2025 | Telnet | ae3d740fc5a9fac12d1ef7c9204a0e25574d095a803baa988e093b8f577fb3bc |
February 2025 | SSH | cc022c57fe74fbb9cc58ea57a4e1debe70fbc5f589b4f2f1987f36989eb4cc85 |
February 2025 | Recon | d822048a8eb925046edc4e5e72c41d82c56093dd87bb22f49685326d85986769 |
April 2025 | No Scan | 200e571bc0a6d2562563022dfcc60ac5ac8c2e40eb73a053be8555349a674a69 |