A newly uncovered variant of the notorious RapperBot malware is covertly commandeering internet-connected devices—particularly outdated network video recorders (NVRs)—and transforming them into a powerful distributed denial-of-service (DDoS) army in mere moments.
Security researchers have detailed an exploit chain that combines zero-day vulnerabilities, outdated firmware, and alternative DNS infrastructure (OpenNIC) to orchestrate attacks exceeding terabit-scale traffic volumes.
The RapperBot scanning infrastructure sweeps the internet for exposed web servers and, within seconds, fingerprints vulnerable DVR and NVR models.
Upon identifying a target, the malware executes a two-stage exploit: a path-traversal flaw in the device's HTTP service is used to extract administrator credentials, after which those credentials authenticate a push of a fake firmware update over TCP port 34567.
This "update" mounts a remote NFS share and runs the malicious payload directly in memory, leaving no persistent footprint on the filesystem.
A key twist lies in the choice of NFS for payload delivery: many embedded devices lack tools like wget or curl, but do support NFS mounting. By building the delivery around a capability the device already has, the attackers avoid the download tooling that signature-based detection typically watches for and get the binary onto the device quickly.
Instead of hard-coding command-and-control (C2) IP addresses, the latest RapperBot versions use a custom-encrypted DNS TXT record mechanism.
The malware randomly selects one of 32 fully qualified domain names spread across several top-level domains (such as .live and .info), then queries OpenNIC resolvers directly, bypassing the local resolver, to retrieve an encrypted TXT record containing a pipe-delimited list of C2 servers.
A bespoke decryption routine, resembling a streamlined RC4 key schedule followed by a base-56 decoding step, recovers the real C2 IPs in memory. Because the lookups never touch the organization's own resolvers and the record is opaque on the wire, this design sidesteps conventional DNS monitoring and makes takedown of any single name ineffective.
Blindingly Fast DDoS Weaponization
Once a C2 connection is established, often on port 4444 but drawn from a broad port range that includes 1935, 3478, 5000, and 37777, the botnet controller issues commands for network scanning and massive UDP floods aimed at port 80. UDP to port 80 is an unusual combination, since HTTP runs over TCP, which makes this flood comparatively easy to fingerprint at the edge.

Further packet analysis also showed TCP scans to random IP addresses, mainly on port 23 (telnet).
Tests have shown NVRs can launch high-volume packet streams almost immediately after infection. In the researchers' lab setup, an old 10 Mbit hub served as both throttle and tap: it capped the infected NVR's outbound bandwidth while repeating every frame to a monitoring port, allowing the attack traffic to be captured safely.
Victim organizations have reported sudden surges of traffic up to multi-terabit per second levels, with RapperBot implicated in record-setting assaults against major platforms.
Its ability to conscript thousands of old DVRs worldwide keeps the botnet constantly replenished: because the payload runs only in memory, a reboot removes the malware, but exposed devices are reinfected within minutes.
Researchers have observed periodic rotation of scanner, repository, and C2 IP addresses. Malware drop sites now support both FTP and HTTP access on port 21, ensuring compatibility with minimal busybox environments.
Domain pivots, such as v1s.co and zya.tf, trace back to multiple repository IPs, revealing a geographically diverse but interconnected infrastructure.
On August 19, 2025, U.S. authorities charged an Oregon resident in connection with operating the RapperBot network, as part of Operation PowerOFF.
A chart in the original report shows only the most recent changes; more than 60 IPs have been involved since the end of March.

A temporary disruption occurred, causing bots to repeatedly attempt reconnection, but experts caution the botnet is likely to reemerge under new addresses.
Defending Against the Next Wave
- Replace or isolate end-of-life devices: legacy NVRs and DVRs remain prime targets, and a device that cannot be patched should at minimum sit on a segmented network with no inbound exposure.
- Disable UPnP and scrutinize router port mappings to prevent inadvertent exposure of device web interfaces and management ports such as TCP 34567.
- Enforce strong, unique passwords and rotate default credentials on all networked devices.
- Monitor DNS traffic for TXT queries sent directly to external resolvers rather than through the organization's own, and for camera or NVR segments mounting NFS shares outside the network.
- Deploy IDS/IPS solutions capable of detecting unusual UDP floods and outbound telnet scanning activity.
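The behaviours described above (an external host reaching the firmware-update port, the NVR mounting an outside NFS share, DNS sent straight to a foreign resolver, a telnet scan fan-out, and a UDP flood toward port 80) are all visible in ordinary flow logs. The script below is an added example, not code from the original report or from the researchers, that triages a set of flow records for exactly that sequence. The flow records, the camera subnet, the approved-resolver address and the thresholds are constructed for the example and must be adapted to a real network.

```python
"""
Added example: flow-log triage for the RapperBot infection chain described in
the article. Flags, per NVR host:
  1. inbound connection to the firmware-update service on TCP/34567
  2. the NVR mounting an external NFS share (portmapper 111 or NFS 2049)
  3. the NVR sending DNS (port 53) to a resolver that is not one of ours
  4. the NVR fanning out TCP SYNs to many random hosts on port 23
  5. the NVR sending a high-rate UDP stream to port 80
Subnets, resolver address, thresholds and sample flows are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CAMERA_VLAN = ip_network("10.20.0.0/24")            # assumed: where the NVRs live
INTERNAL_NETS = [ip_network("10.0.0.0/8"),           # assumed: everything else is "external"
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
APPROVED_RESOLVERS = {ip_address("10.0.0.53")}       # assumed: the only DNS server NVRs may use
TELNET_SCAN_FANOUT = 20    # distinct TCP/23 targets before we call it scanning
UDP_FLOOD_PPS = 10000      # packets/sec to one destination on UDP/80 before we call it a flood


@dataclass(frozen=True)
class Flow:
    ts: float          # start time, epoch seconds
    src: str
    sport: int
    dst: str
    dport: int
    proto: str         # "tcp" or "udp"
    pkts: int
    duration: float    # seconds


def parse_flows(lines):
    """Parse one whitespace-separated flow per line: ts src sport dst dport proto pkts duration."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto, pkts, dur = line.split()
        flows.append(Flow(float(ts), src, int(sport), dst, int(dport), proto, int(pkts), float(dur)))
    return flows


def is_external(ip):
    """External means outside every network we operate (documentation ranges count as external here)."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def triage(flows):
    """Return {nvr_ip: [finding, ...]} for hosts in CAMERA_VLAN that show RapperBot-like behaviour."""
    findings = defaultdict(list)
    telnet_targets = defaultdict(set)
    for f in flows:
        src_in = ip_address(f.src) in CAMERA_VLAN
        dst_in = ip_address(f.dst) in CAMERA_VLAN
        # 1. an outside host reaching an NVR's firmware-update port
        if dst_in and f.proto == "tcp" and f.dport == 34567 and is_external(f.src):
            findings[f.dst].append(f"firmware-update port 34567 reached from external {f.src}")
        if not src_in:
            continue
        # 2. the NVR mounting an NFS share outside the network
        if f.dport in (111, 2049) and is_external(f.dst):
            findings[f.src].append(f"NFS/portmapper to external {f.dst}:{f.dport}/{f.proto}")
        # 3. DNS sent to a resolver we do not operate (the TXT-record C2 lookup)
        if f.dport == 53 and ip_address(f.dst) not in APPROVED_RESOLVERS:
            findings[f.src].append(f"DNS query to unapproved resolver {f.dst}")
        # 4. telnet fan-out, collected here and thresholded below
        if f.proto == "tcp" and f.dport == 23:
            telnet_targets[f.src].add(f.dst)
        # 5. UDP flood toward port 80 (HTTP is TCP, so this has no legitimate use)
        if f.proto == "udp" and f.dport == 80 and f.duration > 0 and f.pkts / f.duration >= UDP_FLOOD_PPS:
            findings[f.src].append(f"UDP/80 flood to {f.dst}: {f.pkts / f.duration:.0f} pps")
    for src, dsts in telnet_targets.items():
        if len(dsts) >= TELNET_SCAN_FANOUT:
            findings[src].append(f"TCP/23 scan: {len(dsts)} distinct targets")
    return dict(findings)


# Constructed sample: one NVR (10.20.0.7) going through the whole chain, plus a clean camera (10.20.0.8).
SAMPLE_FLOWS = [
    "# ts     src            sport  dst            dport proto pkts   duration",
    "1000.0   203.0.113.9    51000  10.20.0.7      80    tcp   12     0.4",
    "1001.0   203.0.113.9    51001  10.20.0.7      34567 tcp   30     1.1",
    "1003.0   10.20.0.7      871    198.51.100.20  111   tcp   4      0.1",
    "1003.2   10.20.0.7      872    198.51.100.20  2049  tcp   400    2.0",
    "1006.0   10.20.0.7      40001  192.0.2.53     53    udp   2      0.05",
    "1007.0   10.20.0.7      40002  198.51.100.77  4444  tcp   60     120.0",
    "1010.0   10.20.0.7      40100  192.0.2.200    80    udp   600000 30.0",
    "1011.0   10.20.0.8      40003  10.0.0.53      53    udp   2      0.05",
] + [f"{1008 + i * 0.01:.2f} 10.20.0.7 {41000 + i} 198.18.0.{i} 23 tcp 1 0.0" for i in range(25)]

if __name__ == "__main__":
    for host, notes in sorted(triage(parse_flows(SAMPLE_FLOWS)).items()):
        print(host)
        for note in notes:
            print("  -", note)
```

Only 10.20.0.7 is reported; the clean camera's query to the approved resolver produces nothing. The long-lived TCP/4444 session is deliberately left unscored because the article notes C2 ports span a broad range; the other five indicators are specific enough to stand on their own.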
While the internet's long tail of unpatchable devices ensures such threats will persist, awareness of RapperBot's blitzkrieg-style takeover can help network defenders anticipate and blunt the next flash DDoS onslaught.