Monday, February 10, 2025

RapperBot: how it improved and expanded its abilities, based on static analysis of an early version


Summary

RapperBot is a malware family primarily targeting IoT devices; it has been observed in the wild since June 2022. Recently, on 2025/1/28, a Chinese cybersecurity team noted another variant of this botnet, which carried out a large-scale malicious attack on the Chinese AI startup DeepSeek. That caught my curiosity, so I looked for another variant, one that was improved on the basis of an early version.


Technical analysis

This RapperBot sample is an ELF executable for ARM.

MD5 hash: 139052977D3A5E9246A51D726DAE32BD


Improved abilities and the design

Obviously, this variant of RapperBot has improved: strings like “aAdmin7ujmko0ad” and “aAdministrators” are embedded in the binary and used to brute-force SSH logins, whereas the earlier ARM samples, such as “EF9EBF4D5A1A44D0DB92DE06D3DCE7A1”, had no brute-forcing ability. I did an analysis report on that before. When it successfully cracks the target, it uses the wget command to download the malware itself from hxxp://109.206.243.207/d and so expands its attack surface. The variant has no web-vulnerability exploits of the kind used by other botnets such as EnemyBot. This means the RapperBot group keeps updating their malware's abilities and expanding the infection to IoT devices, while their basic design is still built on the reserve strings. They also still keep the YouTube address hxxps://www.youtube.com/watch?v=4fm_ZZn5qaw. What is the motivation? Ads?

Figure 1 - brute-forcing strings and malware addresses

Moving on to the logic design of the variant: compared to the early version, I found that the code had changed only a little. It added a variable v13 that saves the result of a function and passes that variable as a parameter to a new function named sub_C3D8(v13). This wrapper carries the whole set of new abilities they wanted for the new variant.


Figure 2 - expanding new abilities


In the branch logic of sub_C3D8(v13), downloading the attack sample and performing the brute force are two separate conditions; both sit inside a do-while loop.
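As an added triage example (not code from the post or from the malware), the script below checks that a file is a 32-bit ARM ELF and then looks for the indicator strings named above: the brute-force credential strings, the download address and the YouTube address. The two sample blobs are constructed in the script to mimic the new variant and an early sample that lacks brute forcing; their ELF headers are synthetic.

```python
import struct

# Indicator strings taken from the analysis above (URLs re-fanged for matching).
BRUTE_FORCE_STRINGS = [b"aAdmin7ujmko0ad", b"aAdministrators"]
DOWNLOAD_URL = b"109.206.243.207/d"
YOUTUBE_URL = b"youtube.com/watch?v=4fm_ZZn5qaw"
EM_ARM = 0x28  # e_machine value for ARM in the ELF specification


def elf_is_arm(data: bytes) -> bool:
    """True if data starts with a 32-bit little-endian ELF header whose e_machine is ARM."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return False
    if data[4] != 1 or data[5] != 1:  # EI_CLASS=ELFCLASS32, EI_DATA=ELFDATA2LSB
        return False
    e_machine = struct.unpack_from("<H", data, 18)[0]  # e_ident[16] + e_type[2] -> offset 18
    return e_machine == EM_ARM


def triage(data: bytes) -> dict:
    """Classify a blob by which RapperBot indicators it carries."""
    found_bf = [s.decode() for s in BRUTE_FORCE_STRINGS if s in data]
    has_dl = DOWNLOAD_URL in data
    has_yt = YOUTUBE_URL in data
    if found_bf and has_dl:
        verdict = "rapperbot-variant-bruteforce+download"
    elif found_bf:
        verdict = "rapperbot-bruteforce-strings"
    elif has_dl or has_yt:
        verdict = "rapperbot-like-no-bruteforce"
    else:
        verdict = "no-indicators"
    return {"arm_elf": elf_is_arm(data), "bruteforce_strings": found_bf,
            "download_url": has_dl, "youtube_url": has_yt, "verdict": verdict}


def _fake_arm_elf(payload: bytes) -> bytes:
    """Constructed sample: a minimal ELF32/ARM header followed by a fake string table."""
    hdr = bytearray(52)
    hdr[:4] = b"\x7fELF"
    hdr[4], hdr[5], hdr[6] = 1, 1, 1  # ELFCLASS32, ELFDATA2LSB, EV_CURRENT
    struct.pack_into("<HH", hdr, 16, 2, EM_ARM)  # e_type=ET_EXEC, e_machine=EM_ARM
    return bytes(hdr) + payload


# Constructed inputs, not the real samples.
NEW_VARIANT = _fake_arm_elf(b"\x00aAdmin7ujmko0ad\x00aAdministrators\x00http://109.206.243.207/d"
                            b"\x00https://www.youtube.com/watch?v=4fm_ZZn5qaw\x00")
EARLY_SAMPLE = _fake_arm_elf(b"\x00https://www.youtube.com/watch?v=4fm_ZZn5qaw\x00")

if __name__ == "__main__":
    for name, blob in (("new variant", NEW_VARIANT), ("early sample", EARLY_SAMPLE)):
        print(name, triage(blob))
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `triage`; the string check is intentionally simple and will not see strings the binary stores obfuscated.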


IOC

139052977D3A5E9246A51D726DAE32BD

Conclusion
Until now I have not found the shared attack samples that carried out the DDoS attack on DeepSeek, but from both samples it seems RapperBot continually updates its abilities. This variant focused on SSH brute force and, beyond that, on expanding the attack surface. The campaign they ran was a hidden threat.

End.


Support My Work:

**If you found this report helpful, consider supporting my work by buying me a coffee!** Your contribution helps me dedicate more time to malware analysis and creating free resources for the cybersecurity community.  



[Alipay QR code image] Alipay



*I am deeply grateful from the bottom of my heart!*
