RapperBot static analysis for the ARM architecture; another variant launched a DDoS attack on Chinese AI startup DeepSeek
Summary
RapperBot is a malware family primarily targeting IoT devices. It has been observed in the wild since June 2022. Recently, another variant of this botnet was noted by a Chinese cybersecurity team on 2025/1/28; it carried out a large-scale malicious attack on the Chinese AI startup DeepSeek, which attracted my curiosity, so I looked for one variant, an early version that belongs to the ARM architecture, to analyze.
Technical analysis
This RapperBot sample is an ELF executable for ARM.
MD5 hash: EF9EBF4D5A1A44D0DB92DE06D3DCE7A1
This variant focuses on TCP DoS attacks; it does no brute forcing (for example against Telnet servers) and no vulnerability exploitation.
Figure 1 - DoS attack
Before starting a DoS attack, the code creates a UDP socket using port 13568, connects it to a remote address, retrieves the local socket details, closes the socket, and finally returns the value 134744072.
Figure 2 - Retrieving socket details
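The sequence in Figure 2 (UDP socket, connect(), getsockname(), close()) is the standard way for a program to learn which local IP address the kernel would use to reach the outside world, without sending a single packet. The following C program is an added example, not code from the sample or from the original post; it reproduces that pattern and also renders a decompiler constant as a dotted quad. Note that 134744072 is 0x08080808, which read as a big-endian IPv4 address is 8.8.8.8, consistent with the remote address being a well-known public resolver; that reading is my inference, not something the page states. The loopback destination in main() is only there so the program runs without network access.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Reproduces the "connect a UDP socket, read back its local address" trick.
 * connect() on a UDP socket sends nothing; it only makes the kernel choose the
 * route and source address it would use for dst, which getsockname() then
 * reveals. Returns the local IPv4 address in host byte order, or 0 on error. */
uint32_t local_addr_towards(const char *dst_ip, uint16_t dst_port) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return 0;

    struct sockaddr_in dst;
    memset(&dst, 0, sizeof dst);
    dst.sin_family = AF_INET;
    dst.sin_port = htons(dst_port);            /* 13568 in the analysed sample */
    if (inet_pton(AF_INET, dst_ip, &dst.sin_addr) != 1 ||
        connect(fd, (struct sockaddr *)&dst, sizeof dst) != 0) {
        close(fd);
        return 0;
    }

    struct sockaddr_in local;
    socklen_t len = sizeof local;
    int rc = getsockname(fd, (struct sockaddr *)&local, &len);
    close(fd);                                 /* socket is discarded immediately, as in Figure 2 */
    return rc == 0 ? ntohl(local.sin_addr.s_addr) : 0;
}

/* Formats a host-order IPv4 address as a dotted quad, so that a constant such
 * as 134744072 seen in a decompiler can be read as an address. */
void ipv4_to_string(uint32_t host_order, char out[INET_ADDRSTRLEN]) {
    snprintf(out, INET_ADDRSTRLEN, "%u.%u.%u.%u",
             (unsigned)(host_order >> 24) & 0xFF, (unsigned)(host_order >> 16) & 0xFF,
             (unsigned)(host_order >> 8) & 0xFF, (unsigned)host_order & 0xFF);
}

/* Convenience check: does the constant render as the expected dotted quad? */
int ipv4_matches(uint32_t host_order, const char *expected) {
    char buf[INET_ADDRSTRLEN];
    ipv4_to_string(host_order, buf);
    return strcmp(buf, expected) == 0;
}

int main(void) {
    char buf[INET_ADDRSTRLEN];
    ipv4_to_string(134744072u, buf);           /* 0x08080808 */
    printf("134744072 as an IPv4 address: %s\n", buf);

    /* Loopback is used here so the demonstration works offline. */
    uint32_t me = local_addr_towards("127.0.0.1", 13568);
    ipv4_to_string(me, buf);
    printf("local address towards 127.0.0.1: %s\n", buf);
    return 0;
}
```

For a defender the useful point is that this step produces no network traffic at all, so the first observable activity from the sample is whatever happens after the local address has been learned.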
The value 134744072 from Figure 2 is then used as a parameter in an XOR computation together with the PID and PPID.
Figure 3 - XOR with 134744072, PID, PPID and clock time
The result from Figure 3 is a parameter used to retrieve machine information. The wrapper has several ways to obtain machine information, such as reading "/proc/stat" and "/proc/cpuinfo".
Figure 4 - Machine information snippet
The botnet also calls getrlimit() to retrieve the resource limits of the process.
Figure 5 - getrlimit function
Like much other malware, RapperBot hides important and sensitive information inside the binary with a simple XOR obfuscation.
Figure 6 - asc_1C64C snippet
RapperBot decodes the asc_1C64C strings before starting a DDoS attack.
Figure 7 - Decode strings and kill something
The function sub_9B40 decodes the asc_1C64C strings.
Figure 8 - Decode algorithm snippet
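When an analyst meets a routine like sub_9B40, the practical task is to reproduce the decoder outside the sample so the whole string table (asc_1C64C here) can be dumped at once, and to recover the key when it is not obvious from the disassembly. The C program below is an added example written for this post, not the sample's own code: the key 0x5A, the two-entry table, and the table layout (raw bytes with the length known) are constructed for illustration, and the only plaintexts used are strings already named on this page ("SSH-2.0-HELLOWORLD" and "/proc/cpuinfo"). Beyond the single decode step the page shows, it also recovers the key from a known plaintext prefix, a step an analyst would normally do before dumping the table.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Single-byte XOR is its own inverse: the same routine obfuscates and decodes. */
void xor_bytes(uint8_t *buf, size_t len, uint8_t key) {
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key;
}

/* Decodes one table entry into out (NUL-terminated).
 * Returns the number of bytes written, or 0 if out is too small. */
size_t decode_entry(const uint8_t *enc, size_t len, uint8_t key, char *out, size_t out_cap) {
    if (len + 1 > out_cap)
        return 0;
    memcpy(out, enc, len);
    xor_bytes((uint8_t *)out, len, key);
    out[len] = '\0';
    return len;
}

/* Known-plaintext key recovery: if the analyst expects the entry to start with
 * crib, a single-byte key must satisfy enc[i] ^ key == crib[i] for every i.
 * Returns the key (0..255), or -1 if no single byte explains the whole crib. */
int recover_key(const uint8_t *enc, size_t len, const char *crib) {
    size_t n = strlen(crib);
    if (n == 0 || n > len)
        return -1;
    int key = enc[0] ^ (uint8_t)crib[0];
    for (size_t i = 1; i < n; i++)
        if ((enc[i] ^ key) != (uint8_t)crib[i])
            return -1;
    return key;
}

/* Convenience check used by the demonstration: decode and compare. */
int decode_matches(const uint8_t *enc, size_t len, uint8_t key, const char *expected) {
    char buf[64];
    if (decode_entry(enc, len, key, buf, sizeof buf) == 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

/* Constructed sample table (hypothetical key 0x5A; not the sample's real table).
 * Entry 0 is "SSH-2.0-HELLOWORLD", entry 1 is "/proc/cpuinfo", each XORed with 0x5A. */
static const uint8_t SAMPLE_SSH[] = {
    0x09, 0x09, 0x12, 0x77, 0x68, 0x74, 0x6A, 0x77, 0x12,
    0x1F, 0x16, 0x16, 0x15, 0x0D, 0x15, 0x08, 0x16, 0x1E
};
static const uint8_t SAMPLE_PROC[] = {
    0x75, 0x2A, 0x28, 0x35, 0x39, 0x75, 0x39, 0x2A, 0x2F, 0x33, 0x34, 0x3C, 0x35
};

int main(void) {
    char buf[64];
    /* Step 1: recover the key from a string the analyst expects to be present. */
    int key = recover_key(SAMPLE_SSH, sizeof SAMPLE_SSH, "SSH-2.0-");
    if (key < 0) {
        puts("no single-byte key explains the crib");
        return 1;
    }
    printf("recovered key: 0x%02X\n", key);
    /* Step 2: dump every entry with that key. */
    decode_entry(SAMPLE_SSH, sizeof SAMPLE_SSH, (uint8_t)key, buf, sizeof buf);
    printf("entry 0: %s\n", buf);
    decode_entry(SAMPLE_PROC, sizeof SAMPLE_PROC, (uint8_t)key, buf, sizeof buf);
    printf("entry 1: %s\n", buf);
    return 0;
}
```

A multi-byte rolling key, as some Mirai-derived families use, is handled the same way with the crib covering at least one full key length; the single-byte case is kept here because that is what a simple XOR loop in the decompiler corresponds to.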
The function sub_83D4 kills something specific.
Figure 9 - Kill something snippet
It creates a TCP socket, sets it to non-blocking mode, and attempts to connect to the remote server.
Figure 10 - TCP connection to the remote server
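The socket(), O_NONBLOCK, connect() sequence of Figure 10 is a common shape in bots because a non-blocking connect lets the process keep running (or open many sockets) while the handshake is pending; on a non-blocking socket connect() returns immediately with EINPROGRESS, and the result has to be collected later with poll() and SO_ERROR. The C program below is an added example for this post, not the sample's code: it shows the complete pattern including the completion check that is easy to miss when reading only the connect() call in a decompiler. The loopback listener is a test fixture so the program runs offline.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Switches fd to O_NONBLOCK; returns 0 on success. */
static int set_nonblocking(int fd) {
    int flags = fcntl(fd, F_GETFL, 0);
    return flags < 0 ? -1 : fcntl(fd, F_SETFL, flags | O_NONBLOCK);
}

/* Non-blocking connect with a timeout. connect() on a non-blocking socket
 * returns -1/EINPROGRESS; poll() for writability and then SO_ERROR report
 * the real outcome. Returns the connected fd, or -1 on refusal/timeout/error. */
int connect_nonblocking(const char *ip, uint16_t port, int timeout_ms) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0 || set_nonblocking(fd) != 0) {
        if (fd >= 0) close(fd);
        return -1;
    }
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1) { close(fd); return -1; }

    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) == 0)
        return fd;                                  /* completed at once (possible on loopback) */
    if (errno != EINPROGRESS) { close(fd); return -1; }

    struct pollfd pfd = { .fd = fd, .events = POLLOUT, .revents = 0 };
    if (poll(&pfd, 1, timeout_ms) <= 0) { close(fd); return -1; }   /* timeout or poll error */

    int err = 0;
    socklen_t len = sizeof err;
    if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &len) != 0 || err != 0) {
        close(fd);                                  /* e.g. ECONNREFUSED surfaces here, not in connect() */
        return -1;
    }
    return fd;
}

/* Test fixture: a listener on an ephemeral loopback port.
 * Returns the listening fd and writes the chosen port to *port_out. */
int open_loopback_listener(uint16_t *port_out) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = 0;                                /* kernel picks a free port */
    socklen_t len = sizeof sa;
    if (bind(fd, (struct sockaddr *)&sa, len) != 0 || listen(fd, 4) != 0 ||
        getsockname(fd, (struct sockaddr *)&sa, &len) != 0) {
        close(fd);
        return -1;
    }
    *port_out = ntohs(sa.sin_port);
    return fd;
}

/* Returns 1 if a non-blocking connect to a live loopback listener succeeds and
 * a connect to the same port after the listener is gone is refused; 0 otherwise. */
int demo(void) {
    uint16_t port;
    int lfd = open_loopback_listener(&port);
    if (lfd < 0) return 0;
    int cfd = connect_nonblocking("127.0.0.1", port, 1000);
    int accepted = cfd >= 0 ? accept(lfd, NULL, NULL) : -1;
    if (accepted >= 0) close(accepted);
    if (cfd >= 0) close(cfd);
    close(lfd);                                     /* nothing listens on port any more */
    int refused = connect_nonblocking("127.0.0.1", port, 1000);
    if (refused >= 0) close(refused);
    return cfd >= 0 && refused < 0;
}

int main(void) {
    printf("non-blocking connect demo: %s\n", demo() ? "ok" : "failed");
    return 0;
}
```

From a detection point of view, a process that opens many sockets in this mode produces bursts of SYNs with few completed handshakes; that pattern, rather than the socket calls themselves, is what stands out in flow logs.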
Unlike Mirai and Hailbot, which support DDoS in many different ways, this version of RapperBot has only a limited DoS capability, with TCP and UDP attacks.
Figure 11 - DoS attack snippet 1
Figure 12 - DoS attack snippet 2
Another DoS attack type is as follows.
Figure 13 - DoS attack snippet 3
This is funny, and a new idea: delivering ads inside a botnet. The embedded URL https[:]//www.youtube.com/watch?v=4fm_ZZn5qaw points to "@2tallforfood - I Am Da Bag (Official Video)", which seems to be quite popular, with 2.78M subscribers.
Figure 14 - Ads
Figure 14 - Subscribers
The binary contains the string "SSH-2.0-HELLOWORLD", but there is no SSH brute-forcing code.
Figure 15 - SSH strings
IOCs
MD5: EF9EBF4D5A1A44D0DB92DE06D3DCE7A1
Conclusion
From the above analysis, this variant of the botnet appears to be a version still under development: it has only a limited DoS capability, and its sensitive information is obfuscated with XOR inside the binary.
End.
Support My Work:
If you found this report helpful, consider supporting my work by buying me a coffee! Your contribution helps me dedicate more time to malware analysis and creating free resources for the cybersecurity community.
[Alipay QR code image]
I am deeply grateful from the bottom of my heart!