After FortiGuard Labs reported on RapperBot in our previous article titled So RapperBot, What Ya Bruting For? in August 2022, there was a significant drop in the number of samples collected in the wild. But in early October 2022, new samples with the same distinctive C2 protocol used by RapperBot were detected.
C2 protocol – RapperBot campaign
1st Attack phase – December 12th, 2022
The RapperBot attack was detected at 00:00 UTC and repeated on the same day at 01:00 UTC. The sample's source IP was located in Thailand, while both the C2 domain and the attacker's email address were located in Japan. The samples contained the following fake URLs: http://188.8.131.52/index_index, http://184.108.40.206/index_index, http://195-154-27-33/index_index and http://195-154-27-32/index_index (see Table 1).
Table 1: URLs associated with RapperBot

3rd Attack phase – December 17th, 2022
Two new RapperBot samples were observed in the wild, both from Japan. The C2 domain was again located in Japan, and the malicious URL was http://195-154-27-33/index_index/a4f3b7d4c1e. No new malware had been observed as of this date.
Source: New RapperBot Campaign – We Know What You Bruting for this Time - AlienVault - Open Threat Exchange