New RapperBot Campaign – We Know What You Bruting for this Time

After FortiGuard Labs reported on RapperBot in our previous article, titled "So RapperBot, What Ya Bruting For?", in August 2022, there was a significant drop in the number of samples collected in the wild. But in early October 2022, new samples with the same distinctive C2 protocol used by RapperBot were detected.

C2 protocol – RapperBot campaign

1st Attack phase – December 12th, 2022

A RapperBot attack was detected at 00:00 UTC and was repeated on the same day at 01:00 AM UTC. The sample source IP was from Thailand, the C2 domain was from Japan and the attacker’s email address was from Japan. The malicious URLs found in these samples are the following fake URLs: http://195.154.27.32/index_index, http://195.154.27.33/index_index, http://195-154-27-33/index_index and http://195-154-27-32/index_index (see Table 1).

URLs associated with RapperBot

3rd Attack phase – December 17th, 2022

There were two new samples of RapperBot in the wild, both from Japan. The C2 domain was again from Japan, and the malicious URL was http://195-154-27-33/index_index/a4f3b7d4c1e. No new malware was observed to this date.

Source: New RapperBot Campaign – We Know What You Bruting for this Time - AlienVault - Open Threat Exchange
