RapperBot Hijacks Devices for Instant DDoS Attacks

Cybersecurity researchers have detected a significant surge in UDP flood traffic from compromised network video recorders (NVRs) and other edge devices. Bitsight analysts have identified this as the work of a new botnet they call RapperBot.

RapperBot uses a rapid kill chain to infect devices and turn them into weapons for distributed denial-of-service (DDoS) attacks. The attackers scan for exposed devices, exploit default credentials, and then deliver a malicious payload disguised as a firmware update. Once a device is infected, it immediately begins sending overwhelming volumes of packets to targets, with individual devices reaching over 1 Gbps in throughput. 

The malware is designed to evade detection by running entirely in memory after mounting a remote network file share to fetch and execute its binary. This strategy exploits the minimal BusyBox environment on many IoT devices, which lacks standard download tools. RapperBot also uses encrypted DNS records to communicate with its command-and-control servers, making it harder to track. 

RapperBot's infection process targets the administrative port of vulnerable NVRs. Attackers exploit a path traversal flaw to steal credentials, then send a fake firmware update payload. This payload instructs the device to mount a remote share and execute the malicious script, which then self-deletes. This allows the botnet to quickly and stealthily turn a benign device into an active DDoS participant. 
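The mount-then-execute sequence described above leaves a short, distinctive trail in process-execution logs. The following detection sketch is an added example, not code from the article or from Bitsight. It assumes a hypothetical log format of `<epoch> <host> <command line>`, assumes the remote share appears as `host:/export` or `//host/share` (the article does not name the share protocol), and uses an arbitrary 60-second window; all log lines are constructed.

```python
import re
import shlex

# Constructed sample records: "<epoch> <host> <command line>" (hypothetical format).
SAMPLE_LOG = """\
1700000000 nvr-01 mount -o nolock 198.51.100.7:/export /mnt/upd
1700000002 nvr-01 /mnt/upd/run.sh
1700000003 nvr-01 umount /mnt/upd
1700000100 nvr-02 mount /dev/sda1 /mnt/disk
1700000105 nvr-02 /mnt/disk/backup.sh
1700000200 nvr-03 mount -t nfs 192.0.2.9:/share /tmp/s
1700009000 nvr-03 sh /tmp/s/job.sh
"""

REMOTE_SRC = re.compile(r"^(?:[^/\s]+:/|//[^/\s]+/)")  # host:/export or //host/share
FLAGS_WITH_VALUE = {"-o", "-t"}  # mount options that consume the next argument

def parse_mount(argv):
    """Return (source, mountpoint) for a mount command line, else None."""
    if not argv or argv[0].rsplit("/", 1)[-1] != "mount":
        return None
    pos, skip = [], False
    for arg in argv[1:]:
        if skip:
            skip = False
        elif arg in FLAGS_WITH_VALUE:
            skip = True
        elif not arg.startswith("-"):
            pos.append(arg)
    return (pos[0], pos[1].rstrip("/")) if len(pos) == 2 else None

def find_mount_then_exec(log_text, window=60):
    """Flag commands that run a file from a remote mount within `window` seconds."""
    remote = {}   # (host, mountpoint) -> (mount time, remote source)
    alerts = []
    for line in log_text.splitlines():
        ts, host, cmd = line.split(" ", 2)
        ts, argv = int(ts), shlex.split(cmd)
        m = parse_mount(argv)
        if m:
            if REMOTE_SRC.match(m[0]):   # local block devices are ignored
                remote[(host, m[1])] = (ts, m[0])
            continue
        for (h, mp), (t0, src) in remote.items():
            hit = [a for a in argv if a.startswith(mp + "/")]
            if h == host and hit and ts - t0 <= window:
                alerts.append((host, src, hit[0], ts - t0))
    return alerts
```

On the constructed sample, only `nvr-01` is flagged: `nvr-02` mounts a local disk, and `nvr-03` executes from its share long after the window has closed.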
