RapperBot DDoS malware adds cryptojacking as new revenue stream

New samples of the RapperBot botnet malware have added cryptojacking capabilities to mine for cryptocurrency on compromised Intel x64 machines.

The change occurred gradually, with the developers first including the cryptomining component separately from the botnet malware. Toward the end of January, the botnet and cryptomining functionalities were combined into a single unit.

New RapperBot mining campaign

Researchers at Fortinet's FortiGuard Labs have been tracking RapperBot activity since June 2022 and reported that the Mirai-based botnet focused on brute-forcing Linux SSH servers to recruit them for launching distributed denial-of-service (DDoS) attacks.

In November, the researchers discovered an updated version of RapperBot that used a Telnet self-propagation mechanism and included DoS commands that were better suited to attacks on gaming servers.

FortiGuard Labs this week reported on an updated variant of RapperBot that uses the XMRig Monero miner on Intel x64 architectures.

The cybersecurity firm says this campaign has been active since January and is primarily targeting IoT devices.

Bash script fetching the two payloads separately (Fortinet)

The miner's code is now integrated into RapperBot, obfuscated with double-layer XOR encoding, which effectively hides the mining pools and Monero mining addresses from analysts.
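The article does not publish the keys or layout of the encoding, so the following is an added analyst-side illustration, not Fortinet's or the malware's code: it assumes two fixed single-byte XOR layers over a constructed blob holding a made-up pool URL, and shows that stacked fixed XOR layers collapse into a single effective key that a 256-trial brute force recovers when the result is scanned for a pool URL pattern.

```python
import re
from typing import Dict, List

# Constructed sample data: a pool URL in the form an XMRig-style config
# carries it. Host, port and both keys are made up for this demonstration.
SAMPLE_POOL = b"stratum+tcp://pool.example.invalid:3333"
KEY1, KEY2 = 0x5A, 0xC3

# Pattern for a stratum pool URL (assumed, not taken from the article)
POOL_RE = re.compile(rb"stratum\+(?:tcp|ssl)://[A-Za-z0-9.\-]+:\d{2,5}")


def double_xor(data: bytes, k1: int, k2: int) -> bytes:
    """Two successive single-byte XOR layers (assumed scheme).
    (b ^ k1) ^ k2 == b ^ (k1 ^ k2), so the two layers act as one key."""
    return bytes(b ^ k1 ^ k2 for b in data)


def build_blob() -> bytes:
    """Constructed stand-in for an obfuscated config region of a binary."""
    filler = bytes(range(0x10, 0x20))
    return filler + double_xor(SAMPLE_POOL, KEY1, KEY2) + filler


def recover_pools(blob: bytes) -> Dict[int, List[bytes]]:
    """Brute-force the single effective key; map key -> pool URLs found.
    256 trials cover any number of stacked fixed single-byte XOR layers."""
    hits: Dict[int, List[bytes]] = {}
    for key in range(256):
        decoded = bytes(b ^ key for b in blob)
        found = POOL_RE.findall(decoded)
        if found:
            hits[key] = found
    return hits


if __name__ == "__main__":
    for key, urls in recover_pools(build_blob()).items():
        print(f"effective key 0x{key:02x}: {[u.decode() for u in urls]}")
```

Multi-byte or per-sample keys would defeat this particular shortcut, which is why analysts also check the configuration delivered at runtime from the C2 rather than relying on static strings alone.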

FortiGuard Labs found that the bot receives its mining configuration from the command and control (C2) server instead of having hardcoded static pool addresses, and that it uses multiple pools and wallets for redundancy.

The C2 IP address even hosts two mining proxies to further obscure the trail. If the C2 goes offline, RapperBot is configured to use a public mining pool.

To maximize mining efficiency, the malware enumerates running processes on the breached system and terminates those belonging to competing miners.

In the latest analyzed version of RapperBot, the binary network protocol for C2 communication has been revamped to use a two-layer encoding approach to evade detection by network traffic monitors.

Additionally, the size and timing of requests sent to the C2 server are randomized to make the exchange stealthier, so that it does not produce easily recognizable patterns.

Encoded victim registration request sent to the C2 (Fortinet)

While the researchers did not observe any DDoS commands sent from the C2 server to the analyzed samples, they found that the latest bot version supports the following commands:

  • Perform DDoS attacks (UDP, TCP, and HTTP GET)
  • Stop DDoS attacks
  • Terminate itself (and any child processes)

RapperBot appears to be evolving rapidly and expanding its list of features to maximize the operator's profits.

To protect devices from RapperBot and similar malware, users are advised to keep software updated, disable unnecessary services, change default passwords to something strong, and use firewalls to block unauthorized requests.
