RapperBot DDoS malware adds cryptojacking as new revenue stream

    alf9872000
    New samples of the RapperBot botnet malware have added cryptojacking capabilities to mine cryptocurrency on compromised Intel x64 machines.

     

    The change occurred gradually, with developers first adding the cryptomining component separately from the botnet malware. Towards the end of January, the botnet and cryptomining functionalities were combined into a single unit.

    New RapperBot mining campaign

    Researchers at Fortinet's FortiGuard Labs have been tracking RapperBot activity since June 2022 and reported that the Mirai-based botnet focused on brute-forcing Linux SSH servers to recruit them for launching distributed denial-of-service (DDoS) attacks.

     

    In November, the researchers found an updated version of RapperBot that used a Telnet self-propagation mechanism and included DoS commands that were better suited for attacks on gaming servers.

     

    FortiGuard Labs this week reported about an updated variant of RapperBot that uses the XMRig Monero miner on Intel x64 architectures.

     

    The cybersecurity firm says this campaign has been active since January and is primarily targeting IoT devices.

     

    [Image: Bash script fetching the two payloads separately (Fortinet)]

     

    The miner's code is now integrated into RapperBot, obfuscated with double-layer XOR encoding, which effectively hides the mining pools and Monero mining addresses from analysts.
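The article only says the pool and wallet strings are hidden behind "double-layer XOR encoding" and does not describe key lengths. The following added example (written for this post, not Fortinet's or RapperBot's code) shows why stacking two XOR layers with short repeating keys gives an analyst little extra work: two single-byte layers compose into one single-byte XOR with key k1 ^ k2, so a 256-candidate search scored on "does this look like host:port text" recovers the string. The sample configuration, both keys and the scoring heuristic are constructed assumptions.

```python
"""Analyst helper: recover a two-layer XOR-obfuscated configuration string.

Added example, not code from the article, Fortinet or the malware. Key
lengths, keys and the sample string below are constructed assumptions.
"""
import string


def xor_layer(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def double_xor(data: bytes, key1: bytes, key2: bytes) -> bytes:
    """Apply two XOR layers in sequence (the obfuscation the article names)."""
    return xor_layer(xor_layer(data, key1), key2)


# Printable ASCII minus vertical tab / form feed, which rarely appear in configs.
PRINTABLE = set(bytes(string.printable, "ascii")) - set(b"\x0b\x0c")


def plaintext_score(candidate: bytes) -> float:
    """Fraction of printable bytes, plus a bonus when the tail looks like host:port."""
    if not candidate:
        return 0.0
    score = sum(b in PRINTABLE for b in candidate) / len(candidate)
    text = candidate.decode("ascii", errors="replace")
    if ":" in text and text.rsplit(":", 1)[-1].isdigit():
        score += 0.5  # pool-address shape: something:port
    return score


def recover_single_byte_xor(blob: bytes) -> tuple:
    """Brute-force a single-byte key and return (key, best-scoring plaintext).

    Two single-byte XOR layers compose to one XOR with key k1 ^ k2, so this
    256-candidate search strips both layers at once.
    """
    best_key, best_text, best_score = 0, b"", -1.0
    for key in range(256):
        text = xor_layer(blob, bytes([key]))
        s = plaintext_score(text)
        if s > best_score:
            best_key, best_text, best_score = key, text, s
    return best_key, best_text


# Constructed sample: a placeholder pool address (reserved .invalid TLD), not an indicator.
SAMPLE_CONFIG = b"pool.example.invalid:3333"
KEY1, KEY2 = bytes([0x5A]), bytes([0xC3])  # assumed per-layer keys
ENCODED = double_xor(SAMPLE_CONFIG, KEY1, KEY2)

if __name__ == "__main__":
    key, text = recover_single_byte_xor(ENCODED)
    print(f"recovered key 0x{key:02x} (k1^k2 = 0x{KEY1[0] ^ KEY2[0]:02x}): {text!r}")
```

The scoring heuristic is deliberately simple; on real samples an analyst would add the wallet-address and pool-port patterns seen in the configuration format, and extend the search to multi-byte repeating keys, whose composition has period lcm(len(k1), len(k2)).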

     

    FortiGuard Labs found that the bot receives its mining configuration from the command and control (C2) server instead of having hardcoded static pool addresses and uses multiple pools and wallets for redundancy.

     

    The C2 IP address even hosts two mining proxies to further obfuscate the trace. If the C2 goes offline, RapperBot is configured to use a public mining pool.

     

    To maximize the mining performance, the malware enumerates running processes on the breached system and terminates those corresponding to competitor miners.

     

    In the latest analyzed version of RapperBot, the binary network protocol for C2 communication has been revamped to use a two-layer encoding approach to evade detection from network traffic monitors.

     

    Also, the size and intervals of requests sent to the C2 server are randomized to make the exchange stealthier, avoiding easily recognizable patterns.
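Randomized request sizes and intervals defeat detections keyed on a fixed beacon period or payload length, but a bot that must check in regularly still produces a long-lived source/destination pair whose inter-arrival times stay inside a bounded jitter window. The following added example (not from the article or Fortinet) runs that check over a constructed flow log: it flags pairs with many connections whose largest gap is at most twice the smallest, and ignores bursty, user-driven traffic. The log format, sample lines and thresholds are assumptions to tune per network.

```python
"""Defender-side check: flag jittered but persistent beacon-like connections.

Added example, not from the article or Fortinet. The flow-log format, the
sample lines and the thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed flow log: "<ISO timestamp> <src> <dst:port> <bytes>".
# 10.0.0.7 checks in every ~60 s with jitter and varying sizes;
# 10.0.0.8 shows bursty, browsing-style traffic to one host.
SAMPLE_LOG = """\
2023-02-01T10:00:00 10.0.0.7 198.51.100.9:4444 311
2023-02-01T10:00:58 10.0.0.7 198.51.100.9:4444 287
2023-02-01T10:02:05 10.0.0.7 198.51.100.9:4444 402
2023-02-01T10:03:01 10.0.0.7 198.51.100.9:4444 256
2023-02-01T10:04:10 10.0.0.7 198.51.100.9:4444 333
2023-02-01T10:05:03 10.0.0.7 198.51.100.9:4444 298
2023-02-01T10:06:12 10.0.0.7 198.51.100.9:4444 371
2023-02-01T10:00:03 10.0.0.8 203.0.113.5:443 1520
2023-02-01T10:00:04 10.0.0.8 203.0.113.5:443 980
2023-02-01T10:00:05 10.0.0.8 203.0.113.5:443 2210
2023-02-01T10:31:40 10.0.0.8 203.0.113.5:443 1400
2023-02-01T10:31:41 10.0.0.8 203.0.113.5:443 640
2023-02-01T11:45:09 10.0.0.8 203.0.113.5:443 1730
2023-02-01T11:45:10 10.0.0.8 203.0.113.5:443 870
"""


def parse_log(text: str) -> dict:
    """Group connection timestamps by (src, dst:port); sizes are ignored on purpose."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _size = line.split()
        conns[(src, dst)].append(datetime.fromisoformat(ts))
    return conns


def inter_arrival_gaps(times: list) -> list:
    """Seconds between consecutive connections, in time order."""
    times = sorted(times)
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def find_beacons(text: str, min_connections: int = 6, max_jitter_ratio: float = 2.0) -> list:
    """Return (src, dst, median_gap_seconds) for pairs whose gaps stay in a bounded window.

    A jittered beacon keeps max_gap / min_gap small even though no two gaps
    are equal; bursty human traffic produces gaps spanning orders of magnitude.
    """
    hits = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_connections:
            continue
        gaps = inter_arrival_gaps(times)
        if not gaps or min(gaps) <= 0:
            continue  # duplicate timestamps would make the ratio meaningless
        if max(gaps) / min(gaps) <= max_jitter_ratio:
            hits.append((src, dst, median(gaps)))
    return hits


if __name__ == "__main__":
    for src, dst, period in find_beacons(SAMPLE_LOG):
        print(f"beacon-like: {src} -> {dst}, median period {period:.1f}s")
```

The ratio bound is what makes this robust to the randomization the article describes: it asks only that the jitter be bounded, not that the period be fixed. Raise `max_jitter_ratio` for bots with wider sleep windows, and pair the check with destination reputation, since scheduled legitimate clients (time sync, update checks) will also show bounded gaps.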

     

    [Image: Encoded victim registration request (Fortinet)]

     

    While the researchers did not observe any DDoS commands sent from the C2 server to the analyzed samples, they discovered that the latest bot version supports the following commands:

     

    • Perform DDoS attacks (UDP, TCP, and HTTP GET)
    • Stop DDoS attacks
    • Terminate itself (and any child processes)

     

    RapperBot appears to be evolving quickly, expanding its list of features to maximize the operator's profits.

     

    To protect devices from RapperBot and similar malware, users are advised to keep software updated, disable unnecessary services, change default passwords to something strong, and to use firewalls to block unauthorized requests.

     
