RapperBot DDoS malware adds cryptojacking as new revenue stream

New samples of the RapperBot botnet malware have added cryptojacking capabilites to mine for cryptocurrency on compromised Intel x64 machines.

The change occurred gradually, with developers first adding the cryptomining component separately from the botnet malware. Towards the end of January, the botnet and cryptomining functionalities were combined into a single unit.

New RapperBot mining campaign

Researchers at Fortinet's FortiGuard Labs have been tracking RapperBot activity since June 2022 and reported that the Mirai-based botnet focused on brute-forcing Linux SSH servers to recruit them for launching distributed denial-of-service (DDoS) attacks.

In November, the researchers found an updated version of RapperBot that used a Telnet self-propagation mechanism and included DoS commands that were better suited for attacks on gaming servers.

FortiGuard Labs this week reported about an updated variant of RapperBot that uses the XMRig Monero miner on Intel x64 architectures.

The cybersecurity firm says this campaign has been active since January and is primarily targeting IoT devices.

The miner's code is now integrated into RapperBot, obfuscated with double-layer XOR encoding, which effectively hides the mining pools and Monero mining addresses from analysts.

FortiGuard Labs found that the bot receives its mining configuration from the command and control (C2) server instead of having hardcoded static pool addresses and uses multiple pools and wallets for redundancy.

The C2 IP address even hosts two mining proxies to further obfuscate the trace. If the C2 goes offline, RapperBot is configured to use a public mining pool.

To maximize the mining performance, the malware enumerates running processes on the breached system and terminates those corresponding to competitor miners.

In the latest analyzed version of RapperBot, the binary network protocol for C2 communication has been revamped to use a two-layer encoding approach to evade detection from network traffic monitors.

Also, the size and intervals of requests sent to the C2 server are randomized to make the exchange stealthier, thus making easily recognizable patterns.

While the researchers did not observe any DDoS commands sent from the C2 server to the analyzed samples, they discovered that the latest bot version supports the following commands:

• Perform DDoS attacks (UDP, TCP, and HTTP GET)
• Stop DDoS attacks
• Terminate itself (and any child processes)

RapperBot appears to be evolving quickly and expand the list of features to maximize the operator's profits.

To protect devices from RapperBot and similar malware, users are advised to keep software updated, disable unnecessary services, change default passwords to something strong, and to use firewalls to block unauthorized requests.