RapperBot DDoS Botnet Expands into Cryptojacking | FortiGuard Labs

FortiGuard Labs documents RapperBot expanding from a DDoS botnet into cryptojacking on Intel x64 machines by merging the bot with an XMRig miner. The campaign updates include a revamped C2 protocol, multi-layer encoding to evade detection, and SSH-key persistence, with ARM variants showing evolving capabilities. Hashtags: #RapperBot #XMRig

Key Points

  • RapperBot is expanding from its traditional IoT/DDoS role to cryptomining on Intel x64 devices by merging RapperBot with the XMRig Monero miner.
  • New campaigns use a revamped C2 communication protocol with randomized request sizes and a dual-layer XOR encoding to hinder detection.
  • An enduring indicator in samples is a YouTube URL, and SSH public keys are added to infected hosts to maintain backdoor access persistently.
  • ARM variants (Cluster A and Cluster B) show distinct capabilities, including minimal DoS functionality in some samples and SSH brute-forcing in others.
  • The mining functionality is designed for multiple pools and includes hardcoded and proxy-based mining configurations to hide wallet addresses.
  • FortiGuard Labs emphasizes mitigation through strong authentication (public-key) and ongoing monitoring, noting protection via Fortinet products.

MITRE Techniques

  • [T1110] Brute Force – Used to propagate by brute-forcing devices with weak or default SSH or Telnet credentials. Quote: ‘brute-forcing devices with weak or default SSH or Telnet credentials’
  • [T1556.003] Modify Authentication – SSH Authorized Keys – Persistence by adding an SSH public key to ~/.ssh/authorized_keys to maintain backdoor access. Quote: ‘adding an SSH public key to ~/.ssh/authorized_keys to maintain backdoor access to infected machines’
  • [T1059.004] Command and Scripting Interpreter: Bash – Cryptomining activity begins with Bash scripts downloading and executing miners. Quote: ‘Bash scripts … downloaded and executed separate XMRig crypto miners (example hash: …)’
  • [T1027] Obfuscated/Compressed Files and Information – Two-layer XOR encoding used to hide strings and evade detection. Quote: ‘two-layer approach to encode the information … first layer using multi-byte XOR keys … The second layer uses the same style of single-byte XOR encoding’
  • [T1071] Command and Control – Application Layer Protocol – C2 communication with a revamped protocol, including registration with a hardcoded C2 server. Quote: ‘connects to a hardcoded C2 server and sends a registration request (type 1) …’
  • [T1496] Resource Hijacking – Cryptojacking to mine cryptocurrency on infected machines. Quote: ‘abusing the resources of infected Intel x64 machines to mine for cryptocurrency’
  • [T1562.001] Impair Defenses – Termination or suppression of competing mining processes to maximize mining efficiency. Quote: ‘to maximize mining efficiency, it kills off other miners by enumerating other running processes and attempts to scan the associated binaries on disk for the following blacklisted keywords’

Indicators of Compromise

  • [File] RapperBot – 7c9e6d63bc1f26e9c8a8703439e12de12da9892f2d6cd9bda5f45ec00c98a29f, 912e151641f20f9d689c6ea26cf6f11d5ee0b6fdc4d4a1179fac413391748c65 and 4 more hashes
  • [File] RapperBot (x64) – f06d698967cee77e5a7bf9835b0a93394097e7590c156ed0d8c6304345701cfa
  • [File] XMRig miner – 0ad68d5804804c25a6f6f3d87cc3a3886583f69b7115ba01ab7c6dd96a186404
  • [URL] Downloads – hxxp://109[.]206[.]243[.]207/d, hxxp://109[.]206[.]243[.]207/ssh/arm4
  • [IP] C2 servers – 109[.]206[.]243[.]207, 171[.]22[.]136[.]15
  • [URL] Mining pools – pool.hashvault.pro:80, 109[.]206[.]243[.]207:31271
  • [Monero Wallet] Wallets – 43Zs6jyniktVUNfiN8NY16TrvFKWbx3qogoRvstuquZdVA8EXvhqhz1W4hUzpjQXHAf3pDQ8UXxegFh8G26uCycKPz41ceW, 47RupsxSjeHb4sHMwJ681vbjpFHAwXg6kMn1znbioqy96Qj9j2VuHrD2mXsEReELEdjRsDVKBK3Ru3diW3AgZ41Z7mzDwb4
  • [SSH Key] Authorized Key – (key material omitted) system key generated by server 20220709
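A defender-side check for the persistence technique listed above: the script below parses OpenSSH `authorized_keys` entries and flags any whose comment field matches the key comment from the IoC list, plus any key blob that is not on a local allowlist. This is an added example, not code from FortiGuard Labs or from the report; the key types, the allowlist mechanism and the sample file contents are assumptions constructed for illustration (the key blobs are dummies, not real RapperBot material).

```python
"""Audit OpenSSH authorized_keys entries for the RapperBot persistence indicator."""

# Key types recognised when locating the start of the key in a line (assumed set).
KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-dss"}

# Comment string reported alongside the attacker's authorized_keys entry (from the IoC list).
SUSPICIOUS_COMMENTS = {"system key generated by server 20220709"}

def parse_entry(line):
    """Return (options, key_type, key_blob, comment), or None for blank/comment/malformed lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    tokens = stripped.split()
    # Options (e.g. command="...",no-pty) may precede the key type; find the key type token.
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            options = " ".join(tokens[:i])
            comment = " ".join(tokens[i + 2:])
            return options, tok, tokens[i + 1], comment
    return None

def find_suspicious(content, allowlist=frozenset()):
    """Flag entries with the known RapperBot comment or a key blob missing from the allowlist."""
    findings = []
    for lineno, line in enumerate(content.splitlines(), 1):
        entry = parse_entry(line)
        if entry is None:
            continue
        _options, key_type, blob, comment = entry
        if comment in SUSPICIOUS_COMMENTS:
            findings.append((lineno, "known RapperBot key comment", comment))
        elif blob not in allowlist:
            findings.append((lineno, "key not in allowlist", comment or key_type))
    return findings

# Constructed sample authorized_keys content; the key blobs are dummy strings, not real keys.
SAMPLE = """\
# constructed sample, not a real capture
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYONEEXAMPLEKEYONE alice@laptop
command="/usr/bin/backup",no-pty ssh-rsa AAAAB3NzaC1yc2EEXAMPLEKEYTWO backup@host
ssh-rsa AAAAB3NzaC1yc2EEXAMPLEKEYTHREE system key generated by server 20220709
"""
ALLOWLIST = frozenset({"AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYONEEXAMPLEKEYONE"})

if __name__ == "__main__":
    for lineno, reason, detail in find_suspicious(SAMPLE, ALLOWLIST):
        print(f"line {lineno}: {reason} ({detail})")
```

In practice, run `find_suspicious` over every user's `~/.ssh/authorized_keys` (and `/root/.ssh/authorized_keys`) with an allowlist built from your known-good key inventory.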

Source: https://www.fortinet.com/blog/threat-research/rapperbot-ddos-botnet-expands-into-cryptojacking