Rapperbot

Malware Profile Updated 3 months ago
RapperBot is a Distributed Denial of Service (DDoS) botnet first encountered by Fortinet in mid-June 2022. The malware brute-forces its way into Internet of Things (IoT) devices and primarily targeted Linux SSH servers. While RapperBot reuses some elements of the Mirai code base, it mostly consists of original code. Notably, it was downloaded from an IP address (171[.]22[.]136[.]15) associated with RapperBot's DDoS activities. In a significant evolution, the threat actors behind RapperBot updated the malware to include the XMRig Monero miner, beginning a new campaign in January 2023. This update allowed the botnet to mine cryptocurrency on infected IoT devices running on Intel x64 architectures, a tactic known as cryptojacking. Interestingly, none of the new RapperBot samples with the integrated XMRig miner incorporated self-propagation capabilities, suggesting an alternate distribution mechanism might be in play. The operators initially deployed and executed a separate Monero cryptominer alongside the usual RapperBot binary; they then merged the RapperBot C source code with the C++ code of the XMRig Monero miner, creating a combined bot client with mining capabilities. Additional scripts associated with RapperBot were downloaded from a different server, which in turn downloads MIPS script files to ensure persistence. This multi-pronged approach showcases the increasing sophistication and adaptability of the RapperBot malware.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID / Votes / Profile Description
Xmrig Miner (1 vote): The XMRig miner is a malware that uses a complex process to infect systems and exploit them for mining operations. It begins with a dropper, which installs and executes the I2P tooling and the XMRig miner itself. The dropper then utilizes I2P to download a custom XMRig miner and manages the mining o
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ddos
Botnet
Bot
Fortiguard
Malware
SSH
denial-of-se...
Ddos Botnet
Denial of Se...
Cryptominer
Kaspersky
Backdoor
Youtube
Linux
dos
Loader
Cybercrime
Worm
Associated Malware
ID / Type / Votes / Profile Description
Mirai (type: Unspecified, 3 votes): Mirai is a type of malware that primarily targets Internet of Things (IoT) devices to form botnets, which are networks of private computers infected with malicious software and controlled as a group without the owners' knowledge. In early 2022, Mirai botnets accounted for over 7 million detections g
Xmrig (type: Unspecified, 2 votes): XMRig is a type of malware that is particularly harmful to computer systems and devices. It infiltrates the system through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold your data hostage for
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the RapperBot malware was read from the documents corpus below. This display is limited to 20 results.
Source / Created At / Title
CERT-EU, 10 months ago: IoT threats in 2023
CERT-EU, 10 months ago: Overview of IoT threats in 2023 – GIXtools
Fortinet, a year ago: DDoS Botnets Target Zyxel Vulnerability CVE-2023-28771 | FortiGuard Labs
CERT-EU, a year ago: Critical Zyxel Firewall Injection Flaw Exploited to Conduct DDoS Attacks
CERT-EU, a year ago: Ex-FBI employee jailed for mishandling classified material
Fortinet, a year ago: 2022 IoT Threat Review | FortiGuard Labs
CERT-EU, a year ago: Stories from the SOC – RapperBot, Mirai Botnet – C2, CDIR Drop over SSH | IT Security News
DARKReading, a year ago: New Mirai Variant Employs Uncommon Tactics to Distribute Malware
Securelist, a year ago: Kaspersky crimeware report: uncommon infection methods
CERT-EU, a year ago: RapperBot DDoS Botnet Expands into Cryptojacking | FortiGuard Labs
DARKReading, a year ago: RapperBot Crew Drops DDoS/CryptoJacking Botnet Collab
CERT-EU, a year ago: Andoryu Botnet Exploits Critical Ruckus Wireless Flaw for Widespread Attack
CERT-EU, a year ago: Cryptojacking added to updated RapperBot DDoS botnet
CERT-EU, a year ago: FBI-CISA warn critical PaperCut vulnerability being exploited against education sector
Securityaffairs, a year ago: Latest variant of RapperBot botnet adds cryptojacking capabilities
CERT-EU, a year ago: The latest variant of the RapperBot botnet adds cryptojacking capabilities | IT Security News