RapperBot is a Distributed Denial of Service (DDoS) botnet first observed by Fortinet in mid-June 2022. The malware brute-forces its way into Internet of Things (IoT) devices, primarily targeting Linux SSH servers. While RapperBot reuses some elements from the Mirai code base, it consists mostly of original code. Notably, the malware was downloaded from an IP address (171[.]22[.]136[.]15) associated with RapperBot's DDoS activity.
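Because RapperBot gains its initial foothold by brute-forcing SSH logins, the most direct host-side signal is a burst of failed password attempts from one source followed by a successful login. The following script is an added example written for this page, not code from the original description or from Fortinet; it parses OpenSSH "Failed password" / "Accepted ..." syslog lines, counts failures per source IP inside a sliding time window, and flags any IP that exceeds a threshold, noting whether a successful login from that IP followed. The log lines, hostnames, IPs (RFC 5737 documentation ranges) and the threshold and window values are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log (not taken from the page); the message formats
# follow OpenSSH's standard "Failed password" / "Accepted publickey" lines.
SAMPLE_AUTH_LOG = """\
Jun 14 03:12:01 iot-gw sshd[2301]: Failed password for root from 203.0.113.7 port 50211 ssh2
Jun 14 03:12:03 iot-gw sshd[2303]: Failed password for root from 203.0.113.7 port 50218 ssh2
Jun 14 03:12:04 iot-gw sshd[2305]: Failed password for invalid user admin from 203.0.113.7 port 50223 ssh2
Jun 14 03:12:06 iot-gw sshd[2307]: Failed password for root from 203.0.113.7 port 50230 ssh2
Jun 14 03:12:08 iot-gw sshd[2309]: Failed password for invalid user pi from 203.0.113.7 port 50237 ssh2
Jun 14 03:12:10 iot-gw sshd[2311]: Accepted password for root from 203.0.113.7 port 50241 ssh2
Jun 14 03:40:55 iot-gw sshd[2400]: Failed password for alice from 198.51.100.20 port 40001 ssh2
Jun 14 03:41:10 iot-gw sshd[2402]: Accepted publickey for alice from 198.51.100.20 port 40002 ssh2
"""

# Syslog-style sshd authentication line: timestamp, host, pid, result, method, user, source IP.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_line(line, year=2022):
    """Parse one sshd auth line into a dict, or return None for unrelated lines.
    Syslog timestamps carry no year, so the caller supplies it (assumed 2022 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed logins inside a sliding window.

    Returns one alert per offending IP with the failure count, the window
    bounds and whether an 'Accepted' login from that IP came at or after the
    last failure (the pattern of a brute force that eventually succeeded)."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "Failed"]
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until all failures fit inside it.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                later_success = any(e["result"] == "Accepted" and e["ts"] >= fails[end]["ts"]
                                    for e in evs)
                alerts.append({"ip": ip, "failures": count,
                               "first": fails[start]["ts"], "last": fails[end]["ts"],
                               "later_success": later_success})
                break  # one alert per IP is enough for triage
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(f"{a['ip']}: {a['failures']} failures {a['first']:%H:%M:%S}-{a['last']:%H:%M:%S}, "
              f"later success={a['later_success']}")
```

On the constructed log this yields a single alert for 203.0.113.7 (five failures in seven seconds, followed by an accepted password login); the lone failure from 198.51.100.20 stays below the threshold. The same logic applies unchanged to a live `/var/log/auth.log` or `journalctl -u ssh` export, and the `later_success` flag is what separates noisy scanning from an actual compromise worth an incident ticket.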
In a significant evolution, the threat actors behind RapperBot updated the malware to include the XMRig Monero miner, launching a new campaign in January 2023. The update lets the botnet mine Monero on compromised IoT devices with Intel x64 processors, a tactic known as cryptojacking. Notably, none of the new RapperBot samples with the integrated XMRig miner include self-propagation capabilities, suggesting that an alternate distribution mechanism is in use.
The bot developers merged RapperBot's C source code with the C++ code of the XMRig Monero miner, producing a single bot client with mining capability. Before this merge, they deployed and executed a separate Monero cryptominer alongside the usual RapperBot binary. Additional scripts associated with RapperBot were downloaded from a different server, which in turn downloads MIPS script files to establish persistence. This multi-stage approach illustrates the increasing sophistication and adaptability of the RapperBot malware.
Description last updated: 2024-05-04T21:23:07.215Z