Rapperbot

Malware updated 4 months ago (2024-05-04T22:18:35.033Z)
RapperBot is a Distributed Denial of Service (DDoS) botnet first reported by Fortinet in mid-June 2022. It gains access to Internet of Things (IoT) devices by brute-forcing credentials, and its initial targets were Linux hosts exposing SSH. Although it reuses some elements of the Mirai code base, most of its code is original. Samples were downloaded from 171[.]22[.]136[.]15, an IP address associated with RapperBot's DDoS activity.

In a significant evolution, the operators added the XMRig Monero miner and began a new campaign in January 2023. This turned the botnet to cryptojacking: rather than only launching DDoS attacks, infected Intel x64 hosts spend their CPU time mining Monero for the operators (nothing is taken from the victim; the stolen resource is compute and power). At first a separate Monero miner was dropped and run alongside the usual RapperBot binary; the developers then merged the RapperBot C source code with the C++ XMRig code into a single bot client with built-in mining. None of the new samples carrying the integrated miner had self-propagation capabilities, which suggests they were distributed by a different mechanism.

Additional scripts associated with RapperBot were downloaded from a separate server, and those scripts in turn fetched MIPS files used to maintain persistence. This multi-pronged approach reflects the growing sophistication and adaptability of the RapperBot malware.
Description last updated: 2024-05-04T21:23:07.215Z
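The SSH credential brute-forcing described above is usually the first trace of RapperBot a defender sees. As an added example, not code from this page or from FortiGuard, the Python script below parses OpenSSH auth-log lines and flags a source that produces a burst of failed password logins across several usernames inside a short window, then records whether a login from that same source later succeeded (the "brute-force, then foothold" sequence). The host name, addresses, timestamps, thresholds and the year assumed for the year-less syslog timestamps are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth-log lines (syslog format sshd uses on many Linux hosts).
# Host name, addresses and times are made up for this example.
SAMPLE_LOG = """\
Jun 14 03:12:01 iot-gw sshd[1201]: Failed password for root from 198.51.100.23 port 41022 ssh2
Jun 14 03:12:03 iot-gw sshd[1203]: Failed password for invalid user admin from 198.51.100.23 port 41030 ssh2
Jun 14 03:12:04 iot-gw sshd[1205]: Failed password for invalid user pi from 198.51.100.23 port 41041 ssh2
Jun 14 03:12:06 iot-gw sshd[1207]: Failed password for invalid user support from 198.51.100.23 port 41052 ssh2
Jun 14 03:12:08 iot-gw sshd[1209]: Failed password for root from 198.51.100.23 port 41060 ssh2
Jun 14 03:12:11 iot-gw sshd[1211]: Accepted password for root from 198.51.100.23 port 41077 ssh2
Jun 14 03:40:00 iot-gw sshd[1300]: Failed password for alice from 192.0.2.10 port 50011 ssh2
Jun 14 03:40:30 iot-gw sshd[1302]: Accepted publickey for alice from 192.0.2.10 port 50012 ssh2
"""

# syslog timestamps carry no year; this value is assumed for the example.
ASSUMED_YEAR = "2022"

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)


def parse_auth_log(text):
    """Return a list of (timestamp, ip, user, accepted, method) login events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other sshd chatter (disconnects, kex errors, ...) is ignored
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["outcome"] == "Accepted", m["method"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5), min_users=2):
    """Flag sources with >= threshold failed logins inside `window` that also
    tried at least `min_users` distinct usernames (a credential-guessing bot,
    not one user mistyping a password). A later successful login from a
    flagged source, by any method, is recorded as a possible foothold.
    Returns {ip: {"first_failure": datetime, "users": set, "foothold": (ts, user) or None}}.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        recent = []  # sliding window of (timestamp, user) failures for this source
        for ts, _, user, accepted, _method in evs:
            if accepted:
                if ip in findings and findings[ip]["foothold"] is None:
                    findings[ip]["foothold"] = (ts, user)
                continue
            recent.append((ts, user))
            recent = [r for r in recent if ts - r[0] <= window]
            users = {u for _, u in recent}
            if len(recent) >= threshold and len(users) >= min_users:
                f = findings.setdefault(
                    ip, {"first_failure": recent[0][0], "users": set(), "foothold": None}
                )
                f["users"].update(users)
    return findings


def report(findings):
    """Render findings as one line per flagged source."""
    lines = []
    for ip, f in sorted(findings.items()):
        line = f"{ip}: burst from {f['first_failure']:%H:%M:%S}, users tried {sorted(f['users'])}"
        if f["foothold"]:
            ts, user = f["foothold"]
            line += f"; SUCCESSFUL LOGIN as {user} at {ts:%H:%M:%S}, treat host as compromised"
        lines.append(line)
    return lines


if __name__ == "__main__":
    for line in report(detect_bruteforce(parse_auth_log(SAMPLE_LOG))):
        print(line)
```

On a real host, feed it `/var/log/auth.log` or the output of `journalctl -u ssh -o short`. The thresholds are deliberately low: an IoT gateway or embedded Linux box should see almost no failed password logins at all, so even a small burst is worth a look. A successful login is reported regardless of method because an attacker who has already planted a key would show up as a `publickey` success. Disabling password authentication in sshd removes the attack surface this bot relies on.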
Aliases We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ddos
Malware
Fortiguard
Botnet
Bot
Credentials
Ddos Botnet
Denial of Se...
denial-of-se...
Cryptominer
SSH
Associated Malware
ID, Type, Votes, Profile Description
Mirai (type: Unspecified, votes: 3): Mirai is a type of malware that has been notably used to create botnets, networks of infected devices controlled by an attacker. In early 2022, Mirai botnets accounted for over 7 million detections, although there was a subsequent 9% quarter-on-quarter drop in detections in Hong Kong. The malware is
Xmrig (type: Unspecified, votes: 2): XMRig is a type of malware that infiltrates systems to exploit them for malicious activities, such as cryptocurrency mining, DDOS attacks, spam distribution, and data theft. The dropper, which orchestrates the installation and execution of this malware, uses legitimate applications like the I2P tool
Source Document References
Information about the Rapperbot malware was read from the documents listed below (this display is limited to 20 results).
Source, Created, Title
CERT-EU, a year ago: IoT threats in 2023
CERT-EU, a year ago: Overview of IoT threats in 2023 – GIXtools
Fortinet, a year ago: DDoS Botnets Target Zyxel Vulnerability CVE-2023-28771 | FortiGuard Labs
CERT-EU, a year ago: Critical Zyxel Firewall Injection Flaw Exploited to Conduct DDoS Attacks
CERT-EU, a year ago: Ex-FBI employee jailed for mishandling classified material
Fortinet, 2 years ago: 2022 IoT Threat Review | FortiGuard Labs
CERT-EU, 2 years ago: Stories from the SOC – RapperBot, Mirai Botnet – C2, CDIR Drop over SSH | IT Security News
DARKReading, a year ago: New Mirai Variant Employs Uncommon Tactics to Distribute Malware
Securelist, a year ago: Kaspersky crimeware report: uncommon infection methods
CERT-EU, a year ago: RapperBot DDoS Botnet Expands into Cryptojacking | FortiGuard Labs
DARKReading, a year ago: RapperBot Crew Drops DDoS/CryptoJacking Botnet Collab
CERT-EU, a year ago: Andoryu Botnet Exploits Critical Ruckus Wireless Flaw for Widespread Attack
CERT-EU, a year ago: Cryptojacking added to updated RapperBot DDoS botnet
CERT-EU, a year ago: FBI-CISA warn critical PaperCut vulnerability being exploited against education sector
Securityaffairs, a year ago: Latest variant of RapperBot botnet adds cryptojacking capabilities
CERT-EU, a year ago: The latest variant of the RapperBot botnet adds cryptojacking capabilities | IT Security News