Rapperbot

Malware updated a month ago (2024-11-29T13:44:02.219Z)
Download STIX
Preview STIX
RapperBot is a malicious software (malware) identified as a Distributed Denial of Service (DDoS) botnet first encountered by Fortinet in mid-June 2022. This malware, which brute-forces its way into Internet of Things (IoT) devices, primarily targeted Linux SSH servers. RapperBot is unique in that while it utilizes some elements from the Mirai code base, it mostly consists of original code. Notably, it was downloaded from an IP address (171[.]22[.]136[.]15) associated with RapperBot's DDoS activities. In a significant evolution, the threat actors behind RapperBot updated the malware to include the XMRig Monero miner, beginning a new campaign in January 2023. This update allowed the botnet to exfiltrate cryptocurrency from IoT devices running on Intel x64 architectures, a tactic known as cryptojacking. Interestingly, none of the new RapperBot samples with the integrated XMRig miner incorporated self-propagation capabilities, suggesting an alternate distribution mechanism might be in play. The bot developers merged the RapperBot C source code with the C++ code of the XMRig Monero miner, creating a combined bot client with mining capabilities. They initially deployed and executed a separate Monero cryptominer alongside the usual RapperBot binary. Additional scripts associated with RapperBot malware were downloaded from a different server, which further downloads MIPS script files to ensure persistence. This multi-pronged approach showcases the increasing sophistication and adaptability of the RapperBot malware.
Description last updated: 2024-05-04T21:23:07.215Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Aliases We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ddos
Malware
Fortiguard
Botnet
Bot
Credentials
Ddos Botnet
Xmrig
Denial of Se...
denial-of-se...
Cryptominer
SSH
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Mirai Malware is associated with Rapperbot. Mirai is a type of malware that primarily targets Internet of Things (IoT) devices, converting them into a botnet, which is then used to launch Distributed Denial of Service (DDoS) attacks. In early 2022, Mirai botnets accounted for over seven million detections worldwide, though there was a 9% quarUnspecified
3
Source Document References
Information about the Rapperbot Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more