Pierluigi Paganini May 14, 2023

FortiGuard Labs Researchers spotted new samples of the RapperBot botnet that support cryptojacking capabilities.

FortiGuard Labs researchers have discovered new samples of the RapperBot bot that added cryptojacking capabilities.

Researchers from FortiGuard Labs first discovered the previously undetected RapperBot IoT botnet in August, and reported that it is active since mid-June 2022. The bot borrows a large portion of its code from the original Mirai botnet, but unlike other IoT malware families, it implements a built-in capability to brute force credentials and gain access to SSH servers instead of Telnet as implemented in Mirai.

In November, Fortinet researchers discovered new samples of RapperBot used to build a botnet to launch Distributed DDoS attacks against game servers.

Experts also noticed that the most recent samples include the code to maintain persistence, which is rarely implemented in other Mirai variants.

Earlier samples of the malware had the brute-forcing credential list hardcoded into the binary, but from July the samples started retrieving the list from the C2 server.

Since mid-July, RapperBot started using self-propagation to maintaining remote access into the brute-forced SSH servers. The bot runs a shell command to replace remote victims’ ~/.ssh/authorized_keys with one containing the threat actors’ SSH public key with the comment “helloworld,”

Once stored public keys stored in ~/.ssh/authorized_keys, anyone with the corresponding private key can authenticate the SSH server without supplying a password.

The most significant difference between July and November campaisnswas the complete replacement of the code to carry out SSH brute force attacks with the more usual Telnet equivalent.

In the latest campaign, the authors of the the bot added support for cryptojacking, specifically for Intel x64 machines. Initially, they deployed and executed a separate Monero miner alongside the usual RapperBot binary, but starting from January 2023, they included the mining capabilities in the bot.

The latest campaign uses the same SSH public key observed during the first campaign observed in June 2022.

The researchers pointed out that there are some key differences between the bot versions employed in the campaign, including several significant updates to the malware functionality, such as the C2 communication protocol.

One cluster of ARM samples, tracked as Cluster A, supported a minimal set of functionalities. They only included three DoS attack types and no SSH brute forcing or self-propagation abilities. These samples included new code for information gathering and data exfiltration.

Another cluster of ARM samples (Cluster B), includes Cluster A’s features, and includes the SSH brute-forcer employed in the June 2022 campaign.

Once executed, RapperBot connects to a hardcoded C2 server and sends a registration request the contains system information.

Then it sends a keep-alive request to the C2 awaiting commands. The bot sends a request at random intervals of 60 to 600 seconds.

“To evade detection, the binary network protocol used to send these requests has been completely revised. Like its string encoding, it uses a two-layer approach to encode the information sent to the C2 server.” reads the report published by Fortinet. “The header data must first be decoded to reveal the location of the encoded information and the key needed to decode it.”

The miner code uses a hardcoded configuration built into the binary itself. The malware decodes the mining pools and Monero wallet addresses and updates the configuration before starting the embedded miner.

The miner uses multiple mining pools for both redundancy and additional privacy. Two mining pools are mining proxies hosted on the RapperBot C2 IP itself.

“This allows the threat actor to omit both the wallet addresses and actual mining pools from the miner configuration. Additionally, they can change this information on the proxy server without rebuilding and deploying new bots.” continues the report.

The bot kills off other miners by enumerating other running processes and attempts to check the presence of the associated binaries on disk searching for a set of keywords (i.e. xmrig, .rsync, miner, dota., moner). Then the malware terminates these processe and deletes the corresponding files.

“RapperBot continues to be a dangerous threat due to its continual updates to evade detection, as highlighted above.” concludes the report that includes indicators of compromise (IoCs). “As its primary infection vector of compromising SSH services using weak or default passwords remains the same, mitigating it by enabling public key authentication or setting strong passwords for all devices connected to the internet is still effective in mitigating this threat.”

We are in the final!

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections where is reported Securityaffairs or my name Pierluigi Paganini

Please nominate Security Affairs as your favorite blog.

Nominate Pierluigi Paganini and Security Affairs here here: https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, botnet)