The botnet turns your Linux machine into a Monero mine.
New samples of the RapperBot botnet add cryptojacking capabilities, mining cryptocurrency on compromised Intel x64 machines.
The change happened gradually: the developers first added the cryptomining component separately from the malware, and by the end of January the botnet and cryptomining functions were combined into a single whole.
Researchers at Fortinet's FortiGuard Labs have been monitoring RapperBot activity since June 2022 and report that the updated RapperBot uses the XMRig Monero miner on the Intel x64 architecture. The information security company says that this campaign has been active since January and is primarily aimed at IoT devices.
The miner code is now integrated into RapperBot and obfuscated with two-layer XOR encoding that effectively hides mining pools and Monero wallet addresses from analysts.
FortiGuard Labs discovered that the bot gets its mining configuration from a command and control (C2) server instead of hardcoded pool addresses, and that it uses multiple pools and wallets as fallbacks.
To maximize mining performance, the malware enumerates the running processes on the compromised system and kills processes associated with competing miners.
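The following is an added example, written from the analyst's side; it is not RapperBot's code or Fortinet's tooling. It illustrates two of the points above: how a two-layer XOR scheme keeps pool URLs and wallet addresses out of a plain string scan (and how the layers fold into a single keystream once both keys are recovered from a sample), and how a host-side check can enumerate Linux processes through /proc and flag the miner indicators a defender would look for. The keys, the configuration text, the wallet placeholder and the process table are all constructed for this example; nothing here is taken from a real sample.

```python
"""
Added analyst-side illustration (not RapperBot's or Fortinet's code).
Part 1: two-layer XOR string obfuscation of a miner config and its recovery.
Part 2: enumerating processes via /proc and flagging miner indicators.
All keys, config text and process entries below are constructed.
"""
import math
import os
import re
from typing import Iterable, List, Tuple

# --- Part 1: two-layer XOR ---------------------------------------------------

# Hypothetical keys standing in for values an analyst would pull from a sample.
OUTER_KEY = b"\x5a\xa7\x13\xee"
INNER_KEY = b"\x37"

# Constructed plaintext config: one pool URL and one placeholder wallet line.
# (Real Monero addresses are 95-character base58 strings; this is not one.)
SAMPLE_CONFIG = (
    b"stratum+tcp://pool.example.invalid:3333\n"
    b"4PLACEHOLDERWALLETADDRESSNOTREAL\n"
)


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_two_layer(plain: bytes) -> bytes:
    """Apply the inner layer, then the outer layer."""
    return xor_with_key(xor_with_key(plain, INNER_KEY), OUTER_KEY)


def decode_two_layer(blob: bytes) -> bytes:
    """Strip both layers (order does not matter: XOR layers commute)."""
    return xor_with_key(xor_with_key(blob, OUTER_KEY), INNER_KEY)


def effective_keystream(key_a: bytes, key_b: bytes) -> bytes:
    """Two repeating-key XOR layers collapse into one key of length lcm(len a, len b).
    This is why stacked XOR is obfuscation against `strings`, not encryption."""
    length = len(key_a) * len(key_b) // math.gcd(len(key_a), len(key_b))
    return bytes(key_a[i % len(key_a)] ^ key_b[i % len(key_b)] for i in range(length))


def printable_strings(data: bytes, min_len: int = 6) -> List[bytes]:
    """Rough equivalent of the `strings` tool: runs of printable ASCII."""
    return [m.group(0) for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def recover_indicators(blob: bytes) -> dict:
    """Decode the blob and pull out pool URLs and wallet-like lines for blocking/alerting."""
    plain = decode_two_layer(blob)
    pools = re.findall(rb"stratum\+(?:tcp|ssl)://\S+", plain)
    wallets = [ln for ln in plain.split(b"\n") if re.match(rb"^[48][A-Za-z0-9]{25,}$", ln)]
    return {"pools": pools, "wallets": wallets}


# --- Part 2: process enumeration on the defender's side ----------------------

Process = Tuple[int, str, str]  # (pid, cmdline, resolved exe path)

# Command-line indicators associated with XMRig-style Monero miners.
MINER_MARKERS = {
    "xmrig_binary": re.compile(r"(^|/)xmrig(\s|$)"),
    "stratum_pool": re.compile(r"stratum\+(tcp|ssl)://"),
    "donate_flag": re.compile(r"--donate-level(=|\s)"),
    "randomx_algo": re.compile(r"(--algo[= ]|-a )rx/"),
}


def read_proc_table() -> List[Process]:
    """Walk /proc and collect (pid, cmdline, exe) for every process we may read."""
    table: List[Process] = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                cmdline = fh.read().replace(b"\x00", b" ").decode(errors="replace").strip()
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue  # process exited, or not ours to inspect
        table.append((pid, cmdline, exe))
    return table


def classify(proc: Process) -> List[str]:
    """Return the names of the indicators that fire for one process."""
    _pid, cmdline, exe = proc
    hits = [name for name, pat in MINER_MARKERS.items() if pat.search(cmdline)]
    if exe.endswith(" (deleted)"):      # payload unlinked after launch
        hits.append("exe_deleted")
    if exe.startswith(("/tmp/", "/dev/shm/", "/var/tmp/")):
        hits.append("exe_in_tmp")       # running from a scratch directory
    return hits


def find_suspicious(table: Iterable[Process]) -> List[dict]:
    """Filter a process table down to entries with at least one indicator."""
    findings = []
    for proc in table:
        hits = classify(proc)
        if hits:
            findings.append({"pid": proc[0], "cmdline": proc[1], "indicators": hits})
    return findings


# Constructed process table: one benign daemon, one benign process that merely
# mentions xmrig in a filename, and one miner-like entry.
SAMPLE_TABLE: List[Process] = [
    (1, "/sbin/init", "/sbin/init"),
    (2411, "less /usr/share/doc/xmrig-notes.txt", "/usr/bin/less"),
    (3090, "/tmp/.x/xmrig -o stratum+tcp://pool.example.invalid:3333 "
           "-u 4PLACEHOLDERWALLETADDRESSNOTREAL --donate-level=0 -a rx/0",
     "/tmp/.x/xmrig (deleted)"),
]

if __name__ == "__main__":
    blob = encode_two_layer(SAMPLE_CONFIG)
    print("strings on blob:", printable_strings(blob))
    print("recovered:", recover_indicators(blob))
    print("suspicious:", find_suspicious(SAMPLE_TABLE))
```

With these keys every other byte of the encoded blob has its high bit set, so a `strings`-style scan finds nothing, yet the whole scheme reduces to one four-byte keystream. On the process side, note that because the bot kills competing miners, a host with exactly one CPU-pegging process is the expected picture; the indicators above are what to look for on that single process, not the presence of several miners.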
Although the researchers did not find any DDoS commands sent from the C2 server to the analyzed samples, they found that the latest version of the bot supports the following commands:
Perform DDoS attacks (UDP, TCP and HTTP GET);
Stop DDoS attacks;
Terminate itself (and any child processes).
RapperBot seems to be evolving rapidly and expanding its list of features to maximize operator profits.
To protect devices from RapperBot and similar malware, users are advised to update software, disable unnecessary services, change default passwords to stronger ones, and use firewalls to block unauthorized requests.
Earlier in 2022, information security specialists from Fortinet FortiGuard Labs discovered new RapperBot samples that were used to build a botnet capable of launching DDoS attacks on game servers. It is worth noting that Fortinet experts were the first to spot the malware in 2022. Back then, it was designed only to brute-force Linux SSH servers.