The RapperBot campaign is bringing in some fresh talent to its arsenal of malware beats, adding cryptomining capability to its existing distributed denial-of-service (DDoS) botnet malware in order to expand its financial horizons.
According to a RapperBot analysis released this week by Fortinet's FortiGuard Labs, the cryptojacking element of the malware is a customized variant of the well-known XMRig Monero miner, tailored specifically for Intel x64 machines.
"Initially, they deployed and executed a separate Monero cryptominer alongside the usual RapperBot binary," researchers explained in the posting. "But in late January 2023, they combined both functionalities into a single bot."
RapperBot's operators generally in the past have focused on compromising Internet of Things (IoT) devices by brute-forcing weak or default SSH or Telnet credentials, with the aim of enslaving them to a botnet. The Mirai-based botnet, active since last June, has been used in several DDoS campaigns, but clearly the gang saw an opportunity to get more bang for their buck by expanding what the botnet can accomplish.
"Financially motivated botnet operators are always on the lookout to extract the maximum value from machines infected by their botnets," explained FortiGuard researchers. "The threat actors behind the RapperBot botnet are no exception, as evident in their addition of cryptojacking capabilities to target x64 machines."
RapperBot feat. Cryptojacking: A Logical Team-Up
XMRig is an open-source Monero miner, and its incorporation by a DDoS botnet that specializes in infesting consumer IoT gear makes sense, according to FortiGuard researchers.
"Monero (XMR) is a popular cryptocurrency for illicit mining by threat actors because of its privacy-enhancing features," they noted in the post. "It is also designed to be more resistant to application-specific integrated circuit (ASIC) miners, which makes it possible to mine profitably with just consumer-grade hardware."
FortiGuard analysts first noticed that something was new with RapperBot in late January, when they collected a significantly larger x64 sample than is common for the malware.
"On further analysis, we verified that the bot developers had merged the RapperBot C source code with the C++ code of XMRig Monero miner to create a combined bot client with mining capabilities," they explained.
Merging the two together instead of deploying them separately offers a few advantages, according to the analysis. For one, it allows the operators to piggyback the mining capability onto the botnet's existing SSH brute-forcing or self-propagation capabilities — useful given that XMRig natively has neither. In this way, they don't have to follow behind the botnet infections to install the miner on each individual machine manually.
Also, "merging the bot and miner code might be an attempt to hide the mining pools and Monero wallet addresses using the same double-layer XOR encoding so they are not exposed in the clear," they added.
Custom Mods to Create a DDoS-Cryptojacking Hybrid
To create the hybrid binary, RapperBot's authors needed to make a few significant code changes, according to FortiGuard. For one, XMRig's ability to read external configuration files had to be removed, so that it would default to always using the configuration built into the botnet binary itself.
"The bot decodes the mining pools and Monero wallet addresses and updates the hardcoded configuration before starting the embedded miner," the researchers explained. "The miner is also configured to use multiple mining pools for both redundancy and additional privacy. Two of them are mining proxies hosted on the RapperBot C2 IP itself. This allows the threat actor to omit both the wallet addresses and actual mining pools from the miner configuration."
Other changes include the removal of XMRig's well-known default signal handlers, to avoid tipping off savvy victims to the activity; replaced "XMRig" with "asbuasdbu" in the version information to prevent easy identification; and, certain usage information has been removed, likely to evade detection by security products and competing miners from other cryptojacking groups.
The custom version of the miner also has a murderous streak, killing off any competing miners (and some other blacklisted processes) it finds on the machine in order to maximize mining efficiency.
"Based on the keywords used, the bot developers are more interested in terminating other miners than other IoT bots," according to FortiGuard. "This reaffirms their focus on cryptojacking vs DDoS attacks, at least on x64 machines."
How to Prevent RapperBot Infections
The RapperBot authors regularly evolve their malware, with previous analyses from FortiGuard researchers finding that they have added capabilities like the ability to maintain persistence on infected machines even after a reboot, and then enabling self-propagation via a remote binary downloader. Later, the malware authors removed the self-propagation feature and added one that allowed them persistent remote access to brute-forced SSH servers, the researchers noted.
However, the brute-forcing aspect of its initial access strategy makes it possible for RapperBot to block despite the changes, they explained. It's simple: good password hygiene.
"RapperBot continues to be a dangerous threat due to its continual updates," they noted in the latest posting. "As its primary infection vector of compromising SSH services using weak or default passwords remains the same, mitigating it by enabling public key authentication or setting strong passwords for all devices connected to the Internet is still effective in mitigating this threat."