1. Overview
In early January 2023, the threat monitoring system of QiAnXin's Threat Intelligence Center detected a botnet incident. Analysis attributed the botnet to the previously disclosed Rapper family, but the structure of the new sample found in this incident differs significantly from the samples disclosed earlier, and the attackers behind the incident have started to use xmrig for cryptocurrency mining.
Data from our threat monitoring system shows that this botnet sample has recently begun to spread widely; the overall trend of the spread is as follows:
2. Sample Analysis
Here we compare this sample with the previously disclosed Rapper samples. Last year's sample showed that the Rapper family reused a large amount of Mirai source code, whereas the sample found in this incident has a completely different basic structure: the old Mirai-derived layout has been discarded in favour of newly written code.
Old version of Rapper with Mirai-like structure:
New version of Rapper sample structure:
The new version of the Rapper sample includes: self-deletion, disabling the hardware watchdog so it cannot reboot the device, encryption of some malicious strings, and propagation via SSH weak-password brute forcing. Unlike Mirai, which stores its credential list obfuscated, the built-in weak passwords are held in plaintext in this sample. After a successful brute-force login to an SSH server, the valid credentials are uploaded to the C2 server over a separate port. The sample also attempts to self-propagate via a remote binary downloader:
In addition, the sample carries out DDoS attacks according to the attackers' commands, supporting two attack types: udpflood and tcpflood.
From the above analysis, the recently found Rapper sample is likely still under development: it supports only a few operations, and no commands from the attackers were observed during analysis.
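The SSH weak-password brute forcing described above leaves a recognisable trace on the victim: a burst of failed password logins from one source followed by a password-based success from the same source. The following detector is an added example written for this page, not code from the report or from the malware; the auth.log lines it parses are constructed for illustration, and the threshold and window values are assumptions to be tuned per environment.

```python
"""Added example: detect an SSH password brute-force burst in OpenSSH auth.log
lines and flag a source that succeeds after the burst (the cracked-credential
case the report describes). Log lines below are constructed, not real telemetry."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log excerpt (hostnames and IPs are documentation values).
SAMPLE_AUTH_LOG = """\
Jan  5 10:00:01 cam01 sshd[1201]: Failed password for root from 198.51.100.7 port 40122 ssh2
Jan  5 10:00:02 cam01 sshd[1203]: Failed password for root from 198.51.100.7 port 40124 ssh2
Jan  5 10:00:03 cam01 sshd[1205]: Failed password for invalid user admin from 198.51.100.7 port 40126 ssh2
Jan  5 10:00:04 cam01 sshd[1207]: Failed password for root from 198.51.100.7 port 40128 ssh2
Jan  5 10:00:05 cam01 sshd[1209]: Failed password for root from 198.51.100.7 port 40130 ssh2
Jan  5 10:00:06 cam01 sshd[1211]: Accepted password for root from 198.51.100.7 port 40132 ssh2
Jan  5 10:30:00 cam01 sshd[1301]: Accepted publickey for ops from 203.0.113.9 port 50000 ssh2
Jan  5 11:00:00 cam01 sshd[1401]: Failed password for ops from 203.0.113.9 port 50002 ssh2
Jan  5 11:00:05 cam01 sshd[1403]: Accepted password for ops from 203.0.113.9 port 50004 ssh2
"""

# OpenSSH auth line shape: "<syslog ts> <host> sshd[pid]: (Failed|Accepted) <method> for [invalid user] <user> from <ip> port <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_events(text, year=2023):
    """Yield (timestamp, result, method, user, ip) for each sshd auth line.
    Syslog timestamps carry no year, so one is supplied (assumption: 2023)."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["result"], m["method"], m["user"], m["ip"]


def detect_bruteforce(text, threshold=5, window_s=60):
    """Return {ip: {"failures": n, "compromised": [users]}} for sources that
    reach `threshold` failed password logins inside a sliding `window_s`
    seconds, recording any later password success from that source as a
    probable cracked credential. Threshold/window are assumed tuning values."""
    recent = defaultdict(list)   # ip -> timestamps of failures inside the window
    findings = {}
    for ts, result, method, user, ip in parse_events(text):
        if method != "password":
            continue             # key-based logins are not brute-force candidates
        if result == "Failed":
            recent[ip].append(ts)
            recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= window_s]
            if len(recent[ip]) >= threshold:
                entry = findings.setdefault(ip, {"failures": 0, "compromised": []})
                entry["failures"] = max(entry["failures"], len(recent[ip]))
        elif ip in findings:
            # Password success from a source already flagged: the credential
            # was guessed, which is exactly what this bot uploads to its C2.
            findings[ip]["compromised"].append(user)
    return findings


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {info['failures']} failures, compromised users: {info['compromised']}")
```

A successful password login from a flagged source is the line to act on first: the host's credentials are by then already on the attackers' C2 server, so rotating the password alone is not enough without also checking for the dropped sample and its persistence.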
3. Mining Activities
Analysts found that the group in this incident distributed two shell scripts. The first runs wget to download the new botnet sample:
The second script, in addition to distributing the new botnet sample, downloads xmrig from the attacker's server for mining. Before starting the miner, the script sets the number of memory huge pages according to the number of threads supported by the CPU, a tuning step that lets the miner use the CPU as fully as possible:
From this we can see that, in addition to being controlled by the botnet, compromised hosts also have to perform heavy mining work, which consumes nearly all of their resources and reduces the effectiveness of any DDoS attack. We therefore conclude that either DDoS is not the group's main business, or the group already controls enough hosts that it does not need each compromised host to be fully effective.
4. IoCs
C&C:
109.206.243.207:5555
109.206.243.207:6667
MD5:
2A0DACE3CFE5115995F26768F711F011
E996BBE2EBDE333EE6C7BA78E4FB5E63
9CD7C3380A41E08B4730FA19E110AF06
9F1ACF1AF7495CC4468F420C169BF916
C2FB307AEE872DF475A7345D641D72DA
MiningPool:
pool.hashvault.pro:80
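The indicators above, together with the huge-page tuning performed by the second script, can be checked on a suspect host in one pass. The triage routine below is an added example written for this page, not code from the report; the C2 endpoints, MD5s and pool are taken verbatim from the IoC list, while the host observations it runs over (connections, file hashes, command lines, sysctl values) are constructed samples. The command-line pattern for the miner and the huge-page heuristic are assumptions, noted in the comments.

```python
"""Added example: match host observations against the Rapper/xmrig IoCs
published above. All host data below is constructed for illustration."""
import hashlib
import re

# IoCs exactly as listed in the report.
C2_ENDPOINTS = {("109.206.243.207", 5555), ("109.206.243.207", 6667)}
MINING_POOLS = {("pool.hashvault.pro", 80)}
SAMPLE_MD5S = {
    "2a0dace3cfe5115995f26768f711f011",
    "e996bbe2ebde333ee6c7ba78e4fb5e63",
    "9cd7c3380a41e08b4730fa19e110af06",
    "9f1acf1af7495cc4468f420c169bf916",
    "c2fb307aee872df475a7345d641d72da",
}

# Assumption: the miner is started with its pool on the command line in the
# usual xmrig form "-o host:port" / "--url host:port" (optionally stratum+tcp://).
POOL_ARG_RE = re.compile(r"(?:-o|--url)[ =](?:stratum\+tcp://)?([\w.-]+):(\d+)")


def md5_of(data: bytes) -> str:
    """MD5 hex digest, lower-case, for comparison with the published hashes."""
    return hashlib.md5(data).hexdigest()


def triage(connections, file_hashes, cmdlines, nr_hugepages, cpu_threads):
    """connections: iterable of (remote host or IP, port) from e.g. `ss -tnp`
    file_hashes:  {path: md5 hex} for files of interest
    cmdlines:     iterable of process command lines
    nr_hugepages: value of sysctl vm.nr_hugepages; cpu_threads: value of nproc
    Returns a list of (indicator_type, detail) findings."""
    findings = []
    for host, port in connections:
        if (host, port) in C2_ENDPOINTS:
            findings.append(("c2", f"{host}:{port}"))
        if (host, port) in MINING_POOLS:
            findings.append(("pool", f"{host}:{port}"))
    for path, digest in file_hashes.items():
        if digest.lower() in SAMPLE_MD5S:
            findings.append(("hash", path))
    for cmd in cmdlines:
        m = POOL_ARG_RE.search(cmd)
        if m and (m.group(1), int(m.group(2))) in MINING_POOLS:
            findings.append(("miner_cmdline", cmd))
    # The mining script sizes huge pages by CPU thread count. Heuristic
    # (assumption): a huge-page reservation at least as large as the thread
    # count on a host with no known huge-page consumer is worth a look.
    if nr_hugepages and nr_hugepages >= cpu_threads:
        findings.append(("hugepages", f"vm.nr_hugepages={nr_hugepages}, cpu_threads={cpu_threads}"))
    return findings


# Constructed host observations (not data from the incident).
CONSTRUCTED_CONNECTIONS = [
    ("109.206.243.207", 5555),   # bot C2 channel
    ("93.184.216.34", 443),      # benign
    ("pool.hashvault.pro", 80),  # miner
]
CONSTRUCTED_HASHES = {
    "/tmp/.x/rapper": "2A0DACE3CFE5115995F26768F711F011",  # one of the published MD5s
    "/bin/ls": md5_of(b"constructed benign content"),
}
CONSTRUCTED_CMDLINES = [
    "/tmp/.x/xmrig -o pool.hashvault.pro:80 -u WALLET -k",
    "sshd: root@pts/0",
]

if __name__ == "__main__":
    for kind, detail in triage(CONSTRUCTED_CONNECTIONS, CONSTRUCTED_HASHES,
                               CONSTRUCTED_CMDLINES, nr_hugepages=1280, cpu_threads=8):
        print(f"[{kind}] {detail}")
```

Hash matching will only catch the five listed samples; the network indicators and the miner command line are the more durable checks, since the group can recompile the bot far more easily than it can move its C2 and pool.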