Cryptojacking added to updated RapperBot DDoS botnet

Threat actors behind the RapperBot botnet have updated the malware to include the XMRig Monero miner in an effort to exfiltrate cryptocurrency from IoT devices running on Intel x64 architectures as part of a campaign that began in January, BleepingComputer reports. FortiGuard Labs researchers discovered that the updated RapperBot botnet has employed various means to evade detection, including the integration and obfuscation of miner code with double-layer XOR encoding, command-and-control server-based mining configuration receipt, and randomized request sizes and intervals. Further analysis revealed that aside from having the capability to conduct and terminate distributed denial-of-service attacks even though no DDoS commands have been sent to the examined samples, RapperBot also has the ability to end itself and other child processes. Since its emergence last June, RapperBot has already been updated to include DoS commands and a Telnet self-propagation mechanism, indicating the rapid evolution and feature expansion of the botnet malware.