RapperBot DDoS Botnet Ventures into Cryptojacking, Poses New Cyber Threats

  • Written by Shipra Sanganeria, Cybersecurity & Tech Writer

FortiGuard Labs, a renowned cybersecurity research team, has recently discovered fresh instances of the ongoing RapperBot campaign, which has been active since January 2023. RapperBot, a notorious malware family primarily targeting Internet of Things (IoT) devices, has been in circulation since June 2022.

Previous reports from FortiGuard Labs, in August 2022 and December 2022, documented the campaign's focus on exploiting weak or default SSH or Telnet credentials to grow its botnet for launching Distributed Denial of Service (DDoS) attacks. In this latest wave, however, the threat actors behind RapperBot have gone a step further into cryptojacking, specifically targeting Intel x64 machines.

At the outset, they deployed a separate Monero cryptominer alongside the standard RapperBot binary. Towards the end of January 2023, they consolidated both functions into a single bot with built-in miner capabilities. This article covers the changes observed in this new campaign and provides a technical analysis of the upgraded RapperBot variant with cryptojacking capabilities.

FortiGuard Labs has recently disclosed an updated variant of RapperBot, a malware strain that is now utilizing the XMRig Monero miner specifically designed for Intel x64 architectures. The cybersecurity firm has revealed that this campaign, which primarily focuses on Internet of Things (IoT) devices, has been active since January.

FortiGuard Labs has uncovered new details on how the miner code is integrated into the RapperBot malware, which uses double-layer XOR encoding to conceal its mining pools and Monero wallet addresses.

The bot retrieves its mining configuration from the C2 server, with multiple pools and wallets for resilience, and routes mining traffic through two mining proxies to make tracking harder. RapperBot falls back to public mining pools if the C2 is unreachable and terminates competing miners. The latest version applies two-layer encoding to its C2 communication to evade network traffic monitoring.
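The two preceding paragraphs describe the miner configuration being hidden behind double-layer XOR encoding. The following is an added, analyst-side example (not RapperBot code and not FortiGuard's tooling) of how a defender would decode such a string when building indicator extraction for a sample. The keys, byte layout and the sample blob are constructed assumptions; the article does not state which keys or layout the malware uses. It also goes slightly beyond the text to show why stacking two repeating-key XOR layers buys the malware author nothing: the layers collapse into a single repeating key that known plaintext recovers directly.

```python
"""Analyst-side decoder for a two-layer XOR-obfuscated configuration string.

Added example for illustration only. Keys, layout and sample data are
constructed assumptions, not values taken from any real sample.
"""
from math import lcm


def xor_layer(data: bytes, key: bytes) -> bytes:
    """XOR every byte of data with a repeating key (XOR is its own inverse)."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def double_xor_encode(text: str, outer_key: bytes, inner_key: bytes) -> bytes:
    """Build a sample blob the way a double-layer encoder would: inner layer, then outer."""
    return xor_layer(xor_layer(text.encode("utf-8"), inner_key), outer_key)


def double_xor_decode(blob: bytes, outer_key: bytes, inner_key: bytes) -> str:
    """Undo the layers in reverse order of application: outer first, then inner."""
    return xor_layer(xor_layer(blob, outer_key), inner_key).decode("utf-8")


def collapse_keys(outer_key: bytes, inner_key: bytes) -> bytes:
    """Two repeating XOR keys are equivalent to one key of length lcm(len(a), len(b)).

    This is why "double-layer" XOR is no stronger than single-layer XOR.
    """
    n = lcm(len(outer_key), len(inner_key))
    return bytes(outer_key[i % len(outer_key)] ^ inner_key[i % len(inner_key)]
                 for i in range(n))


def recover_key(blob: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Known-plaintext recovery: if the decoded config is known to start with
    known_prefix (e.g. a field name), XORing it against the blob yields the
    effective repeating key, provided the prefix is at least key_len bytes."""
    if len(known_prefix) < key_len:
        raise ValueError("known prefix shorter than key length")
    return bytes(blob[i] ^ known_prefix[i] for i in range(key_len))


def extract_fields(decoded: str) -> dict:
    """Split a decoded 'k=v;k=v' config into a dict for indicator extraction."""
    fields = {}
    for item in decoded.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            fields[k.strip()] = v.strip()
    return fields


# Constructed sample: placeholder pool host and wallet, deliberately not real IoCs.
SAMPLE_CONFIG = "pool=pool.example.invalid:3333;wallet=WALLET_PLACEHOLDER"
OUTER_KEY = b"\x5a\xa5\x3c"   # assumed key for the outer layer
INNER_KEY = b"\x17"           # assumed key for the inner layer
SAMPLE_BLOB = double_xor_encode(SAMPLE_CONFIG, OUTER_KEY, INNER_KEY)


def recover_config(blob: bytes = SAMPLE_BLOB) -> dict:
    """Decode a blob with the assumed keys and return its fields."""
    return extract_fields(double_xor_decode(blob, OUTER_KEY, INNER_KEY))


if __name__ == "__main__":
    print("decoded fields:", recover_config())
    effective = recover_key(SAMPLE_BLOB, b"pool=", len(collapse_keys(OUTER_KEY, INNER_KEY)))
    print("effective key via known plaintext:", effective.hex())
    print("collapsed key from the two layers:", collapse_keys(OUTER_KEY, INNER_KEY).hex())
```

The practical takeaway for an analyst is in `collapse_keys` and `recover_key`: with a guessed field name such as `pool=` and the key length (which repeating-byte statistics or the binary's decode routine reveal), the effective key falls out in one XOR pass, so the pool hosts and wallet addresses can be turned into blocklist entries without stepping through the malware's own decoder.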

Randomized request intervals and sizes make the exchanges harder to spot. To protect against such malware, users should keep software up to date, disable unnecessary services, change default passwords, and use firewalls.

Seoul’s Premier Hospital Falls Victim to North Korean Hackers, Losing 830K Data

  • Written by Shipra Sanganeria, Cybersecurity & Tech Writer

According to the Korean National Police Agency (KNPA), Seoul National University Hospital (SNUH) fell victim to a cyberattack orchestrated by North Korean hackers.

Law enforcement has been investigating the case and, based on several lines of evidence, has attributed the attack to North Korean threat actors. The intrusion techniques, IP addresses linked to North Korea, website registration details, and linguistic patterns used in the attacks all contributed to the authorities' conclusion.

South Korean media have pointed to the Kimsuky hacking organization as the likely culprit, but the police report does not name any specific threat actor. The attack on the hospital’s internal network was launched from seven servers located in South Korea and other countries.

Authorities have disclosed that a staggering 831,000 individuals had their personal information compromised as a result of the incident, with the majority being patients. Among the affected individuals, approximately 17,000 are either current or former employees of various hospitals.

In a news release, the Korean National Police Agency (KNPA) warned that North Korean hackers could target critical infrastructure across multiple sectors, and stressed the importance of robust security measures such as regular patching, strict user access management, and data encryption.

The KNPA also called for safeguarding South Korea’s cyber infrastructure against state-backed cyberattacks through better information sharing and collaboration with the relevant authorities. North Korean hackers have been linked to previous attacks on hospital networks that stole patient information and demanded ransom payments.