Diagram of the infection chain | Image: BitSight
A new deep-dive analysis from BitSight has unmasked the RondoDox Botnet, a sophisticated and rapidly evolving threat that has successfully transitioned from a standard denial-of-service tool into a modular engine for cryptocurrency mining and persistent infrastructure compromise.
The research highlights a campaign marked by “active development with changes in capabilities, highlighted by the observation of hundreds of different samples in the wild”.
The RondoDox threat begins long before the final payload lands. The infection follows a calculated path: from scanning infrastructure to an initial shell script implant, and finally to the fully featured RondoDox Binary.
When a vulnerability is successfully exploited via command injection, the payload executes a shell script directly in memory without ever writing it to disk. This “initial implant can be divided into four main steps: Do basic anti-analysis, Remove other malware, Find a writable directory to drop the main binary, Fetch the correct binary for the architecture and run it”.
The shell script serves as a surgical strike team. To ensure the host is a “clean” environment for RondoDox, it performs an aggressive sweep for competing malware. It iterates through running processes, killing any executable that is running from memory or common malware drop locations like /tmp, /var, or /dev.
One clever trick identified by researchers is the script’s choice of /lib as the directory in which to drop the binary. The script “does not kill any executables running in a path with ‘lib’ in it,” effectively exempting its own future execution from its malware-clearing routine.
The heart of the threat is the RondoDox main binary, which researchers observed supporting a staggering 18 different architectures, ranging from standard x86_64 to specialized IoT platforms like armeb and sh4.
To prevent security analysts from dissecting its code, the binary implements a complex anti-debugging defense known as nanomites. This “works by forking the current process and having the child monitor the parent process” for any sign of a debugger. If a debugger is detected, the malware immediately kills both the main process and the analysis tool.
Other defensive measures include:
- OOM-Killer Adjustment: The binary sets its “out-of-memory” killer score to -1000 to prevent the system from terminating it during high resource usage.
- Advanced Persistence: The malware extensively cleans existing crontabs and init scripts before injecting its own.
- Evolving Obfuscation: The group has moved from “simple XOR to custom obfuscation,” including a multi-step logic involving byte swaps and rotation to hide its strings from forensic tools.
The botnet features extensive Denial of Service (DoS) capabilities at the internet, transport, and application layers, with a specific focus: “DoS supported protocols have a high focus on online games”. Supported attack types include specific payloads for titles like Roblox, Fortnite, and CS:GO, as well as infrastructure like OpenVPN and Discord.
When not engaged in an attack, the botnet pivots to mining. It drops a customized XMRig miner (often named softirq) and connects to a mining proxy to generate Monero for the threat actors. Early analysis of one associated wallet showed approximately $100 in earnings, though researchers believe the actual profit is much higher given the use of proxy instances to obfuscate the scale of the operation.
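The host-side behaviours described above (executables running from memory or from /tmp, /var and /dev, the /lib exemption, the -1000 OOM-killer score, and an XMRig miner named softirq) can be turned into simple triage heuristics. The following Python script is an added example written for this page, not code from BitSight or from the RondoDox samples. It assumes process records with the fields found under /proc/<pid>/ (comm, exe, cmdline, PPid, oom_score_adj), an assumed allowlist of daemons that legitimately set -1000 (sshd is given as the example), and constructed sample records rather than real telemetry.

```python
"""
Host triage heuristics for the RondoDox behaviours reported by BitSight:
memory-resident or /tmp,/var,/dev executables, OOM-kill immunity (-1000) and a
userland process hiding behind the kernel-thread-like name "softirq".
Added example (not BitSight's code). Record layout mirrors /proc/<pid>/*.
"""
import os
from dataclasses import dataclass
from typing import Dict, List, Optional

# Drop locations the implant itself sweeps (from the article). /lib is deliberately
# absent: the implant exempts paths containing "lib", a defender must not.
DROP_LOCATIONS = ("/tmp/", "/var/", "/dev/")
# Daemons that legitimately set oom_score_adj to -1000; assumed allowlist, tune per fleet.
OOM_IMMUNE_OK = {"sshd"}
KTHREADD_PID = 2  # parent of every kernel thread


@dataclass
class ProcInfo:
    pid: int
    comm: str            # /proc/<pid>/comm
    exe: Optional[str]   # readlink(/proc/<pid>/exe); None when unreadable
    cmdline: str         # /proc/<pid>/cmdline, NULs replaced by spaces
    ppid: int            # PPid from /proc/<pid>/status
    oom_score_adj: int   # /proc/<pid>/oom_score_adj


def is_kernel_thread(p: ProcInfo) -> bool:
    """Kernel threads have no cmdline and descend from kthreadd (pid 2)."""
    return p.pid == KTHREADD_PID or (p.ppid == KTHREADD_PID and p.cmdline == "")


def triage(p: ProcInfo) -> List[str]:
    """Return human-readable findings for one process (empty list = nothing odd)."""
    findings: List[str] = []
    if p.exe and p.exe.endswith(" (deleted)"):
        findings.append("executable unlinked from disk (memory-resident)")
    if p.exe and p.exe.startswith(DROP_LOCATIONS):
        findings.append(f"executable in common drop location: {p.exe}")
    if p.oom_score_adj == -1000 and p.comm not in OOM_IMMUNE_OK:
        findings.append("oom_score_adj -1000: process made immune to the OOM killer")
    if p.comm == "softirq" and not is_kernel_thread(p):
        findings.append("userland process using kernel-thread-style name 'softirq'")
    return findings


def triage_all(procs) -> Dict[int, List[str]]:
    """Map pid -> findings, keeping only processes with at least one finding."""
    return {p.pid: f for p in procs if (f := triage(p))}


def read_proc(pid: int) -> Optional[ProcInfo]:
    """Build a ProcInfo from the live /proc tree (Linux only; needs read access)."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/comm") as fh:
            comm = fh.read().strip()
        with open(f"{base}/cmdline", "rb") as fh:
            cmdline = fh.read().replace(b"\0", b" ").decode("utf-8", "replace").strip()
        with open(f"{base}/status") as fh:
            ppid = next(int(line.split()[1]) for line in fh if line.startswith("PPid:"))
        with open(f"{base}/oom_score_adj") as fh:
            oom = int(fh.read())
        try:
            exe = os.readlink(f"{base}/exe")
        except OSError:
            exe = None
    except (OSError, StopIteration, ValueError):
        return None
    return ProcInfo(pid, comm, exe, cmdline, ppid, oom)


def scan_live() -> Dict[int, List[str]]:
    """Run the heuristics over every readable process on this host."""
    procs = (read_proc(int(n)) for n in os.listdir("/proc") if n.isdigit())
    return triage_all(p for p in procs if p is not None)


# Constructed sample records (not real telemetry) illustrating each heuristic.
SAMPLE_PROCS = [
    ProcInfo(1, "systemd", "/usr/lib/systemd/systemd", "/sbin/init", 0, 0),
    ProcInfo(12, "ksoftirqd/0", None, "", 2, 0),                             # real kernel thread
    ProcInfo(700, "sshd", "/usr/sbin/sshd", "/usr/sbin/sshd -D", 1, -1000),  # allowlisted daemon
    ProcInfo(4242, "softirq", "/lib/.x/softirq", "/lib/.x/softirq", 1, -1000),
    ProcInfo(4300, "x86_64", "/tmp/x86_64 (deleted)", "/tmp/x86_64", 1, 0),
]

if __name__ == "__main__":
    for pid, findings in triage_all(SAMPLE_PROCS).items():
        print(pid, findings)
```

Run `scan_live()` as root on a Linux host to apply the same rules to real processes. Note how the constructed softirq record under /lib is still caught: the implant's own "lib" exemption does not help it once the defender keys on the name impersonation and the -1000 OOM score rather than on the drop path alone.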