From Ripples to Waves: The Swift Evolution of the “Boat” Botnet

August 18, 2023 | NSFOCUS

The botnet family “Boat” was first discovered by NSFOCUS Security Labs in June 2022. Its name comes from the fact that malicious samples in its early versions propagate under the file name “boat”. Because some malicious samples in later versions of this family retain symbol information and contain a large number of functions named “ripper_*”, the family is also called “Ripper”.

In August 2023, NSFOCUS’s global threat hunting system detected that the Boat family had accelerated its version upgrades and that its activity had increased significantly. It has grown into a threat source that cannot be ignored. After more than a year of development, the functionality of the Boat family has matured and many variants have been derived from it. The family’s repeated attempts to improve concealment, and the likelihood that it uses independent propagation modules, have drawn our attention again. In this article, we summarize the changes in the Boat family over the past year.

Evolution of Boat

1. Propagation

We analyzed the newly captured attacker assets and found that the controllers of the Boat family had a large number of propagation scripts with different names.

“Arsenals” of Boat controller

The naming of those scripts in the Boat family seems to reveal information about potential attack targets, such as “android” and “ruckus”. Commonly used script names are as follows:


It is worth noting that the attacker has a large number of propagation scripts named “exploit.*”. We presume that the attacker has tried to spread the malware by exploiting vulnerabilities, yet the Trojans themselves contain no built-in vulnerability exploitation module; the known propagation method of this family is mainly weak-password brute force. All clues suggest that the Boat controller also operates an independent propagation module.

In fact, in recent years we have detected an increasingly obvious trend that the botnet Trojan separates the propagation module from the Trojan body. Independent propagation modules not only improve the controllability of propagation but also help hide attacker resources and prevent important information such as 0-day vulnerabilities from being intercepted.

2. Scanning

In the early version of the Boat family, the C&C server issues weak password pairs during the online (check-in) interaction. The later version revised the overall design and uses weak password pairs directly in the scanning module, which is more reasonable than the original design.

Weak password issued by the Boat controller

Generally, botnet controllers embed weak password pairs in the malicious samples or store them in dedicated dictionary files. Issuing weak passwords directly through C&C communication traffic, as Boat does, is rare.

Boat scanning module

3. Communication Protocol

The Boat family has been experimenting with different ways of communicating over the last year. The most common version is based on TCP protocol, followed by versions communicating with the C&C server with UDP protocol.

Boat communication module

The Boat family has also attempted to communicate using a tor proxy, but this was abandoned in subsequent releases.

Attempt of Boat communication based on Tor

In recent years, botnet operators have made various attempts to enhance the camouflage of botnet communication, either by choosing a harder-to-observe Tor proxy for communication or by designing complex interaction logic. To some extent, attackers are more willing to devote resources to this than defenders are, which deserves our attention.

4. Versions

There are many variants of the Boat family, showing that multiple versions are active at the same time. The more active versions are as follows:

| Rev. | Variant | Capture time | Change |
|------|---------|--------------|--------|
| V1 | Boat | May to June 2022 | The sample is propagated under the name “boat + architecture name”, and the issued weak password pairs appear in the online (check-in) interaction traffic. |
| V1 | Boat_jKira | Mid July 2022 | Weak passwords are applied in the scanning module. The sample name is “jKira + architecture name”, and functions named “ripper_*” begin to appear. |
| V1 | Boat_tor | Mid October 2022 | Attempt to communicate via Tor proxy. |
| V2 | Boat_Ripper-v1 | Captured April 2023; increased activity in August | The online (check-in) packet is modified; when run, the sample outputs the string “Komorebi”. |
| V2 | Boat_Ripper-v2 | Captured April 2023; increased activity in August | UDP communication; DDoS attack instructions and functions are added. |
| V2 | Boat_Ripper-3 | June to July 2023 | The instruction-receiving module code is obfuscated; the online parameters are the sample’s startup parameters; a local SOCKS5 proxy and DNS resolution service are enabled; the sample name is “loki + architecture name”. |
| V3 |  | End of July 2023 | The DDoS attack module has changed greatly; when run, the sample outputs “[botpkt] Committing Suicid”. |

Version change of Boat family
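A triage helper derived from the version table above, added here as an example and not NSFOCUS’s own tooling: it checks a dropped file name and the raw sample bytes against the version indicators the article lists (the “boat”, “jKira” and “loki” name prefixes, retained “ripper_*” symbol names, and the “Komorebi” and “[botpkt] Committing Suicid” output strings) and reports the latest version the hits support. The separator between name prefix and architecture suffix, and the sample blobs, are assumptions.

```python
import re

# Indicator-to-version hints derived from the version table above. Strings and
# name prefixes are the ones the article reports; the rank orders them from
# earliest to latest version so the strongest hit decides the guess.
STRING_INDICATORS = [
    (b"[botpkt] Committing Suicid", "V3 (end of July 2023)", 5),
    (b"Komorebi", "V2 Boat_Ripper-v1 or later (April 2023)", 3),
    (b"ripper_", "V1 Boat_jKira or later (mid July 2022)", 2),
]
NAME_PREFIXES = {
    "boat": ("V1 Boat (May-June 2022)", 1),
    "jKira": ("V1 Boat_jKira (mid July 2022)", 2),
    "loki": ("V2 Boat_Ripper-3 (June-July 2023)", 4),
}
# Assumed file-name layout: prefix, optional separator, architecture suffix.
NAME_RE = re.compile(r"^(boat|jKira|loki)[._-]?([A-Za-z0-9_]*)$")


def triage_boat_sample(filename: str, data: bytes) -> dict:
    """Match a dropped file name and raw sample bytes against Boat version hints.
    Returns the latest-version hint as 'version' plus every indicator that hit."""
    hits = []  # (rank, version label, human-readable indicator)
    m = NAME_RE.match(filename)
    if m:
        label, rank = NAME_PREFIXES[m.group(1)]
        arch = m.group(2) or "unknown"
        hits.append((rank, label, f"name '{m.group(1)}' + arch '{arch}': {label}"))
    for needle, label, rank in STRING_INDICATORS:
        if needle in data:  # plain string scan, no unpacking or disassembly
            hits.append((rank, label, f"string {needle!r}: {label}"))
    if data[:4] != b"\x7fELF":
        hits.append((0, None, "not an ELF image: name/string hints only"))
    ranked = [h for h in hits if h[0] > 0]
    version = max(ranked, key=lambda h: h[0])[1] if ranked else None
    return {"version": version, "indicators": [h[2] for h in hits]}


# Constructed test blobs (fake ELF header bytes plus indicator strings),
# not real malware samples.
SAMPLES = {
    "boat.arm7": b"\x7fELF\x01\x01\x01" + b"\x00" * 9 + b"/bin/busybox\x00",
    "jKira.mips": b"\x7fELF\x01\x02\x01" + b"\x00" * 9 + b"ripper_scanner\x00",
    "loki.x86": b"\x7fELF\x01\x01\x01" + b"\x00" * 9 + b"Komorebi\x00ripper_cnc\x00",
    "update.sh": b"#!/bin/sh\n[botpkt] Committing Suicid\x00",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, "->", triage_boat_sample(name, blob))
```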

Up to now, the malicious samples of this family cover almost all common IoT architectures, including:


We have noticed that source code from the Mirai family has been incorporated into each version of the Boat family to varying degrees. Attackers reuse code from known families when building new botnet families, which not only saves effort but also misleads antivirus engines and reduces the probability of a sample being singled out for manual analysis. This approach draws less attention than constructing an entirely new family with no detection history.


Over the past year, the Boat family’s controllers have attached great importance to the concealment of their Trojans. They deliberately added signature code from botnet families such as Mirai to mislead antivirus engines and reduce the probability of manual analysis, and they have also tried to achieve better concealment through Tor and SOCKS proxies. The Boat controllers also likely maintain separate propagation modules that protect their resources from disclosure. Versions of the Boat family change very quickly, multiple versions spread at the same time, the family is active over a wide range, and it shows a high degree of originality; a professional attack group stands behind it. NSFOCUS security researchers will continue to keep a close eye on the Boat family and its controllers.