Connor Gadbois
The RondoDox Botnet

October 21, 2025 | Connor Gadbois

Botnets

In my research of Mirai botnet variants, one name has come up more than any other: Rondo. From some quick searching, it seems to have recently exploded in activity. This is the result of using many exploits to get onto IoT systems. In the past 2 months I have found 32 different CVEs being used to deploy Rondo bots. Trend Micro has a good analysis of the exploits they are using.


Serving the malware

Unlike some other campaigns, RondoDox is using a slightly more complex mechanism for serving the malware. Often I'll see these bots being downloaded from an Apache server that is using the default configuration. RondoDox has put more effort into its delivery system. Each downloader script is given a unique name that follows the format "rondo.{3 letters}.sh". While including the name of the botnet in the script doesn't seem wise, I am guessing that the reason they are using the same script under many different names is to throw off automated alerts that look at network traffic. If the script "rondo.abc.sh" is found and added to block lists, they can switch to "rondo.xyz.sh".


Additionally, the server will only return the script if the request has a user agent from wget (e.g. wget/1.21.5). All of their exploits use wget to get the downloader script. If the user agent is from a web browser, a page is returned with an email address and a rap music video playing in the background.


I'll add that the user agent used in the request that was attempting the exploit references an email address, "bang2012@protonmail.com". Proton Mail and Atomic Mail are both free, privacy-focused email providers.
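The three observations above (rotating "rondo.{3 letters}.sh" script names, the wget-only user agent check, and an email address embedded in the exploit request's user agent) each suggest a detection that does not depend on blocking one literal filename. The following is an added example of my own, not code from the post or from Trend Micro: it scans egress proxy or web server access logs in Apache combined log format and flags requests that match the naming pattern, or that combine two of the weaker indicators. The log lines are constructed sample data; the 198.51.100.7 host, the mirror.example host and the example-handle@example.com address are placeholders, not indicators from the post.

```python
import re
from dataclasses import dataclass, field

# Downloader scripts are named "rondo.{3 letters}.sh" (from the post). Matching
# the pattern rather than one literal name survives the name rotation the post
# describes ("rondo.abc.sh" -> "rondo.xyz.sh").
RONDO_SCRIPT = re.compile(r"/rondo\.[a-z]{3}\.sh(?:$|[?#])", re.IGNORECASE)

# The delivery server only answers wget user agents (e.g. "Wget/1.21.5").
WGET_UA = re.compile(r"^wget/", re.IGNORECASE)

# The exploit request's user agent carried an email address; an address in a
# user agent string is unusual enough to be worth a second indicator.
EMAIL_IN_UA = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

# Apache combined log format (assumed as the input format for this example).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


@dataclass
class Finding:
    src: str
    path: str
    ua: str
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Return the fields of one combined-format log line, or None if unparsable."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """List the indicators present in one parsed log entry."""
    reasons = []
    if RONDO_SCRIPT.search(entry["path"]):
        reasons.append("rondo downloader name pattern")
    if WGET_UA.match(entry["ua"]):
        reasons.append("wget user agent")
    if EMAIL_IN_UA.search(entry["ua"]):
        reasons.append("email address in user agent")
    return reasons


def scan(lines):
    """Flag entries that match the script name pattern, or two weaker indicators.

    A plain wget download of an unrelated file is a single weak indicator and is
    deliberately not flagged, to keep the false-positive rate low.
    """
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if "rondo downloader name pattern" in reasons or len(reasons) >= 2:
            findings.append(Finding(entry["src"], entry["path"], entry["ua"], reasons))
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Oct/2025:10:00:00 +0000] "GET http://198.51.100.7/rondo.abc.sh HTTP/1.1" 200 1337 "-" "Wget/1.21.5"',
    '10.0.0.6 - - [21/Oct/2025:10:00:05 +0000] "GET http://198.51.100.7/rondo.xyz.sh HTTP/1.1" 200 1337 "-" "Wget/1.20.3"',
    '10.0.0.7 - - [21/Oct/2025:10:01:00 +0000] "GET http://mirror.example/update.sh HTTP/1.1" 200 4096 "-" "Wget/1.21.5"',
    '10.0.0.8 - - [21/Oct/2025:10:02:00 +0000] "GET http://mirror.example/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.9 - - [21/Oct/2025:10:03:00 +0000] "GET http://198.51.100.7/ HTTP/1.1" 404 0 "-" "Wget/1.21.5 example-handle@example.com"',
]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.src} -> {f.path}  [{', '.join(f.reasons)}]")
```

Run against the constructed sample, the two rotated script names and the request with an email address in its user agent are flagged, while the ordinary wget download of `update.sh` is not. In a real deployment the same three regexes translate directly into proxy or IDS rules; the point of the name pattern match is that a rotated filename no longer evades a rule written against the first one seen.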