Latest Mirai-based botnet targets SSH servers for crypto mining


A new Mirai-based botnet called NoaBot has been used by threat actors as part of a crypto mining campaign since early 2023.

“The capabilities of the new botnet, NoaBot, include a wormable self-spreader and an SSH key backdoor to download and execute additional binaries or self-propagate to new victims,” Akamai security researcher Stiv Kupchik said in a report shared with The Hacker News.

Mirai, whose source code was leaked in 2016, is the precursor to a number of botnets, the most recent of which is InfectedSlurs, capable of carrying out distributed denial-of-service (DDoS) attacks.

There are indications that NoaBot could be linked to another botnet campaign involving a Rust-based malware family known as P2PInfect, which recently received an update to target routers and IoT devices.

This is based on the fact that threat actors have also experimented with dropping P2PInfect instead of NoaBot in recent attacks on SSH servers, indicating that a switch to custom malware is likely being attempted.

Despite NoaBot’s Mirai foundations, its spreader module uses an SSH scanner to find servers susceptible to dictionary attacks, brute-forces their credentials, and adds an SSH public key to the .ssh/authorized_keys file for persistent remote access. Optionally, it can also download and execute additional binaries after a successful compromise, or spread itself to new victims.


“NoaBot is compiled with uClibc, which appears to change the way antivirus engines detect the malware,” Kupchik noted. “While other Mirai variants are usually detected with a Mirai signature, NoaBot’s antivirus signatures are those of an SSH scanner or a generic Trojan.”

In addition to integrating obfuscation tactics to make the analysis challenging, the attack chain ultimately results in the deployment of a modified version of the XMRig coin miner.

What sets the new variant apart from other similar Mirai-based campaigns is that it does not contain any information about the mining pool or wallet address, making it impossible to assess the profitability of the illegal cryptocurrency mining operation.

“The miner is obfuscating its configuration and also using a custom mining pool to avoid revealing the wallet address used by the miner,” Kupchik said, emphasizing a degree of preparedness from the threat actors.

Akamai said it has so far identified 849 victim IP addresses distributed around the world, with high concentrations in China, which accounted for almost 10% of all attacks on its honeypots in 2023.

“The malware’s method of lateral movement is via plain old SSH credential dictionary attacks,” Kupchik said. “Restricting random Internet SSH access to your network significantly reduces the risks of infection. Additionally, using strong (non-default or randomly generated) passwords also makes your network more secure, because the malware has a basic list of guessable passwords.”
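As an added defender-side example (not code from the Akamai report), the following Python script looks for the two traces this campaign leaves on a host: bursts of failed SSH password logins from a single source, and authorized_keys entries whose key body is not on an approved list. The log lines, key bodies and threshold are constructed sample values.

```python
import re
from collections import Counter

# Constructed sample sshd log lines (not from the report), in the usual
# "Failed password for ... from <ip> port <port> ssh2" auth.log shape.
SAMPLE_AUTH_LOG = """\
Jan 10 03:14:01 host sshd[2201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jan 10 03:14:02 host sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Jan 10 03:14:03 host sshd[2205]: Failed password for root from 203.0.113.7 port 51238 ssh2
Jan 10 03:14:05 host sshd[2209]: Accepted publickey for alice from 198.51.100.4 port 40000 ssh2
Jan 10 03:14:06 host sshd[2211]: Failed password for root from 198.51.100.9 port 40002 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+ ssh2")

def dictionary_attack_sources(log_text: str, threshold: int = 3) -> dict:
    """Return {ip: failed_count} for sources with at least `threshold` failed password logins."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed authorized_keys content: one approved key and one unexpected entry.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKnownAdminKey0000000000000000000 alice@laptop
# comment line
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCplaceholderUnknownKeyBody mobile
"""

def unexpected_keys(authorized_keys: str, allowlist: set) -> list:
    """Return (type, key_body, comment) for entries whose key body is not in `allowlist`."""
    found = []
    for line in authorized_keys.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # Entries may carry leading options ("command=...,no-pty ssh-ed25519 ...");
        # locate the key-type token and take the base64 body that follows it.
        for i, tok in enumerate(parts):
            if tok.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(parts):
                key_type, body = tok, parts[i + 1]
                comment = " ".join(parts[i + 2:])
                if body not in allowlist:
                    found.append((key_type, body, comment))
                break
    return found
```

Run it against real /var/log/auth.log output and each user's ~/.ssh/authorized_keys, with the allowlist populated from your configuration management inventory.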
