NoaBot: Another Mirai Botnet Strikes at Linux Devices

Akamai's team of security experts has discovered a new cryptomining campaign, dubbed NoaBot, leveraging the SSH protocol to spread its malware.
Jan 11th, 2024 1:49pm by
Image by Brian McGowan on Unsplash.

Mirai is a self-propagating worm that can turn consumer devices running Linux on ARC processors into remotely controlled bots. For over seven years now, it’s been used to launch Distributed Denial of Service (DDoS) attacks and, of course, to spread cryptominer malware. That’s where the money is, after all.

Now, Akamai security researchers have discovered a new Mirai variation, NoaBot, that deploys a modified version of the XMRig cryptominer.

What makes this latest version interesting is that instead of relying on Telnet to spread its malware, it uses SSH. It scans by initiating a connection, sending a simple “hi” message, and then terminating the connection. This quick scanning strategy helps it keep a low profile.
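A connect-send-“hi”-disconnect probe never gets past sshd's banner exchange, so it leaves a distinctive trace in the server's own logs. The script below is an added example for defenders, not Akamai's tooling or anything from the article: it correlates the two lines OpenSSH's sshd writes when a client's first line does not start with `SSH-`, groups the rejected banners by source address, and flags sources that repeatedly probe or send the literal “hi”. The log lines are constructed; their wording is modelled on OpenSSH's `kex_exchange_identification` / `banner exchange ... invalid format` messages as I know them, so adjust the regexes if your sshd version phrases them differently.

```python
"""Spot SSH sources that open a connection, send a non-SSH banner and hang up.

Added example (not Akamai's code). The SAMPLE_LOG lines are constructed and
follow the message shape OpenSSH's sshd uses when a client's first line is
not an "SSH-" identification string.
"""
import re
from collections import defaultdict

# Constructed sample log lines, not real captured traffic.
SAMPLE_LOG = """\
Jan 11 13:49:01 host sshd[2101]: kex_exchange_identification: client sent invalid protocol identifier "hi"
Jan 11 13:49:01 host sshd[2101]: banner exchange: Connection from 203.0.113.10 port 41022: invalid format
Jan 11 13:49:03 host sshd[2105]: Accepted publickey for admin from 198.51.100.7 port 50110 ssh2
Jan 11 13:49:09 host sshd[2110]: kex_exchange_identification: client sent invalid protocol identifier "hi"
Jan 11 13:49:09 host sshd[2110]: banner exchange: Connection from 203.0.113.10 port 41030: invalid format
Jan 11 13:50:12 host sshd[2120]: kex_exchange_identification: client sent invalid protocol identifier "GET / HTTP/1.1"
Jan 11 13:50:12 host sshd[2120]: banner exchange: Connection from 192.0.2.55 port 60001: invalid format
Jan 11 13:51:00 host sshd[2130]: Connection closed by 198.51.100.7 port 50112 [preauth]
"""

# The identifier line carries the offending banner but not the peer address.
IDENT_RE = re.compile(
    r'sshd\[(?P<pid>\d+)\]: kex_exchange_identification: '
    r'client sent invalid protocol identifier "(?P<banner>[^"]*)"')
# The banner-exchange line carries the peer address but not the banner.
BANNER_RE = re.compile(
    r'sshd\[(?P<pid>\d+)\]: banner exchange: Connection from '
    r'(?P<ip>[\d.]+|[0-9a-fA-F:]+) port (?P<port>\d+): invalid format')


def parse_invalid_banners(log_text):
    """Return {source_ip: [banner, ...]} for every rejected banner exchange.

    sshd forks one child per connection, so both lines for a connection share
    a PID; that PID is the join key between banner text and source address.
    """
    pending = {}                 # pid -> banner awaiting its connection line
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = IDENT_RE.search(line)
        if m:
            pending[m["pid"]] = m["banner"]
            continue
        m = BANNER_RE.search(line)
        if m:
            # An identifier line may be missing (log rotation, older sshd);
            # record the rejection anyway with an empty banner.
            by_ip[m["ip"]].append(pending.pop(m["pid"], ""))
    return dict(by_ip)


def flag_probers(by_ip, min_hits=2, marker="hi"):
    """Sources that sent the marker banner, or min_hits invalid banners overall."""
    return sorted(ip for ip, banners in by_ip.items()
                  if marker in banners or len(banners) >= min_hits)


if __name__ == "__main__":
    hits = parse_invalid_banners(SAMPLE_LOG)
    for ip in flag_probers(hits):
        print(f"{ip}: {len(hits[ip])} invalid banner(s): {hits[ip]}")
```

Point the script at `/var/log/auth.log` or `journalctl -u ssh` output instead of `SAMPLE_LOG` and it will surface the scanning sources; the `min_hits` threshold keeps a one-off misdirected HTTP client from being reported alongside a sweep.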

It also comes with all the usual Mirai nastiness, such as a scanner module and an attacker module, hiding its process name, etc. NoaBot also seeks to install itself as a crontab entry so that it will run even after an infected device is rebooted. Once in place, it will also try to spread itself to other vulnerable systems.
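The crontab entry and the randomly named working folder are the two artifacts of this family most visible from the host itself. The audit below is an added example, not part of the article or of Akamai's released tooling: it parses crontab lines, pulls out the paths each command references, and reports entries whose program lives outside the normal system directories, sits in a hidden directory under a scratch location, or runs from a directory whose name looks machine-generated. The random-name test (length, digit share, character entropy) is a heuristic of my own, and the sample crontab is constructed.

```python
"""Audit crontab entries for persistence in unusual or random-looking paths.

Added example, not the article's or Akamai's code. Handles user-crontab
lines (five schedule fields or an @shortcut) and, with system=True, the
/etc/crontab form with a user column. SAMPLE_CRONTAB is constructed.
"""
import math
import re
import shlex
from collections import Counter

# Where scheduled programs are normally expected to live.
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/",
                    "/usr/local/bin/", "/usr/local/sbin/", "/usr/lib/",
                    "/usr/libexec/", "/opt/")
# World-writable staging areas where a hidden directory is rarely legitimate.
SCRATCH_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Redirect targets that are not programs.
IGNORE_PATHS = {"/dev/null"}

ENV_RE = re.compile(r"^[A-Za-z_]\w*=")
ABS_PATH_RE = re.compile(r"(?<![\w.])(/[\w.\-]+)+")

# Constructed sample; the last two entries imitate a worm's persistence.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
MAILTO=""
0 3 * * * /usr/bin/certbot renew --quiet
*/15 * * * * /usr/local/bin/backup.sh >/dev/null 2>&1
30 2 * * 0 PATH=/usr/bin:/bin apt-get update
@reboot /tmp/.x9f3kq2z7/sshd_helper >/dev/null 2>&1
* * * * * cd /var/tmp/.a1b2c3d4e5 && ./run.sh
"""


def split_entry(line, system=False):
    """Return (schedule, command) or None for blank, comment and VAR= lines."""
    s = line.strip()
    if not s or s.startswith("#") or ENV_RE.match(s):
        return None
    if s.startswith("@"):
        parts = s.split(None, 1)
        if len(parts) < 2:
            return None
        sched, cmd = parts
    else:
        parts = s.split(None, 5)
        if len(parts) < 6:
            return None
        sched, cmd = " ".join(parts[:5]), parts[5]
    if system:                      # /etc/crontab carries a user column
        user_cmd = cmd.split(None, 1)
        if len(user_cmd) < 2:
            return None
        cmd = user_cmd[1]
    return sched, cmd


def program_of(cmd):
    """First token of the command after any leading VAR=value assignments."""
    try:
        tokens = shlex.split(cmd)
    except ValueError:              # unbalanced quotes: fall back to whitespace
        tokens = cmd.split()
    for tok in tokens:
        if not ENV_RE.match(tok):
            return tok
    return ""


def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_random(name):
    """Heuristic: long, at least 40% digits, and high character entropy."""
    core = name.lstrip(".")
    digits = sum(ch.isdigit() for ch in core)
    return (len(core) >= 8 and digits / len(core) >= 0.4
            and any(ch.isalpha() for ch in core)
            and shannon_entropy(core) >= 3.0)


def assess_command(cmd):
    """Return the list of reasons this command deserves a look (empty if none)."""
    reasons = []
    program = program_of(cmd)
    if program.startswith("/") and not program.startswith(TRUSTED_PREFIXES):
        reasons.append(f"program outside trusted directories: {program}")
    paths = [m.group(0) for m in ABS_PATH_RE.finditer(cmd)]
    for p in paths:
        if p in IGNORE_PATHS:
            continue
        components = p.split("/")[1:]
        if p.startswith(SCRATCH_PREFIXES) and any(c.startswith(".") for c in components):
            reasons.append(f"hidden directory in scratch space: {p}")
        if any(looks_random(c) for c in components):
            reasons.append(f"random-looking directory name: {p}")
    return reasons


def audit_crontab(text, system=False):
    """Return [{'schedule', 'command', 'reasons'}] for every suspicious entry."""
    findings = []
    for line in text.splitlines():
        entry = split_entry(line, system=system)
        if entry is None:
            continue
        sched, cmd = entry
        reasons = assess_command(cmd)
        if reasons:
            findings.append({"schedule": sched, "command": cmd, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"{f['schedule']}  {f['command']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run it over `crontab -l` output for each account (and over `/etc/crontab` with `system=True`) and review the hits by hand; the heuristics are deliberately simple, so a legitimate job in a versioned directory may appear and a careful implant that copies itself under `/usr/bin` will not.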

In addition, it uses an obfuscated configuration and a custom mining pool to disguise itself from investigators. This approach effectively conceals the wallet address, complicating efforts to track the campaign’s profitability.

Interestingly, unlike Mirai, which is usually compiled with GCC, NoaBot is compiled with uClibc. This appears to change how antivirus engines detect the malware. While other Mirai variants are usually detected with a Mirai signature, NoaBot’s antivirus signatures show as an SSH scanner or a generic trojan. The malware also comes statically compiled and stripped of any symbols, making it harder to reverse engineer.

The P2PInfect Connection

Oddly, there seems to be a link between NoaBot and the P2PInfect worm. This is a peer-to-peer, self-replicating worm written in Rust that targets Redis servers. What’s the point of this? Good question. I wish we had a good answer.

The Akamai security researchers speculate, “The threat actors seem quite tech-savvy, so it could be that they’re trying their hand at malware development out of curiosity or boredom (or both). Finally, given that P2PInfect targets Redis servers, it could simply be a case of different tools for different purposes.”

Despite the technical sophistication in NoaBot’s code and operational security, the naming conventions and some included strings in the malware binaries display some immaturity. I mean, NunzombiE, “fast_vuln_file,” and “slow_vuln_fille?” Really? This blend of high-level technical skill and juvenile execution potentially offers clues for future identification and tracking of related malware activities.

NoaBot, while seemingly another Mirai variant and XMRig cryptominer, stands out due to the significant obfuscations and enhancements made to the source code. The campaign reflects the evolving landscape of cyber threats, where traditional methods are being adapted and advanced by threat actors, underscoring the need for continuous vigilance and adaptation in cybersecurity defenses.

Akamai has released various open source tools, including indicators of compromise, queries, signatures and scripts, to aid in detecting and defending against NoaBot infections. The malware typically operates from a randomly generated folder.