    Latest Mirai-based botnet targets SSH servers for cryptocurrency mining

    By techempire

    Report | January 10, 2024 | Editorial Department | Server Security/Encryption

    A new Mirai-based botnet called NoaBot has been used by threat actors as part of a cryptocurrency mining campaign since early 2023.

    Akamai security researcher Stiv Kupchik said in a report shared with The Hacker News: “The capabilities of the new botnet NoaBot include a wormable self-propagating program and an SSH key backdoor that is used to download and execute other binaries or spread itself to new victims.”

    Mirai, whose source code was leaked in 2016, is the ancestor of many botnets, the most recent of which is InfectedSlurs, which is capable of launching distributed denial-of-service (DDoS) attacks.

    There are indications that NoaBot may be related to another botnet campaign involving the Rust-based malware family P2PInfect, which recently received an update targeting routers and IoT devices.


    This is based on the fact that threat actors also attempted to use P2PInfect as a replacement for NoaBot in recent attacks against SSH servers, suggesting a possible move toward custom malware.

    Although NoaBot has a Mirai base, its spreader module uses an SSH scanner to search for servers vulnerable to dictionary attacks in order to brute-force them, and adds an SSH public key to the .ssh/authorized_keys file for remote access. Optionally, it can also download and execute additional binaries or spread itself to new victims after a successful exploit.
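Because the backdoor described above persists as an extra entry in `.ssh/authorized_keys`, a defender can audit that file against an allowlist of key fingerprints. The following is an added example, not code from the article or from Akamai; the key blobs, comments and the backup command path are constructed sample data.

```python
import base64, hashlib, struct

def fingerprint(blob):
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_line(line):
    """Return (options, keytype, blob, comment), or None if no key is found."""
    # Options may hold quoted spaces, so the key is the base64 blob whose
    # embedded type string equals the token immediately before it.
    tokens = line.split()
    if not tokens or tokens[0].startswith("#"):
        return None
    for i in range(1, len(tokens)):
        try:
            blob = base64.b64decode(tokens[i], validate=True)
        except ValueError:
            continue
        n = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else 0
        if n and blob[4:4 + n] == tokens[i - 1].encode():
            return " ".join(tokens[:i - 1]), tokens[i - 1], blob, " ".join(tokens[i + 1:])
    return None

def audit(text, approved):
    """List (fingerprint, keytype, options, comment) for keys not in `approved`."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry and fingerprint(entry[2]) not in approved:
            options, keytype, blob, comment = entry
            findings.append((fingerprint(blob), keytype, options, comment))
    return findings

def sample_blob(seed):
    """Constructed ed25519-shaped blob for the demo; not a real key."""
    t = b"ssh-ed25519"
    return struct.pack(">I", len(t)) + t + struct.pack(">I", 32) + bytes([seed]) * 32

ADMIN, BACKUP, UNKNOWN = (sample_blob(s) for s in (1, 2, 3))
b64 = lambda blob: base64.b64encode(blob).decode()
SAMPLE = "\n".join([
    "# constructed authorized_keys content",
    f"ssh-ed25519 {b64(ADMIN)} admin@bastion",
    f'command="/usr/local/bin/backup run",no-pty ssh-ed25519 {b64(BACKUP)} backup',
    f"ssh-ed25519 {b64(UNKNOWN)} x",
])
APPROVED = {fingerprint(ADMIN), fingerprint(BACKUP)}
if __name__ == "__main__":
    print(audit(SAMPLE, APPROVED))
```

Run it per account against each user's real file and treat any fingerprint outside the allowlist as a finding to investigate.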


    “NoaBot is compiled with uClibc, which seems to change the way antivirus engines detect malware,” Kupchik noted. “While other Mirai variants are typically detected via Mirai signatures, NoaBot’s antivirus signature is an SSH scanner or a general-purpose Trojan.”

    In addition to employing obfuscation tactics to make analysis challenging, the attack chain ultimately led to the deployment of a modified version of the XMRig coin miner.

    What sets this new variant above other similar Mirai-based botnet campaigns is that it does not contain any information about the mining pool or wallet address, making it impossible to assess the profitability of the illicit cryptocurrency mining scheme.


    “Miners obfuscate their configurations and use custom mining pools to avoid exposing the wallet addresses used by miners,” Kupchik said, emphasizing a certain level of preparedness on the part of threat actors.

    Akamai said it has identified 849 victim IP addresses so far, which are distributed around the world, with China reporting a high concentration, accounting for almost 10% of all attacks against its honeypots in 2023.

    “The malware’s method of lateral movement is through a plain old SSH credential dictionary attack,” Kupchik said. “Restricting any network SSH access to your network can greatly reduce the risk of infection. In addition, using strong (not default or randomly generated) passwords can also make your network more secure because malware can be used to guess a basic list of passwords.”
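The dictionary attack described in the article leaves a recognizable trail in sshd logs: a burst of failed passwords from one source, sometimes followed by an accepted one. The detection sketch below is an added example, not code from the article or from Akamai; the log lines are constructed, and the threshold and window values are assumptions to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches OpenSSH password-auth results as written to syslog.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")

def detect(lines, threshold=5, window=timedelta(minutes=5), year=2024):
    """Flag source IPs with >= threshold failed passwords inside `window`;
    record any password login accepted from a flagged IP afterwards."""
    failures = defaultdict(deque)          # ip -> timestamps of recent failures
    tried = defaultdict(set)               # ip -> usernames attempted
    alerts = {}                            # ip -> {"users": set, "accepted": list}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip, q = m["ip"], failures[m["ip"]]
        while q and ts - q[0] > window:    # slide the window forward
            q.popleft()
        if m["result"] == "Failed":
            q.append(ts)
            tried[ip].add(m["user"])
            if len(q) >= threshold:
                alerts.setdefault(ip, {"users": tried[ip], "accepted": []})
        elif ip in alerts:
            # Likely a guessed credential: treat the account as compromised
            # and review its authorized_keys for entries added afterwards.
            alerts[ip]["accepted"].append(m["user"])
    return alerts

# Constructed sample log (documentation-range addresses).
SAMPLE = [f"Jan 10 03:14:{s:02d} host sshd[811]: Failed password for "
          f"{u} from 203.0.113.5 port 4{s:04d} ssh2"
          for s, u in enumerate(["root", "invalid user admin", "root",
                                 "invalid user test", "root"])]
SAMPLE += [
    "Jan 10 03:14:09 host sshd[811]: Accepted password for root from 203.0.113.5 port 40009 ssh2",
    "Jan 10 03:20:00 host sshd[902]: Failed password for alice from 198.51.100.7 port 50100 ssh2",
    "Jan 10 03:20:05 host sshd[902]: Accepted password for alice from 198.51.100.7 port 50101 ssh2",
]
if __name__ == "__main__":
    print(detect(SAMPLE))
```

An alert with a non-empty `accepted` list is the high-priority case: the guessing burst ended in a successful password login.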
