NoaBot: Another Mirai Botnet Strikes at Linux Devices

/in


Akamai’s team of security experts has discovered a new cryptomining campaign, dubbed NoaBot, leveraging the SSH protocol to spread its malware.

Mirai is a self-propagating worm that can turn consumer devices running Linux on ARC processors into remotely controlled bots. For over seven years now, it’s been used to launch Distributed Denial of Service (DDoS) attacks and, of course, to spread cryptominer malware. That’s where the money is, after all.

Now, Akamai security researchers have discovered a new Mirai variation, NoaBot, that deploys a modified version of the XMRig cryptominer.

What makes this latest version interesting is that instead of relying on Telnet to spread its malware, it used SSH. It does this by initiating a connection, sending a simple “hi” message, and then terminating the connection. This quick scanning strategy aids in keeping a low profile.

It also comes with all the usual Mirai nastiness, such as a scanner module and an attacker module, hiding its process name, etc. NoaBot also seeks to install itself as a crontab entry so that it will run even after an infected device is rebooted. Once in place, it will also try to spread itself to other vulnerable systems.

In addition, it uses an obfuscated configuration and a custom mining pool to disguise itself from investigators. This approach effectively conceals the wallet address, complicating efforts to track the campaign’s profitability.

Interestingly, unlike Mirai, which is usually compiled with GCC, NoaBot is compiled with uClibc. This appears to change how antivirus engines detect the malware. While other Mirai variants are usually detected with a Mirai signature, NoaBot’s antivirus signatures show as an SSH scanner or a generic trojan. The malware also comes statically compiled and stripped of any symbols making reverse engineering it harder.

The P2PInfect Connection

Oddly, there seems to be a link between NoaBot and the P2PInfect worm, This is a peer-to-peer, self-replicating worm written in Rust that targets Redis servers. What’s the point of this? Good question. I wish we had a good answer.

The Akamai security researchers speculate, “The threat actors seem quite tech-savvy, so it could…

Source…