Tag Archive for: Mirai

NoaBot: Another Mirai Botnet Strikes at Linux Devices


Akamai’s team of security experts has discovered a new cryptomining campaign, dubbed NoaBot, leveraging the SSH protocol to spread its malware.

Mirai is a self-propagating worm that turns consumer devices running Linux (IoT and other embedded hardware) into remotely controlled bots. For over seven years now, it has been used to launch Distributed Denial of Service (DDoS) attacks and, of course, to spread cryptominer malware. That's where the money is, after all.

Now, Akamai security researchers have discovered a new Mirai variation, NoaBot, that deploys a modified version of the XMRig cryptominer.

What makes this latest version interesting is that instead of relying on Telnet to spread, it uses SSH. Its scanner initiates a connection, sends a simple "hi" message, and then terminates the connection. This quick scanning strategy helps it keep a low profile.

It also comes with all the usual Mirai nastiness, such as scanner and attacker modules and hiding its process name. NoaBot also installs itself as a crontab entry so that it runs again after an infected device is rebooted. Once in place, it tries to spread itself to other vulnerable systems.
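Crontab persistence of this kind is something a responder can audit without a malware signature. The script below is an added example, not Akamai's code, and the page does not reproduce NoaBot's actual crontab entry, so the heuristics (jobs that run from world-writable temp directories or hidden dot-paths, especially on @reboot) and the sample crontab with its miner paths are constructed assumptions about what a practitioner would flag.

```python
"""Audit crontab-format text for persistence entries typical of Linux miners/bots.

Added example, not Akamai's or NoaBot's code. The heuristics (temp-dir and
hidden-path commands) are assumptions about what a practitioner would flag,
not a reproduction of NoaBot's actual crontab entry.
"""
import re
import shlex

# World-writable locations that a legitimate cron job rarely executes from.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/run/shm/")
SPECIAL_SCHEDULE = re.compile(
    r"^@(reboot|yearly|annually|monthly|weekly|daily|midnight|hourly)\s+(.+)$")
VAR_ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")

def parse_crontab_line(line):
    """Return (schedule, command) for a job line; None for blanks, comments and VAR=value lines."""
    s = line.strip()
    if not s or s.startswith("#") or VAR_ASSIGNMENT.match(s):
        return None
    m = SPECIAL_SCHEDULE.match(s)
    if m:
        return "@" + m.group(1), m.group(2)
    fields = s.split(None, 5)          # minute hour dom month dow command
    if len(fields) == 6:
        return " ".join(fields[:5]), fields[5]
    return None                        # malformed; cron would reject it too

def is_hidden_path(token):
    """True if any path segment is a dot-file/dot-directory other than '.' or '..'."""
    return any(seg.startswith(".") and seg not in (".", "..") for seg in token.split("/"))

def reasons_for(schedule, command):
    """List why a job looks like malware persistence; an empty list means nothing noted."""
    try:
        argv = shlex.split(command)
    except ValueError:
        return ["command could not be tokenised"]
    reasons = []
    for tok in argv:
        if tok.startswith(SUSPICIOUS_DIRS):
            reasons.append(f"runs from world-writable temp dir: {tok}")
        if "/" in tok and is_hidden_path(tok):
            reasons.append(f"hidden path component: {tok}")
    # @reboot on its own is normal; it only matters once something else looks wrong.
    if reasons and schedule == "@reboot":
        reasons.append("@reboot keeps it alive across reboots")
    return reasons

def audit_crontab(text):
    """Return flagged jobs as dicts with line number, schedule, command and reasons."""
    flagged = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_crontab_line(line)
        if parsed is None:
            continue
        schedule, command = parsed
        reasons = reasons_for(schedule, command)
        if reasons:
            flagged.append({"line": lineno, "schedule": schedule,
                            "command": command, "reasons": reasons})
    return flagged

# Constructed sample crontab; the miner paths are hypothetical, not NoaBot's real ones.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/bin:/bin
# m h dom mon dow command
0 2 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /usr/local/bin/backup.sh >> /var/log/backup.log 2>&1
@reboot /tmp/.x/run >/dev/null 2>&1
* * * * * /dev/shm/.miner -o pool.example:3333 >/dev/null 2>&1
@hourly cd /home/app && ./manage.sh
"""

if __name__ == "__main__":
    for job in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {job['line']}: {job['schedule']} {job['command']}")
        for r in job["reasons"]:
            print(f"    - {r}")
```

On a live host you would feed it `crontab -l` output for every user plus the files under /etc/cron.d and /etc/crontab (those system files carry an extra user field, which this parser does not model), and treat any hit as a lead to pull the referenced binary for analysis rather than as proof of infection.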

In addition, it uses an obfuscated configuration and a custom mining pool, which conceals the wallet address and makes it hard for investigators to track the campaign's profitability.

Interestingly, Akamai notes that NoaBot is compiled with uClibc rather than the GCC toolchain usually used for Mirai builds. This appears to change how antivirus engines detect the malware: while other Mirai variants are usually detected with a Mirai signature, NoaBot's antivirus signatures show as an SSH scanner or a generic trojan. The malware also comes statically compiled and stripped of any symbols, making reverse engineering it harder.

The P2PInfect Connection

Oddly, there seems to be a link between NoaBot and the P2PInfect worm, a peer-to-peer, self-replicating worm written in Rust that targets Redis servers. What's the point of this? Good question. I wish we had a good answer.

The Akamai security researchers speculate, “The threat actors seem quite tech-savvy, so it could…

Source…

Cryptomining Campaign Unleashes Modified Mirai Botnet


Cryptocurrency Fraud, Endpoint Security, Fraud Management & Cybercrime

Latest Campaign Injects Song Lyrics and Other ‘Immature’ Elements Into Its Code

A quirky Mirai botnet variant is dropping cryptomining malware. (Image: Shutterstock)

A new cryptomining campaign uses a quirkily customized Mirai botnet to spread cryptomining malware designed to hide the digital wallet that collects the ill-gotten gains.


Security researchers at Akamai dubbed the Mirai variation NoaBot and said that it uses a unique SSH scanner but also exhibits an unexpected touch of immaturity.

Mirai is a wormable botnet infamous for targeting Linux-based IoT devices. Numerous versions of Mirai are in the wild because a pseudonymous coder leaked its source code online in 2016, before its three original authors pleaded guilty in 2017.

Akamai researchers first spotted NoaBot in early 2023. They also identified a link between NoaBot and the P2PInfect worm, discovered in July 2023 by Unit 42.

Unlike the original Mirai, NoaBot spreads through the Secure Shell (SSH) protocol rather than Telnet. The SSH scanner "seems to be custom made, and quite peculiar," Akamai wrote. Once it establishes a connection, it sends the string "hi." Establishing and then quickly terminating a connection from an infected system makes sense as a low-profile scan. "Hi" is not a valid SSH packet, so Wireshark marks it as malformed.

“Why does it bother sending ‘hi,’ though? That’s a mystery,” Akamai…
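The scanner behaviour described here and in the first NoaBot excerpt on this page (connect, send "hi", disconnect) is detectable on the wire without any malware signature: RFC 4253 requires the first thing an SSH client sends to be an identification line beginning with "SSH-", so a client whose first bytes on tcp/22 are anything else to many different hosts is a scanner, whatever binary it runs. The code below is an added detection example, not Akamai's; the flow records are constructed and use documentation IP ranges.

```python
"""Flag TCP clients whose first message to port 22 is not an SSH identification string.

Added example (not Akamai's code). RFC 4253 section 4.2 requires the client's
first line to be "SSH-protoversion-softwareversion", so a scanner that connects,
sends "hi" and hangs up never produces one. The flow records below are
constructed for illustration; the IPs are documentation ranges.
"""
import re
from collections import defaultdict

# "SSH-2.0-OpenSSH_9.6\r\n"; SSH-1.99 is the v1/v2 compatibility form.
SSH_IDENT = re.compile(rb"^SSH-(?:1\.99|2\.0)-[^\r\n]{1,253}\r?\n")

def classify_first_payload(payload: bytes) -> str:
    """Classify the first client-to-server bytes: 'ssh', 'empty' or 'non-ssh'."""
    if not payload:
        return "empty"          # bare TCP connect scan, no application data yet
    if SSH_IDENT.match(payload):
        return "ssh"
    return "non-ssh"            # e.g. b"hi": Wireshark would call this malformed

def suspicious_ssh_scanners(flows, min_targets=3):
    """Sources that sent non-SSH first bytes on tcp/22 to at least min_targets distinct hosts.

    flows: iterable of dicts with keys src, dst, dport, first_payload (bytes),
    i.e. one record per TCP connection with the first client payload captured.
    Returns {src: sorted list of targeted dst}.
    """
    targets = defaultdict(set)
    for f in flows:
        if f["dport"] != 22:
            continue
        if classify_first_payload(f["first_payload"]) == "non-ssh":
            targets[f["src"]].add(f["dst"])
    return {src: sorted(d) for src, d in targets.items() if len(d) >= min_targets}

# Constructed sample flows, not real captures.
SAMPLE_FLOWS = [
    {"src": "203.0.113.7", "dst": "192.0.2.10", "dport": 22, "first_payload": b"hi"},
    {"src": "203.0.113.7", "dst": "192.0.2.11", "dport": 22, "first_payload": b"hi"},
    {"src": "203.0.113.7", "dst": "192.0.2.12", "dport": 22, "first_payload": b"hi"},
    {"src": "203.0.113.7", "dst": "192.0.2.13", "dport": 22, "first_payload": b"hi"},
    {"src": "198.51.100.4", "dst": "192.0.2.10", "dport": 22,
     "first_payload": b"SSH-2.0-OpenSSH_9.6\r\n"},          # legitimate client
    {"src": "198.51.100.9", "dst": "192.0.2.10", "dport": 22, "first_payload": b""},
    {"src": "198.51.100.9", "dst": "192.0.2.11", "dport": 22, "first_payload": b""},
    {"src": "198.51.100.9", "dst": "192.0.2.12", "dport": 22, "first_payload": b""},
    {"src": "198.51.100.2", "dst": "192.0.2.10", "dport": 22, "first_payload": b"hi"},
    {"src": "198.51.100.2", "dst": "192.0.2.10", "dport": 80, "first_payload": b"hi"},
]

if __name__ == "__main__":
    for src, dsts in suspicious_ssh_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: non-SSH first bytes to {len(dsts)} hosts on tcp/22")
```

Empty first payloads are deliberately left out of the verdict: plain connect scans are too common to be useful on their own, whereas a client that completes the handshake and then sends something that is not an SSH identification line is doing something no real SSH implementation does.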

Source…

Mirai Botnet Exploits Zero-Day Bugs For DDoS Attacks


InfectedSlurs, a Mirai-based botnet, has been exploiting two zero-day remote code execution (RCE) vulnerabilities. The malware targets routers and network video recorder (NVR) devices, aiming to make them part of its distributed denial of service (DDoS) swarm. Although the botnet was discovered in October 2023, its initial activity is believed to date back to the latter half of 2022. In this blog, we'll dive into how the botnet was discovered, how it functions, and more.


Mirai Botnet Detection Details


The botnet was discovered when Akamai's Security Intelligence Response Team (SIRT) noticed malicious activity against the company's honeypots, directed at a rarely used TCP port. The SIRT also noticed fluctuations in the frequency of the zero-day exploit attempts.

An Akamai analysis of the zero-day vulnerabilities reads, "The activity started out with a small burst, peaking at 20 attempts per day, and then thinned out to an average of two to three per day, with some days completely devoid of attempts." It's worth mentioning that the vulnerable devices that fell prey to the botnet were not identified until November 9, 2023.

Initially the probes were low-frequency: an authentication attempt via an HTTP POST request, followed on success by a command-injection attempt. Researchers also determined that the botnet used default admin credentials to install Mirai variants.

Upon further observation, wireless LAN routers built for hotel and residential use were also found to be targeted by the botnet. Commenting on the RCE flaw being exploited for unauthorized access, Akamai stated: "The SIRT did a quick check for CVEs known to impact this vendor's NVR devices and was surprised to find that we were looking at a new zero-day exploit being actively leveraged in the wild."


InfectedSlurs, JenX, and hailBot


The InfectedSlurs botnet is suspected to be linked to other threats such as JenX and hailBot. The botnet gets its name from the use of racial and offensive language in the command-and-control (C2)…

Source…

InfectedSlurs Botnet Resurrects Mirai With Zero-Days


The Akamai Security Incident Response Team (SIRT) has detected increased activity targeting a rarely used TCP port across its global honeypots. 

The investigation conducted in late October 2023 revealed a specific HTTP exploit path, identifying two zero-day exploits being actively leveraged in the wild. 

The first exploit targeted network video recorders (NVRs) used in CCTV and security camera devices, while the second affected outlet-based wireless LAN routers for hotels and residential applications.

Further analysis found that the NVR devices used default administrative credentials, commonly documented by the manufacturer. The vendor is working on a fix scheduled for release in December 2023. The router vendor is also planning a release for the affected model, withholding details until the patch is ready.

The Akamai SIRT identified the campaign as originating from a Mirai botnet activity cluster, primarily using the older JenX Mirai malware variant. Notably, the command-and-control (C2) domains displayed offensive language and racial epithets. The malware samples associated with the campaign showed similarities with the original Mirai botnet.


The researchers shared indicators of compromise, including Snort and YARA rules, SHA256SUMs of malware samples and C2 domains. The SIRT is collaborating with CISA/US-CERT and JPCERT to notify impacted vendors. 

Mitigation recommendations include checking and changing default credentials on Internet of Things (IoT) devices, isolating vulnerable devices and implementing DDoS security controls.

“Threats such as botnets and ransomware rely on default passwords that are often widely known and easily accessible for propagation,” reads the advisory. “The more difficult it is for a threat to move around, the less chance there is of unauthorized access and potential security breaches.”

The Akamai blog post concludes by emphasizing the importance of honeypots in cybersecurity and the need for organizations to stay informed about emerging threats. The SIRT plans to publish a follow-up blog post with additional details once vendors and CERTs complete the…

Source…