Embedded Linux-based Internet of Things (IoT) devices have become the target of a new botnet called Pumabot.
The botnet written in GO is designed to carry out brute force attacks on SSH instances to expand size and scale and provide additional malware to infected hosts.
“Malware does not scan the internet, but instead retrieves a list of targets from a command and control (C2) server and forces SSH credentials to force them to force them,” Darktrace said in an analysis shared with Hacker News. “When access is obtained, it receives a remote command and establishes persistence using the system services file.”
Botnet malware is designed to obtain initial access by successfully enhancing SSH credentials across a list of harvested IP addresses with open SSH ports. The list of IP addresses to the target is obtained from an external server (“ssh.ddos-cc[.]org “).
As part of a brute force attempt, the malware performs various checks to determine whether the system is appropriate and not a honeypot. Additionally, it shows attempts to check for the presence of the string “Pumatronix”, the manufacturer of surveillance and traffic camera systems, and to specifically single or exclude them.
The malware then collects basic system information and excludes it on the C2 server, then sets persistence and executes commands received from the server.
“Malware is trying to write itself to /lib /redis and disguise itself into a legitimate Redis system file,” says Darktrace. “Next, create a permanent SystemD service in /etc/systemd/system. This is either Redis.Service or MySqi.Service (notes the Capital I spelling) depending on what’s hardcoded in Malware.”
This will give the impression that the malware is benign and will survive the reboot. Two of the commands executed by the botnet are “xmrig” and “networkxm”, indicating that the compromised devices are being used to illegally mine cryptocurrency.
However, the command is invoked without specifying a full path. This is an aspect that indicates that the payload is likely to be downloaded or unpacked elsewhere in the infected host. Darktrace said the campaign’s analysis revealed other related binaries that are said to be deployed as part of a broader campaign.
ddaemon gets the binary “Networkxm” in “/usr/src/bao/networkxm” and the binary “Networkxm” in the shell script “installx.sh “networkxm”. Get another shell script “Jc.sh” from “1.Lusyn”[.]XYZ, “Allow all access levels to read, write, execute, script, and clear bash history JC.sh. Intercept successful logins and write them to a file “/usr/bin/con.txt” 1.
Given that the SSH brute force feature of botnet malware provides worm-like functionality, users need to review the approval_keys file to audit the auditable system on a regular basis, especially the failed attempts of rolgy. X-API-KEY: Jieruidashabi.
“Botnets represent a permanent GO-based SSH threat that leverages compromised systems with automated, credentials and native Linux tools.
“It demonstrates its intention to mimic legal binaries (e.g. Redis), abuse SystemD for persistence, and embed fingerprint logic to avoid detection in honeypots and restricted environments.”
Source link
