Security experts recently announced the discovery of NoaBot, a variant of the Mirai net bot that continues to silently exploit Linux devices.
According to Ars Technica, researchers from Akamai announced a Mirai- based network they named NoaBot that has been targeting Linux devices since at least January of last year. This is a customized version of Mirai, malware that infects Linux-based servers, routers, IP cameras, and Internet of Things devices.
Mirai was caught in 2016 carrying out record-setting distributed denial of service attacks, crippling most important internet services. The malware’s creators soon released the source code, a move that allowed many criminal groups around the world to incorporate Mirai into their attack campaigns. Once it captures the device, Mirai uses it as a platform to infect other devices, designing it to become a worm.
Mirai and its variants spread when infected devices scour the internet for devices that accept Telnet connections. The malware then cracks Telnet passwords by guessing default and commonly used credential pairs. When successful, newly infected devices will target other devices with similar techniques. Mirai is mainly used to perform DDoS and having such a large collection of devices gives this botnet great power.
Instead of targeting weak Telnet passwords, NoaBot targets passwords for SSH connections. Instead of performing a denial of service attack, the new botnet installs a cryptocurrency mining program, helping hackers harvest digital currency by using the victim’s computer, electricity, and bandwidth resources. The cryptocurrency miner is a modified version of XMRig, another open-source malware.
Akamai has been monitoring NoaBot for the past year from a honeypot that mimics Linux devices to monitor various attacks taking place on the internet. The attacks originated from 849 separate IP addresses, most of which were capable of hosting an infected device.
The researcher at Akamai said that on the surface, NoaBot is not a complex campaign, it is just a variant of Mirai and an XMRig cryptocurrency miner. However, the obfuscation added to the malware and additions to the source code paint a completely different picture of the threat actors’ capabilities.
The most advanced capability is how NoaBot installs the XMRig variant. Normally, when installing a cryptocurrency miner, the wallet’s coins will be distributed as specified in the configuration settings sent in the command line to the infected device. This practice has long posed a risk to threat actors because it allows researchers to track where wallets are stored and how much money goes to hackers.
NoaBot uses a new technique for containment, this botnet stores settings in encrypted or obfuscated form and decrypts them only after XMRig is loaded into memory. The botnet then replaces the internal variable – which typically holds command-line configuration settings – and passes control to the XMRig source code.
