New PumaBot Botnet Targets Embedded Linux IoT Devices
Overview of PumaBot
A new botnet named PumaBot is specifically targeting embedded Linux-based Internet of Things (IoT) devices, posing serious risks to their security. Developed in Go, this botnet employs brute-force techniques to compromise SSH instances, expanding its network by deploying additional malware to affected devices.
How PumaBot Operates
Unlike many botnets that scan the internet for vulnerabilities, PumaBot retrieves a list of targets directly from a command-and-control (C2) server. According to a recent analysis by Darktrace, the malware attempts to brute-force SSH credentials rather than relying solely on scanning. Once it gains access to a device, PumaBot allows remote command execution and establishes persistence through system service files.
PumaBot is designed to exploit vulnerabilities in devices with open SSH ports. It specifically targets a curated list of IP addresses sourced from an external server, identified as "ssh.ddos-cc[.]org."
Targeting Traps and Persistence
During its brute-force attacks, PumaBot performs checks to ensure that the target system is not a honeypot. Notably, it looks for the manufacturer Pumatronix, which specializes in surveillance and traffic camera technology. This indicates either a targeted approach or an effort to exclude specific systems from the attack.
Once the malware successfully infiltrates a device, it gathers basic system information and sends it back to the C2 server. To secure its foothold, PumaBot disguises itself as a legitimate Redis system file, placing itself in /lib/redis. It then creates a persistent systemd service (named either redis.service or mysqI.service) within /etc/systemd/system. This setup enables the malware to operate undetected and to survive system reboots.
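The persistence artefacts described above (the /lib/redis payload, the redis.service or mysqI.service unit in /etc/systemd/system, and the con.txt credential drop) lend themselves to a simple host audit. The script below is an added example written for this article, not tooling from Darktrace or from the report; the function name hunt_pumabot_persistence and its ROOT argument are assumptions, chosen so the same check runs against a live system ("/") or a mounted image. Beyond the literal names, it also flags any unit, whatever it is called, whose ExecStart launches /lib/redis.

```shell
#!/bin/sh
# Added example: audit a filesystem tree for the PumaBot persistence paths
# named in the article. ROOT is "/" on a live host or the mount point of an
# image. Prints one FINDING line per hit and always returns 0 so it can be
# piped into grep/wc without tripping "set -e".
hunt_pumabot_persistence() {
    root="${1%/}"
    unitdir="$root/etc/systemd/system"

    # 1. Payload masquerading as a Redis file under /lib/redis
    if [ -e "$root/lib/redis" ]; then
        echo "FINDING: payload path present: $root/lib/redis"
    fi

    # 2. Unit names used by the malware; note the capital I in mysqI.service,
    #    which is how the article spells it (a look-alike of mysql.service)
    for name in redis.service mysqI.service; do
        if [ -f "$unitdir/$name" ]; then
            echo "FINDING: suspicious unit name: $unitdir/$name"
        fi
    done

    # 3. Any unit, regardless of name, whose ExecStart points into /lib/redis
    for unit in "$unitdir"/*.service; do
        [ -f "$unit" ] || continue
        if grep -q '^ExecStart=.*/lib/redis' "$unit"; then
            echo "FINDING: unit launches /lib/redis: $unit"
        fi
    done

    # 4. Credential capture file written by the trojanised pam_unix.so
    if [ -f "$root/usr/bin/con.txt" ]; then
        echo "FINDING: credential capture file: $root/usr/bin/con.txt"
    fi
    return 0
}

# Stand-alone use: ./audit.sh /   or   ./audit.sh /mnt/image
if [ "$#" -gt 0 ]; then
    hunt_pumabot_persistence "$1"
fi
```

A hit on check 3 alone is worth a look even when the unit name is innocuous, since a renamed unit is the cheapest change an operator can make to dodge a name-based rule.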
Cryptocurrency Mining Activities
The botnet’s operations include running commands such as xmrig and networkxm, which strongly suggest that compromised devices are being leveraged for unauthorized cryptocurrency mining. Darktrace’s threat research lead Tara Gould noted that while the botnet’s C2 server was not active during their analysis, the existing references implied a connection to cryptomining activities.
Related Malicious Tools
Darktrace’s examination unveiled various related binaries associated with PumaBot:
- ddaemon: A Go-based backdoor that retrieves and executes the networkxm binary.
- networkxm: This tool mirrors the initial approach of the botnet by acquiring a password list from a C2 server and attempting SSH connections to multiple target IPs.
- installx.sh: A script that fetches another shell script jc.sh, granting it extensive permissions and running it while clearing the shell history.
- jc.sh: This malicious script downloads a file named pam_unix.so meant to replace a legitimate system file and runs another binary named 1 sourced from the same server.
- pam_unix.so: Functions as a rootkit, capturing user credentials from successful logins and storing them in /usr/bin/con.txt.
- 1: Monitors the con.txt file for updates and sends its contents to the C2 server.
Recommendations for Users
Given the sophisticated nature of PumaBot and its capabilities, users must remain vigilant about unusual SSH login activities. Monitoring failed login attempts and conducting routine audits of system services can help detect potential threats. It’s also advised to review authorized_keys files for any unexpected SSH keys. Critical security measures include implementing stringent firewall rules and filtering suspicious HTTP requests containing unusual headers, such as X-API-KEY: jieruidashabi.
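Two of the recommendations above, watching failed SSH logins and reviewing authorized_keys for unexpected entries, can be turned into checks that run on a device or on exported logs. The script below is an added example written for this article, not Darktrace's tooling; every log line, key blob and address in it is constructed sample data, and the function names ssh_bruteforce_sources and unexpected_authorized_keys are my own. The first function counts "Failed password" events per source address in standard sshd log format and reports sources above a threshold; the second prints any authorized_keys entry whose key blob is not on an allowlist you maintain.

```shell
#!/bin/sh
# Added example: SSH brute-force summary and authorized_keys review.
# All input below is constructed for illustration, not a real capture.

# --- constructed sshd log excerpt in auth.log / journald format ---
SAMPLE_AUTH_LOG=$(mktemp)
cat > "$SAMPLE_AUTH_LOG" <<'EOF'
May 28 10:01:02 cam01 sshd[1201]: Failed password for root from 198.51.100.7 port 40211 ssh2
May 28 10:01:04 cam01 sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 40213 ssh2
May 28 10:01:05 cam01 sshd[1205]: Failed password for root from 198.51.100.7 port 40215 ssh2
May 28 10:01:07 cam01 sshd[1207]: Failed password for invalid user pi from 198.51.100.7 port 40217 ssh2
May 28 10:01:08 cam01 sshd[1209]: Failed password for root from 198.51.100.7 port 40219 ssh2
May 28 10:01:09 cam01 sshd[1211]: Failed password for root from 198.51.100.7 port 40221 ssh2
May 28 10:02:11 cam01 sshd[1230]: Failed password for root from 203.0.113.9 port 51000 ssh2
May 28 10:02:13 cam01 sshd[1232]: Failed password for root from 203.0.113.9 port 51002 ssh2
May 28 10:03:00 cam01 sshd[1240]: Accepted publickey for ops from 192.0.2.10 port 60000 ssh2: ED25519 SHA256:constructed
May 28 10:03:30 cam01 sshd[1242]: Connection closed by authenticating user root 203.0.113.9 port 51004 [preauth]
EOF

# Print "count ip" for each source exceeding THRESHOLD failed password
# attempts, highest first. It keys on the token after "from", so both
# "for root from" and "for invalid user admin from" are handled.
ssh_bruteforce_sources() {
    logfile="$1"; threshold="${2:-5}"
    awk -v t="$threshold" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
        }
        END { for (ip in n) if (n[ip] > t) print n[ip], ip }
    ' "$logfile" | sort -rn
}

# --- constructed authorized_keys plus an allowlist of approved key blobs ---
SAMPLE_AUTHORIZED_KEYS=$(mktemp)
SAMPLE_ALLOWLIST=$(mktemp)
cat > "$SAMPLE_AUTHORIZED_KEYS" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEYBLOBONE000000000000000000 ops@admin-host
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEYBLOBTWO000000000000000000 backdoor
EOF
printf 'AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEYBLOBONE000000000000000000\n' > "$SAMPLE_ALLOWLIST"

# Print every authorized_keys entry whose key blob is not on the allowlist.
# The blob is the token after the key-type field, so a leading options field
# (command="...",no-pty ...) does not shift the comparison; a line with no
# key type at all is printed as malformed.
unexpected_authorized_keys() {
    keyfile="$1"; allowlist="$2"
    awk 'NR == FNR { ok[$1] = 1; next }
         /^#/ || NF < 2 { next }
         {
             for (i = 1; i < NF; i++) if ($i ~ /^(ssh-|ecdsa-|sk-)/) break
             blob = $(i + 1)
             if (!(blob in ok)) print
         }' "$allowlist" "$keyfile"
}

# Stand-alone run over the sample data
ssh_bruteforce_sources "$SAMPLE_AUTH_LOG" 3
unexpected_authorized_keys "$SAMPLE_AUTHORIZED_KEYS" "$SAMPLE_ALLOWLIST"
```

On a real device, point ssh_bruteforce_sources at /var/log/auth.log or at the output of journalctl -u ssh, and keep the allowlist outside the device (in configuration management, for instance), since a foothold that can edit authorized_keys can edit a local allowlist just as easily.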
Darktrace has emphasized that PumaBot is a persistent Go-based SSH threat that exploits automation, brute-forcing techniques, and built-in Linux functionalities to gain and maintain control over infected systems. By emulating legitimate binaries and employing fingerprinting strategies to avoid detection in restricted environments, PumaBot showcases a clear intent to evade security measures.