A newly found Go-based Linux botnet malware named PumaBot is brute-forcing SSH credentials on embedded IoT units to deploy malicious payloads.
The focused nature of PumaBot can also be evident by the very fact it targets particular IPs primarily based on lists pulled from a command-and-control (C2) server as an alternative of broader scanning of the web.
Focusing on surveillance cams
Darktrace documented PumaBot in a report offering an summary of the botnet’s assault stream, indicators of compromise (IoCs), and detection guidelines.
The malware receives a listing of goal IPs from its C2 (ssh.ddos-cc.org) and makes an attempt to carry out brute-force login makes an attempt on port 22 for open SSH entry.
Throughout this course of, it checks for the presence of a “Pumatronix” string, which Darktrace believes may correspond to the concentrating on of surveillance and site visitors digital camera methods by the seller.
As soon as the targets have been established, the malware receives credentials to check in opposition to them.
If profitable, it runs ‘uname -a’ to get surroundings info and confirm the focused machine will not be a honeypot.
Subsequent, it writes its essential binary (jierui) to /lib/redis and installs a systemd service (redis.service) to safe persistence throughout machine reboots.
Lastly, it injects its personal SSH into the ‘authorized_keys’ file to take care of entry, even within the case of a cleanup that removes the first an infection.
The place the an infection stays energetic, PumaBot can obtain instructions to try knowledge exfiltration, introduce new payloads, or steal knowledge helpful in lateral motion.
Instance payloads seen by Darktrace embody self-updating scripts, PAM rootkits that exchange the professional ‘pam_unix.so’, and daemons (binary file “1”).
The malicious PAM module harvests native and distant SSH login particulars and shops them in a textual content file (con.txt). The “watcher” binary (1) always seems for that textual content file after which exfiltrates it to the C2.
Supply: Darktrace
After the exfiltration, the textual content file is wiped from the contaminated host to delete any traces of the malicious exercise.
The dimensions and success of PumaBot are at the moment unknown, and Darktrace doesn’t point out how in depth the goal IP lists are.
This new botnet malware stands out for launching focused assaults that would open the best way to deeper company community infiltration as an alternative of utilizing the contaminated IoTs straight for lower-grade cybercrime, comparable to distributed denial of service (DoS) assaults or proxying networks.
To defend in opposition to botnet threats, improve IoTs to the most recent accessible firmware model, change default credentials, put them behind firewalls, and maintain them in separate networks remoted from priceless methods.
Primarily based on an evaluation of 14M malicious actions, uncover the highest 10 MITRE ATT&CK strategies behind 93% of assaults and the best way to defend in opposition to them.
