New Linux Malware Blends Mirai-Based DDoS Botnet with Fileless Cryptomining for Stealthy Attacks
Security researchers have identified a Linux malware campaign that combines Mirai-derived Distributed Denial-of-Service (DDoS) botnet capabilities with an XMRig cryptominer whose configuration is delivered at runtime rather than stored on disk. Cyble Research Intelligence Labs tracks the hybrid as V3G4. It is notable because a single implant targets both Internet of Things (IoT) devices and Linux cloud hosts and monetises them in two ways at once.
Multi-Stage Infection Chain
The V3G4 malware uses a multi-stage infection process designed to compromise Linux servers and IoT devices across several CPU architectures, including x86_64, ARM64, ARM7, ARM5, MIPS, and MIPSEL.
The attack begins with a compact shell script the researchers call the Universal Bot Downloader. The script reads the victim's CPU architecture from `uname -m`, builds a download URL for the matching bot binary on an attacker-controlled server, writes the payload under `/tmp`, marks it executable with `chmod`, and runs it immediately. This is the same drop-and-run pattern used by traditional IoT botnets, which value speed of infection and broad architecture coverage over subtlety. It also exposes the chain's weak point: a `/tmp` mounted `noexec`, or an alert on any `execve` of a file under `/tmp`, stops the bot before it starts.
Stealth and Persistence Mechanisms
Once executed, the UPX-packed and stripped binary performs environment reconnaissance, reading kernel details and process limits to set its operating parameters. It prints the signature banner `xXxSlicexXxxVEGA` to stdout, matching the behaviour of V3G4-Mirai strains previously observed in cloud infections.
To evade detection, the bot renames itself to the legitimate `systemd-logind` daemon with the `prctl(PR_SET_NAME)` system call. That call rewrites the name shown in `/proc/<pid>/comm`, `ps`, and `top`, but it cannot change the `/proc/<pid>/exe` link, which still points at the binary in `/tmp`; the mismatch between the two is the tell. The bot then closes its standard I/O streams and calls `setsid` to detach from the controlling terminal, so it survives the parent shell's exit and no longer appears tied to any login session.
Command-and-Control Infrastructure
The malware's command-and-control (C2) setup combines raw TCP socket scanning with DNS-based resilience. Multiple worker threads spray SYN packets at port 22 across the internet to find hosts with SSH exposed; live responders are then fed to the SSH brute-force routine, which is how the bot propagates to new victims.
Concurrently, the bot issues multi-threaded DNS queries directly to Google's public resolver (8.8.8.8) to resolve the C2 domain `baojunwakuang.asia`, which maps to `159.75.47.123`. The domain serves both botnet commands and miner configuration over non-standard ports such as 60194. Because the resolver is hardcoded, the lookups never pass through the site's own DNS server, so internal resolver logs will not show the domain; catching it requires egress monitoring of outbound port 53 traffic to external resolvers, or blocking that traffic outright.
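The three network behaviours above (SYN fan-out on tcp/22, resolution of the C2 domain via an external resolver, and connections to the C2 address on a non-standard port) can each be hunted from flow and DNS logs. The following is an added example for this article, not code from the report or from the malware; the log format, the internal resolver address `10.0.0.53`, and the spray thresholds are assumptions, and the sample log lines are constructed.

```python
"""Network-side hunt for the V3G4 C2 behaviour described above.

Added example, not code from the report or the malware. Assumed log format
(constructed for this example), one event per line:
  flow,<ts>,<src>,<dst>,<dport>,<tcp_flags>
  dns,<ts>,<src>,<resolver>,<qname>,<answer>
Indicators are the ones quoted in the text; the internal resolver address
and the spray thresholds are assumptions to tune per environment.
"""
from collections import defaultdict

C2_DOMAIN = "baojunwakuang.asia"
C2_IP = "159.75.47.123"
INTERNAL_RESOLVER = "10.0.0.53"   # assumption: the only sanctioned resolver
SYN_SPRAY_MIN_TARGETS = 20        # assumption: distinct tcp/22 targets ...
SYN_SPRAY_WINDOW = 10             # ... within this many seconds


def parse(lines):
    """Turn log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in lines:
        parts = line.strip().split(",")
        if parts[0] == "flow" and len(parts) == 6:
            events.append({"kind": "flow", "ts": int(parts[1]), "src": parts[2],
                           "dst": parts[3], "dport": int(parts[4]), "flags": parts[5]})
        elif parts[0] == "dns" and len(parts) == 6:
            events.append({"kind": "dns", "ts": int(parts[1]), "src": parts[2],
                           "resolver": parts[3], "qname": parts[4].rstrip(".").lower(),
                           "answer": parts[5]})
    return events


def syn_spray_sources(events):
    """Sources sending bare SYNs to tcp/22 on many distinct hosts within a short window.

    Returns {src: distinct_target_count} for every source over the threshold.
    """
    by_src = defaultdict(list)
    for ev in events:
        if ev["kind"] == "flow" and ev["dport"] == 22 and ev["flags"] == "S":
            by_src[ev["src"]].append((ev["ts"], ev["dst"]))
    hits = {}
    for src, probes in by_src.items():
        probes.sort()
        for i, (t0, _) in enumerate(probes):
            targets = {dst for ts, dst in probes[i:] if ts - t0 <= SYN_SPRAY_WINDOW}
            if len(targets) >= SYN_SPRAY_MIN_TARGETS:
                hits[src] = len(targets)
                break
    return hits


def detect(events):
    """Return (host, reason) findings for each indicator in the write-up."""
    findings = []
    for src, n in syn_spray_sources(events).items():
        findings.append((src, f"SYN spray: {n} distinct tcp/22 targets within {SYN_SPRAY_WINDOW}s"))
    for ev in events:
        if ev["kind"] == "dns":
            if ev["qname"] == C2_DOMAIN or ev["qname"].endswith("." + C2_DOMAIN) or ev["answer"] == C2_IP:
                findings.append((ev["src"], f"resolved C2 domain {ev['qname']} -> {ev['answer']} via {ev['resolver']}"))
            if ev["resolver"] != INTERNAL_RESOLVER:
                # The hardcoded 8.8.8.8 lookups never reach the internal resolver's logs.
                findings.append((ev["src"], f"DNS sent straight to {ev['resolver']}, bypassing {INTERNAL_RESOLVER}"))
        elif ev["dst"] == C2_IP:
            findings.append((ev["src"], f"connection to C2 {C2_IP}:{ev['dport']}"))
    return findings


# Constructed sample: one infected host (192.0.2.10) and one clean host (192.0.2.20).
SAMPLE_LOG = (
    [f"flow,{100 + i // 5},192.0.2.10,198.51.100.{i},22,S" for i in range(1, 26)]
    + ["dns,106,192.0.2.10,8.8.8.8,baojunwakuang.asia,159.75.47.123",
       "flow,107,192.0.2.10,159.75.47.123,60194,S",
       "dns,50,192.0.2.20,10.0.0.53,example.com,93.184.216.34",
       "flow,51,192.0.2.20,203.0.113.5,443,S",
       "flow,52,192.0.2.20,203.0.113.9,22,S"]
)

if __name__ == "__main__":
    for host, reason in detect(parse(SAMPLE_LOG)):
        print(f"{host}: {reason}")
```

The spray check counts distinct destinations rather than packets, so a legitimate admin host opening many SSH sessions to the same few servers stays below the threshold, while a scanner sweeping a /24 trips it in one window.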
Fileless Cryptomining Component
The third-stage payload deploys a covert XMRig-based Monero miner, and this is where the campaign's emphasis on detection evasion shows most clearly. Instead of embedding a static configuration file, the malware fetches its mining parameters from the C2 server at runtime: the loader requests configuration over TCP and receives a JSON blob containing wallet addresses, pool URLs, and algorithm settings, so no config file is ever written to disk and nothing ties the binary to a wallet until it runs. "Fileless" applies to that configuration, not to the miner itself, which is dropped as `/tmp/.dbus-daemon` (a leading dot hides it from a plain `ls`, and the name mimics the real D-Bus daemon). That path is therefore a hard artifact worth checking for, even though the wallet and pool details are not.
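Both the `systemd-logind` masquerade and the `/tmp/.dbus-daemon` loader leave the same host-side trace: a process whose `comm` claims a system daemon while its `exe` link resolves somewhere a daemon never runs from. The following hunting script is an added example for this article, not code from the report or the malware; the expected daemon paths assume a Debian/Ubuntu-style layout, and the sample process records (PIDs and the `/tmp/x86_64` name) are constructed. Run it with `--live` to walk the real `/proc` instead of the sample.

```python
"""Host-side hunt for the process masquerade and /tmp loader tradecraft described above.

Added example, not code from the report or the malware. Sample records are
constructed to mimic /proc/<pid>/comm and readlink("/proc/<pid>/exe"); pass
--live to walk the real /proc (root is needed to read exe for other users'
processes). Expected daemon paths assume a Debian/Ubuntu-style layout.
"""
import os
import sys

# comm values the bot is reported to borrow -> where the real daemon lives.
EXPECTED_EXE = {
    "systemd-logind": {"/lib/systemd/systemd-logind", "/usr/lib/systemd/systemd-logind"},
    "dbus-daemon": {"/usr/bin/dbus-daemon"},
}
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")   # no legitimate daemon runs from here


def classify(comm, exe):
    """Return the reasons a process looks like the bot (empty list if clean).

    prctl(PR_SET_NAME) rewrites comm, which is what ps/top display; it cannot
    change the exe link, so a mismatch between the two is the tell.
    """
    deleted = exe.endswith(" (deleted)")          # kernel marks unlinked binaries this way
    path = exe[:-len(" (deleted)")] if deleted else exe
    claimed = comm.lstrip(".")                    # "/tmp/.dbus-daemon" shows up as ".dbus-daemon"
    reasons = []
    if claimed in EXPECTED_EXE and path not in EXPECTED_EXE[claimed]:
        reasons.append(f"comm '{comm}' but exe is {exe}")
    if path.startswith(SCRATCH_DIRS):
        reasons.append(f"executing from scratch directory {path}")
    if deleted:
        reasons.append("binary unlinked after exec")
    if os.path.basename(path).startswith("."):
        reasons.append("hidden dotfile executable")
    return reasons


def scan(records):
    """records: iterable of (pid, comm, exe). Returns {pid: reasons} for flagged processes only."""
    return {pid: r for pid, comm, exe in records if (r := classify(comm, exe))}


def read_proc():
    """Build (pid, comm, exe) records from the live /proc."""
    records = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm") as f:
                comm = f.read().strip()
            exe = os.readlink(f"/proc/{entry}/exe")
        except OSError:        # kernel threads have no exe; other users' processes need root
            continue
        records.append((int(entry), comm, exe))
    return records


# Constructed sample; PIDs and the /tmp/x86_64 name are invented for the example.
SAMPLE = [
    (1234, "systemd-logind", "/lib/systemd/systemd-logind"),   # real daemon
    (4120, "systemd-logind", "/tmp/x86_64 (deleted)"),         # bot after prctl rename
    (4133, ".dbus-daemon", "/tmp/.dbus-daemon"),               # miner loader
    (2210, "dbus-daemon", "/usr/bin/dbus-daemon"),             # real daemon
    (3001, "sshd", "/usr/sbin/sshd"),
]

if __name__ == "__main__":
    records = read_proc() if "--live" in sys.argv else SAMPLE
    for pid, reasons in scan(records).items():
        print(pid, "; ".join(reasons))
```

The `(deleted)` check matters because a loader that unlinks its own binary after `execve` leaves nothing for a file scan to find; the running process's `exe` link is then the only remaining artifact, and `/proc/<pid>/exe` can still be copied out for analysis while the process lives.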
Implications and Recommendations
This hybrid approach enables threat actors to maximize financial returns by leveraging infected devices for dual purposes simultaneously: conducting DDoS attacks and mining cryptocurrency. The combination of these functionalities within a single malware strain underscores the evolving complexity of cyber threats targeting Linux-based systems.
The campaign's own tradecraft dictates the controls. Its only propagation path is SSH password guessing, so disabling password authentication on port 22, requiring keys, and rate-limiting failed logins removes the foothold; exposed SSH on IoT devices should be closed or placed behind a VPN. Mounting `/tmp` with `noexec` and alerting on any execution from `/tmp`, `/var/tmp`, or `/dev/shm` breaks the downloader. Because the bot resolves its C2 domain directly through 8.8.8.8, blocking outbound port 53 to anything but the organisation's own resolvers both cuts the C2 lookup and makes the attempt visible in firewall logs, where `baojunwakuang.asia`, `159.75.47.123`, and port 60194 are the indicators to watch. On the host, an EDR or a periodic scan should compare each process's `/proc/<pid>/comm` with its `/proc/<pid>/exe`, flag anything named `systemd-logind` or `dbus-daemon` that is not running from its packaged path, and look for hidden executables such as `/tmp/.dbus-daemon`. Sustained CPU load on an otherwise idle device remains the simplest sign that the miner is running.