Emergence of PumaBot: A New Botnet Targeting Linux IoT Devices for SSH Credential Theft and Cryptomining

A newly identified botnet, dubbed PumaBot, is actively targeting Linux-based Internet of Things (IoT) devices. The malware, written in Go, brute-forces SSH to get onto a device, installs a trojanized PAM module to harvest the SSH credentials of anyone who logs in afterwards, and uses the device's CPU to mine cryptocurrency.

Infection Mechanism

PumaBot initiates its attack by retrieving a list of target IP addresses with open SSH ports from a command-and-control (C2) server. Rather than scanning the internet indiscriminately as many botnets do, it works from this curated list, which keeps its scanning footprint small and its hit rate high. It then brute-forces the SSH services on those addresses, cycling through username and password combinations until one is accepted.

Once access is obtained, the malware conducts checks to ensure the system is not a honeypot—a decoy system set up to detect cyberattacks. Notably, it searches for the string Pumatronix, associated with a manufacturer of surveillance and traffic camera systems. This behavior suggests a possible intent to either specifically target or avoid these devices.

Establishing Persistence

After confirming the system's suitability, PumaBot collects basic system information and sends it to the C2 server. For persistence it copies itself to /lib/redis, a path chosen so that the binary passes as a legitimate Redis system file, and creates a systemd unit in /etc/systemd/system named either redis.service or mysqI.service (capital 'I' in place of the 'l' of mysql), depending on its configuration. The unit relaunches the malware after every reboot, and the look-alike name is meant to survive a casual glance at the service list.

Malicious Activities

PumaBot’s primary functions include:

1. Cryptocurrency Mining: The malware runs xmrig, a Monero miner, using the compromised device's CPU for unauthorized mining. The networkxm command it also launches is the SSH brute-force component described below, not a miner.

2. Credential Theft and Propagation: It drops additional binaries and scripts that extend its reach:

– ddaemon: A Go-based backdoor that retrieves and executes further malicious components.

– networkxm: An SSH brute-force tool that fetches password lists from the C2 server and attempts to connect to other devices, facilitating the botnet’s expansion.

– installx.sh and jc.sh: Shell scripts that download and execute further malicious files, including a trojanized pam_unix.so.

– pam_unix.so: A trojanized replacement for the legitimate PAM authentication module. Because pam_unix performs the password check for sshd and login, the malicious copy sees every plaintext password that authenticates successfully and appends it to /usr/bin/con.txt.

– 1: A binary, named simply 1, that watches con.txt and exfiltrates its contents to the C2 server.
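The following script is an added example, not PumaBot's code or any vendor's tooling, for hunting the persistence artifacts (the /lib/redis binary and the redis.service / mysqI.service units) and the credential-theft artifacts (the trojanized pam_unix.so and /usr/bin/con.txt) described above. It takes a filesystem root so it can be run against a mounted image or a constructed test tree. The PAM module locations it searches and the homoglyph table are assumptions about common distro layouts and look-alike names; the last check relies on the reported fact that the trojanized module writes to con.txt, which a packaged pam_unix.so has no reason to mention.

```python
"""Hunt for the PumaBot host artifacts on a Linux filesystem (added example)."""
import json
import re
import sys
from pathlib import Path

# Artifacts named in the write-up.
REPORTED_UNIT_NAMES = {"redis.service", "mysqI.service"}   # capital I in mysqI
REPORTED_PATHS = ["lib/redis", "usr/bin/con.txt"]          # relative to the filesystem root
CREDENTIAL_LOG = b"con.txt"   # a module that writes this file has to carry its name

# Assumption: characters commonly used to fake a letter in a service name.
HOMOGLYPHS = str.maketrans({"I": "l", "1": "l"})
LEGIT_SERVICES = {"redis", "redis-server", "mysql", "mysqld", "mariadb"}

# Assumption: where pam_unix.so lives on Debian/Ubuntu (multiarch) and RHEL-style systems.
PAM_MODULE_GLOBS = ["lib/*/security/pam_unix.so", "lib/security/pam_unix.so",
                    "lib64/security/pam_unix.so", "usr/lib*/security/pam_unix.so"]

EXEC_RE = re.compile(r"^\s*ExecStart\s*=\s*-?@?(\S+)", re.M)


def check_units(root):
    """Flag units in /etc/systemd/system by ExecStart target, look-alike name, or reported name."""
    findings = []
    unit_dir = Path(root, "etc/systemd/system")
    if not unit_dir.is_dir():
        return findings
    for unit in sorted(unit_dir.glob("*.service")):
        if not unit.is_file():           # masked units and dangling symlinks
            continue
        base = unit.name[:-len(".service")]
        m = EXEC_RE.search(unit.read_text(errors="replace"))
        exe = m.group(1) if m else ""
        reasons = []
        if exe.lstrip("/") in REPORTED_PATHS:
            reasons.append(f"ExecStart runs reported path {exe}")
        if base not in LEGIT_SERVICES and base.translate(HOMOGLYPHS) in LEGIT_SERVICES:
            reasons.append("unit name is a homoglyph of a legitimate service")
        if not reasons and unit.name in REPORTED_UNIT_NAMES:
            # A real Redis install uses this name too; the ExecStart target decides.
            reasons.append(f"reported unit name; confirm {exe or '(no ExecStart)'} is a packaged binary")
        if reasons:
            findings.append((unit.name, "; ".join(reasons)))
    return findings


def check_paths(root):
    """Report the dropped binary and the credential log if either exists."""
    return [p for p in REPORTED_PATHS if Path(root, p).exists()]


def check_pam(root):
    """Flag pam_unix.so copies that embed the credential-log filename."""
    flagged = []
    for pattern in PAM_MODULE_GLOBS:
        for mod in Path(root).glob(pattern):
            if mod.is_file() and CREDENTIAL_LOG in mod.read_bytes():
                flagged.append(str(mod))
    return flagged


def hunt(root="/"):
    """Run every check; empty lists mean nothing was found."""
    return {"units": check_units(root), "paths": check_paths(root), "pam": check_pam(root)}


if __name__ == "__main__":
    print(json.dumps(hunt(sys.argv[1] if len(sys.argv) > 1 else "/"), indent=2))
```

A hit on the PAM check is a strong indicator on its own, but the authoritative test is the package manager's own checksum verification (for example dpkg --verify libpam-modules or rpm -V pam), which this script does not replace.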

Implications and Recommendations

The emergence of PumaBot underscores the evolving threats targeting IoT devices. Its worm-like propagation, driven by C2-supplied target lists and the networkxm brute-force component, lets every compromised device become a launch point for the next round of attacks, and the credentials harvested through pam_unix.so give it working logins that no brute force is needed to obtain.

To mitigate the risk of infection:

– Change Default Credentials: Immediately replace default usernames and passwords with strong, unique combinations. Where the device allows it, go further and disable SSH password authentication in favour of keys, which removes the brute-force entry point altogether.

– Regular Firmware Updates: Keep device firmware up to date to patch known vulnerabilities.

– Network Segmentation: Isolate IoT devices from critical systems to limit potential damage.

– Monitor SSH Activity: Regularly audit SSH logs for bursts of failed password attempts from a single source and, in particular, for a successful password login that follows such a burst. On a suspect host, also check /etc/systemd/system for redis.service or mysqI.service, look for /lib/redis and /usr/bin/con.txt, and verify pam_unix.so against the package manager's checksums (dpkg --verify or rpm -V).

– Implement Intrusion Detection Systems (IDS): Deploy IDS to detect and respond to suspicious activities promptly.
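As an added example for the "Monitor SSH Activity" item (it is not code from this write-up or from any product), the detector below flags the two patterns PumaBot leaves in sshd's syslog output: a burst of failed password attempts from one source, and a password login accepted from a source that had already failed, which is what a successful brute force looks like. The log lines are constructed, not captured from an infection, and the threshold and window are assumptions to tune per environment.

```python
"""Detect SSH brute forcing and the login that follows it in auth.log (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH's syslog lines for password and key authentication results.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<event>Failed password|Accepted password|Accepted publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

FAIL_THRESHOLD = 5      # assumed: failures from one source inside the window that count as brute forcing
WINDOW_SECONDS = 300    # assumed: sliding window length


def analyze(lines, fail_threshold=FAIL_THRESHOLD, window=WINDOW_SECONDS):
    """Return (ip, verdict, detail) tuples: 'bruteforce' once per source that crosses
    the threshold, and 'compromise' for each password login accepted from a source
    that has failed before."""
    recent = defaultdict(deque)     # ip -> timestamps of failures inside the window
    failures = defaultdict(int)     # ip -> total failures seen so far
    already_flagged = set()
    alerts = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue    # "Invalid user" and disconnect lines are skipped; counting them would double-count
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")   # syslog omits the year (a Dec/Jan wrap is not handled)
        ip, user, event = m["ip"], m["user"], m["event"]
        if event == "Failed password":
            q = recent[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window:
                q.popleft()
            failures[ip] += 1
            if len(q) >= fail_threshold and ip not in already_flagged:
                already_flagged.add(ip)
                alerts.append((ip, "bruteforce", f"{len(q)} failed passwords within {window}s"))
        elif event == "Accepted password" and failures[ip]:
            alerts.append((ip, "compromise", f"password accepted for {user} after {failures[ip]} failures"))
        # "Accepted publickey" is left alone: key logins are the baseline these devices should be on.
    return alerts


# Constructed sample: a PumaBot-style run from 203.0.113.5 and a legitimate user on 192.0.2.10.
SAMPLE_LOG = """\
May 28 10:15:01 cam01 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 41234 ssh2
May 28 10:15:03 cam01 sshd[1202]: Failed password for invalid user pi from 203.0.113.5 port 41236 ssh2
May 28 10:15:05 cam01 sshd[1203]: Failed password for root from 203.0.113.5 port 41238 ssh2
May 28 10:15:08 cam01 sshd[1204]: Failed password for root from 203.0.113.5 port 41240 ssh2
May 28 10:15:10 cam01 sshd[1205]: Failed password for root from 203.0.113.5 port 41242 ssh2
May 28 10:15:12 cam01 sshd[1206]: Accepted password for root from 203.0.113.5 port 41244 ssh2
May 28 10:20:00 cam01 sshd[1210]: Failed password for alice from 192.0.2.10 port 50000 ssh2
May 28 10:20:30 cam01 sshd[1211]: Accepted publickey for alice from 192.0.2.10 port 50002 ssh2
"""

if __name__ == "__main__":
    for ip, verdict, detail in analyze(SAMPLE_LOG.splitlines()):
        print(f"{verdict:11s} {ip:15s} {detail}")
```

The "compromise" verdict is the one worth paging on: a brute-force burst against an internet-facing device is background noise, but a password accepted from the same source means the next step is the artifact hunt described above.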

By adopting these proactive measures, individuals and organizations can enhance their defenses against sophisticated botnets like PumaBot.