Emerging Linux Malware Fuses Mirai-Based DDoS Botnet with Fileless Cryptomining
Security researchers have identified a sophisticated Linux malware campaign that integrates Mirai-derived Distributed Denial-of-Service (DDoS) botnet capabilities with a stealthy, fileless cryptominer. This hybrid threat, named V3G4 by Cyble Research Intelligence Labs, signifies a notable advancement in attacks targeting Internet of Things (IoT) devices and cloud infrastructures.
Multi-Stage Infection Process
The V3G4 malware employs a multi-stage infection chain to compromise Linux servers and IoT devices across various architectures, including x86_64, ARM64, ARM7, ARM5, MIPS, and MIPSEL. The attack initiates with a compact shell script known as the Universal Bot Downloader. This script determines the victim system’s CPU architecture using the `uname -m` command. Based on the detected architecture, it constructs a tailored download URL to fetch the appropriate bot binary from an attacker-controlled server. The payload is then written to the `/tmp` directory, assigned executable permissions via `chmod`, and executed immediately.
Stealth and Persistence Mechanisms
Once executed, the UPX-packed and stripped binary gathers system information through environment reconnaissance, checking kernel details and process limits to determine operational parameters. The malware prints a signature banner `xXxSlicexXxxVEGA` to stdout, aligning with behavioral patterns of V3G4-Mirai strains previously observed in cloud infections. To evade detection, the bot attempts to masquerade as the legitimate `systemd-logind` daemon using `prctl` system calls, closes standard I/O streams, and detaches from the controlling terminal using `setsid`, effectively eliminating visible process tracking.
Command-and-Control Infrastructure
The malware establishes a sophisticated command-and-control (C2) infrastructure combining raw TCP socket scanning with DNS-based resilience. Multiple worker threads simultaneously perform high-velocity SYN packet spraying on port 22 across the internet, enabling rapid SSH brute-force propagation to new victims. Concurrently, the bot performs multi-threaded DNS queries against Google’s public DNS server (8.8.8.8) to resolve the C2 domain `baojunwakuang.asia`, which maps to `159.75.47.123` and serves both botnet commands and miner configuration through non-standard ports like 60194 for enhanced stealth.
Fileless Cryptomining Component
The third-stage payload deploys a covert XMRig-based Monero miner that exemplifies the campaign’s focus on detection evasion. Rather than embedding static configuration files, the malware fetches mining parameters dynamically from the C2 server at runtime. The loader disguises the miner as `/tmp/.dbus-daemon` to blend with legitimate processes and requests configuration data via TCP, receiving a JSON blob containing wallet addresses, pool URLs, and algorithm settings without creating on-disk artifacts.
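As an added defender-side example (not code from the report or from Cyble), the following Python flags the two disguises described here and in the stealth section above: a process whose `/proc/<pid>/comm` reads `systemd-logind` or `dbus-daemon` while its `/proc/<pid>/exe` points outside the directory where the genuine binary lives, and any binary running from `/tmp` or carrying a leading-dot name. The legitimate-binary paths are assumed typical distro locations, and the sample process records are constructed.

```python
import os
from dataclasses import dataclass
# Names the report says the bot adopts (renamed via prctl(PR_SET_NAME), or the
# miner dropped as /tmp/.dbus-daemon) -> assumed home of the genuine binary.
IMPERSONATED = {"systemd-logind": ("/usr/lib/systemd/", "/lib/systemd/"),
                "dbus-daemon": ("/usr/bin/", "/bin/")}
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")

@dataclass(frozen=True)
class Proc:
    pid: int
    comm: str   # /proc/<pid>/comm, the name prctl(PR_SET_NAME) rewrites
    exe: str    # target of /proc/<pid>/exe, which prctl cannot change

def suspicious(p: Proc) -> list[str]:
    """Reasons a process matches the report's indicators (empty list if clean)."""
    reasons = []
    legit_dirs = IMPERSONATED.get(p.comm.lstrip("."))  # ".dbus-daemon" -> "dbus-daemon"
    if legit_dirs and not p.exe.startswith(legit_dirs):
        reasons.append(f"comm '{p.comm}' but exe {p.exe} is outside {legit_dirs}")
    if p.exe.startswith(WORLD_WRITABLE):
        reasons.append(f"binary runs from a world-writable directory: {p.exe}")
    if os.path.basename(p.exe).startswith("."):
        reasons.append(f"hidden dot-prefixed binary: {p.exe}")
    return reasons

def scan_proc(proc_root: str = "/proc") -> dict[int, list[str]]:
    """Walk a live /proc tree; entries that vanish or are unreadable are skipped."""
    findings = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(f"{proc_root}/{entry}/comm") as f:
                comm = f.read().strip()
            exe = os.readlink(f"{proc_root}/{entry}/exe")
        except OSError:
            continue
        reasons = suspicious(Proc(int(entry), comm, exe))
        if reasons:
            findings[int(entry)] = reasons
    return findings

# Constructed sample records (not captured from a real host) mirroring the report.
SAMPLE = [
    Proc(612, "systemd-logind", "/usr/lib/systemd/systemd-logind"),  # genuine
    Proc(4123, "systemd-logind", "/tmp/x86_64"),                      # renamed bot binary
    Proc(4201, ".dbus-daemon", "/tmp/.dbus-daemon"),                  # disguised miner
    Proc(980, "dbus-daemon", "/usr/bin/dbus-daemon"),                 # genuine
]
```

Running `scan_proc()` as root on a live host applies the same checks to every process; `suspicious()` over `SAMPLE` shows the expected hits offline.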
Implications and Recommendations
This hybrid approach enables threat actors to maximize financial returns by leveraging infected devices for dual purposes simultaneously, creating a resilient revenue stream that continues evolving with new techniques, attack vectors, and evasion methods. The integration of DDoS capabilities with fileless cryptomining presents a significant challenge for cybersecurity defenses, as it combines the disruptive potential of DDoS attacks with the stealth and persistence of fileless malware.
Organizations are advised to implement robust security measures, including regular system updates, strong authentication mechanisms, network segmentation, and continuous monitoring for unusual activities. Employing intrusion detection and prevention systems (IDPS) can help identify and mitigate such sophisticated threats. Additionally, educating staff about the risks associated with IoT devices and ensuring proper configuration and security practices can reduce the attack surface for such malware campaigns.