In the ever-evolving world of cybersecurity threats, a new menace has emerged targeting Linux servers. The NoaBot, a botnet based on the infamous Mirai malware, has been repurposed to exploit weak SSH credentials and install cryptomining software. This advanced threat has already impacted thousands of systems worldwide, with a significant concentration of infected IP addresses in China.
The Rise of NoaBot
The NoaBot campaign, active since early 2023, represents a shift in the use of Mirai, which initially focused on Distributed Denial of Service (DDoS) attacks. Researchers from Akamai have been diligently monitoring this new threat, which employs a more stealthy approach to gain control of servers and leverage their computing power to mine cryptocurrency. Unlike its predecessor that exploited Telnet vulnerabilities, NoaBot uses a brute force SSH scanner to infiltrate servers.
Stiv Kupchik, a security researcher at Akamai, noted, “The malware’s method of lateral movement is via plain old SSH credentials dictionary attacks.” He further emphasized the importance of strong passwords and limited SSH access to enhance network security.
NoaBot’s technical sophistication lies in its ability to obfuscate and encrypt its configuration, making it challenging for researchers to analyze and track. The malware avoids using command line configurations, which are commonly used indicators of compromise (IOCs). Instead, it uses encrypted configurations that are decrypted only when loaded into memory. This level of obfuscation indicates a higher degree of technical capability among the threat actors.
The botnet deploys a modified version of XMRig, a popular open-source cryptominer, to mine Monero (XMR) cryptocurrency. The mining pool and wallet address details are hidden within the malware’s encrypted configuration, suggesting that the attackers may be operating their own private mining pool.
Global Impact and Prevention
With over 849 victim IP addresses identified, the spread of NoaBot has raised alarms across the cybersecurity community. The spreader module of NoaBot uses an SSH scanner to brute-force servers, adding an SSH public key for remote access, as reported by The Hacker News. NoaBot’s compilation with uClibc affects how antivirus engines detect it, often misidentifying it as a generic trojan or an SSH scanner.
To mitigate the risks posed by NoaBot, Akamai recommends restricting SSH access and using strong passwords. Additionally, they suggest creating firewall signatures to detect the presence of NoaBot’s signature “hi” message used by its SSH scanner. Akamai has published indicators of compromise and YARA detection signatures on GitHub to aid in the detection and prevention of NoaBot infections.
P2PInfect: NoaBot’s Companion Threat
Interestingly, the same group behind NoaBot is believed to be using a custom version of P2PInfect, a worm that exploits Redis instances and includes an SSH scanner. This worm targets Internet of Things (IoT) devices and has been discussed in-depth by CSO Online and Palo Alto Networks.
The Broader Context
The emergence of NoaBot is a stark reminder of the persistent threat landscape in cyberspace. As hacker groups continue to evolve their tactics, the importance of robust cybersecurity measures cannot be overstated. The case of NoaBot highlights the need for ongoing vigilance and adaptability in the face of sophisticated cyber threats.
In the world of Linux devices, the appearance of NoaBot is a significant development. With a lineage tracing back to the Mirai botnet, which made headlines in 2016 for its massive DDoS attacks, NoaBot represents the latest chapter in the story of malware evolution. As Linux servers continue to be a critical part of the internet’s infrastructure, protecting them from threats like NoaBot is paramount for maintaining the security and integrity of online systems.
“On the surface, NoaBot isn’t a very sophisticated campaign—it’s ‘just’ a Mirai variant and an XMRig cryptominer, and they’re a dime a dozen nowadays. However, the obfuscations added to the malware and the additions to the original source code paint a vastly different picture of the threat actors’ capabilities,” said Akamai Senior Security Researcher Stiv Kupchik in an Ars Technica article.
As the cybersecurity community continues to grapple with the rise of NoaBot, the collaboration between researchers and law enforcement agencies remains crucial in thwarting the efforts of cybercriminals. The arrest of a senior member of the hacker group OPERA1ER by Interpol, as reported by CSO Online, is a testament to the effectiveness of such collaborations. The fight against cybercrime is ongoing, and every victory, such as the apprehension of a significant cybercriminal, bolsters the security of the digital world.