A new botnet has been slowly growing over the past year by brute-forcing SSH logins and deploying cryptomining malware on Linux servers. The main bot client is based on the old Mirai worm whose source code has been available for years, but researchers have also seen the same group use the more modern P2PInfect worm that exploits Redis instances.
Based on telemetry data from Akamai’s honeypots, the botnet’s beginnings go back to January 2023, but the botnet has grown since then peaking in size last month. Akamai has recorded over 800 unique IP addresses from around the world that showed signs of NoaBot infections with 10% of them based in China.
“The malwareâs method of lateral movement is via plain old SSH credentials dictionary attacks,” the Akamai researchers said in a new report. “Restricting arbitrary internet SSH access to your network greatly diminishes the risks of infection. In addition, using strong (not default or randomly generated) passwords also makes your network more secure, as the malware uses a basic list of guessable passwords.”
Mirai scanner modified to target SSH
Mirai was originally a self-propagating DDoS botnet that appeared in 2016 and was primarily designed to infect embedded networking devices by using vulnerability exploits and Telnet dictionary attacks. The botnet gained notoriety for causing some of the largest DDoS attacks observed on the internet until it was abandoned and its source code was leaked online.
The Mirai codebase, which contains a scanning module for propagation, an attack module, and persistence code that is used to hide the botnet’s processes, has served as inspiration for many other Linux self-propagating botnets in recent years, some focused on DDoS, others on cryptomining, and some on both.
The creators of NoaBot took the Mirai source code but made significant modifications. First, they replaced the Telnet scanner with an SSH scanner. This makes sense because embedded devices that still use the very old Telnet protocol for command line debugging and management are not a good target for cryptomining due to their limited computing resources. However, Linux servers are a good target and are much more likely to have SSH enabled.
However, SSH dictionary attacks — where the attacker will test predefined pairs of usernames and passwords — are nothing new and are also easy to defend against by following best security practices like using SSH key-based authentication and disabling password authentication. This means that the servers compromised by NoaBot are likely low-hanging fruit from a security perspective and it wouldn’t be surprising if they’re already infected with other malware.
The NoaBot SSH scanner does have a clear signature because when a SSH connection is accepted by an IP address the botnet client sends the message “hi.” This is not a valid SSH command and there is no practical reason to send it, so it can be used to create a firewall signature.
Other modifications made to NoaBot involve changing the compiler from GCC to uClib to make its binary code significantly different from Mirai and therefore evade existing Mirai detection signatures, and adding command line arguments that enable different functionalities. For example, the bot can add an attacker-controlled key in the SSH authorized keys to ensure persistence even if password-based authentication is disabled, it acts as a backdoor by downloading and installing additional binaries and adds a crontab entry to ensure it starts after reboot.
The command line flag for this persistence mechanism is called “noa”, inspiring the name of the botnet. However, the researchers found detection signatures in antivirus engines for the prefix “noa-” which suggests it could be common.
Cryptominer modifications and P2PInfect connection
The cryptomining component is XMRig, an open-source and widely used cryptocurrency mining program that has legitimate uses but is also popular with attackers. According to the Akamai researchers, the NoaBot creators made advanced modifications to the XMRig code as well to hide and encrypt its configuration, particularly the IP address that serves as the mining pool where attackers collect the generated cryptocurrency.
“We believe that the threat actors chose to run their own private pool instead of a public one, thereby eliminating the need to specify a wallet (their pool, their rules!),” the researchers said. “However, in our samples, we observed that minerâs domains were not resolving with Googleâs DNS, so we canât really prove our theory or gather more data from the pool, since the domains we have are no longer resolvable. We havenât seen any recent incident that drops the miner, so it could also be that the threat actors decided to depart for greener pastures.”
The researchers are fairly certain that the same authors are also using a custom version of P2PInfect, another self-replicating worm that appeared in July and is written in Rust. Some P2PInfect samples contained very specific text and inside jokes that the NoaBot creators also used in their code, such as lyrics from game-related pop songs.
P2PInfect exploits a Lua vulnerability to compromise instances of Redis, an in-memory storage system. However, some variants also include a SSH scanner. It’s not clear why this group of attackers switched from Mirai to P2PInfect, which is an even more custom creation, or whether they are using both in parallel.
“First, custom code is more difficult to reverse engineer than repurposed code because it is modified,” the researchers said. “Second, the threat actors seem quite tech-savvy, so it could be that theyâre trying their hand at malware development out of curiosity or boredom (or both). Finally, given that P2PInfect targets Redis servers, it could simply be a case of different tools for different purposes.”
The Akamai team has published a list of indicators of compromise on its GitHub repository along with YARA detection signatures that can be used to find NoaBot binaries. Of course, restricting SSH access to only trusted sets of IP addresses and using key-based authentication are also highly recommended and are part of standard SSH hardening.