2024-01-10

A new botnet, dubbed NoaBot by Akamai researchers, has been slowly growing over the past year by brute-forcing SSH logins and deploying cryptomining malware on Linux servers. The main bot client is based on the old Mirai worm, whose source code has been publicly available for years, but researchers have also seen the same group use the more modern P2PInfect worm, which exploits exposed Redis instances.

Based on telemetry from Akamai's honeypots, the botnet's activity goes back to January 2023, and it has grown since then, peaking in size last month. Akamai has recorded over 800 unique IP addresses around the world showing signs of NoaBot infection, about 10% of them in China.

“The malware’s method of lateral movement is via plain old SSH credentials dictionary attacks,” the Akamai researchers said in a new report. “Restricting arbitrary internet SSH access to your network greatly diminishes the risks of infection. In addition, using strong (not default or randomly generated) passwords also makes your network more secure, as the malware uses a basic list of guessable passwords.”
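The two controls in the quote above, restricting who can reach SSH and leaving the bot's password list nothing to hit, are easiest to verify on a running host. The following is an added example written for this page, not Akamai's code or anything taken from NoaBot: it counts failed-password attempts per source address in sshd log lines (constructed samples in the usual auth.log format, using documentation-range addresses) and audits an sshd_config fragment for the settings that let a dictionary attack succeed. The flagging threshold, host name and account names are assumptions.

```python
"""Spot SSH dictionary attacks in sshd logs and audit sshd_config for the
settings that make them viable. Added example; log lines and configs below
are constructed samples, not real telemetry."""
import re
from collections import Counter, defaultdict

# sshd's "Failed password" / "Accepted ..." lines as written to auth.log or journald.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2"
)
ACCEPTED_RE = re.compile(
    r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2"
)

# Constructed sample: one source cycling through guessable accounts and finally
# getting in as root, and one legitimate user who mistyped once before a key login.
SAMPLE_LOG = """\
Jan 10 03:14:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 41234 ssh2
Jan 10 03:14:03 web1 sshd[2203]: Failed password for root from 203.0.113.5 port 41236 ssh2
Jan 10 03:14:05 web1 sshd[2205]: Failed password for invalid user ubuntu from 203.0.113.5 port 41238 ssh2
Jan 10 03:14:07 web1 sshd[2207]: Failed password for invalid user test from 203.0.113.5 port 41240 ssh2
Jan 10 03:14:09 web1 sshd[2209]: Failed password for root from 203.0.113.5 port 41242 ssh2
Jan 10 03:14:11 web1 sshd[2211]: Accepted password for root from 203.0.113.5 port 41244 ssh2
Jan 10 03:20:44 web1 sshd[2300]: Failed password for alice from 198.51.100.7 port 50122 ssh2
Jan 10 03:20:50 web1 sshd[2302]: Accepted publickey for alice from 198.51.100.7 port 50124 ssh2
"""


def analyze_auth_log(text, threshold=5):
    """Per source IP: failure count, distinct usernames tried, and which account
    (if any) logged in after the failures. A high failure count across several
    usernames followed by a success is the shape of a successful dictionary attack.
    threshold is an assumed tuning value."""
    failures = Counter()
    users = defaultdict(set)
    login_after_failures = {}
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]] += 1
            users[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m and failures[m["ip"]] > 0:
            login_after_failures[m["ip"]] = m["user"]
    return {
        ip: {
            "failures": n,
            "usernames": sorted(users[ip]),
            "login_after_failures": login_after_failures.get(ip),
            "flagged": n >= threshold,
        }
        for ip, n in failures.items()
    }


# Constructed config fragments: the weak form beside a hardened one.
WEAK_SSHD_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication yes
"""
HARDENED_SSHD_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowUsers deploy@10.0.0.0/8
"""


def audit_sshd_config(text):
    """Return findings for settings that keep a password dictionary attack viable.
    Missing keywords fall back to sshd's shipped defaults (PasswordAuthentication yes,
    PermitRootLogin prohibit-password); sshd honours the first occurrence of a keyword."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings.setdefault(key.lower(), value.strip())
    findings = []
    if settings.get("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication yes: password guessing is possible; use keys")
    if settings.get("permitrootlogin", "prohibit-password") == "yes":
        findings.append("PermitRootLogin yes: root is in every bot's username list")
    if "allowusers" not in settings and "allowgroups" not in settings:
        findings.append("no AllowUsers/AllowGroups: every local account is a valid target")
    return findings


if __name__ == "__main__":
    for ip, info in analyze_auth_log(SAMPLE_LOG).items():
        print(ip, info)
    print("weak:", audit_sshd_config(WEAK_SSHD_CONFIG))
    print("hardened:", audit_sshd_config(HARDENED_SSHD_CONFIG))
```

Run against a real host, the log analysis reads `/var/log/auth.log` (or `journalctl -u ssh`) and the audit reads the output of `sshd -T`, which prints the effective configuration after includes and Match blocks rather than the raw file.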

Mirai scanner modified to target SSH

Mirai was originally a self-propagating DDoS botnet that appeared in 2016 and infected embedded networking devices such as routers, IP cameras and DVRs, primarily through Telnet dictionary attacks; later variants added vulnerability exploits. The botnet gained notoriety for some of the largest DDoS attacks observed on the internet at the time, and its source code was leaked online in late 2016.

The Mirai codebase, which contains a scanning module for propagation, an attack module, and self-protection code that hides the bot's process and kills competing malware, has served as the basis for many other self-propagating Linux botnets in recent years, some focused on DDoS, others on cryptomining, and some on both.

The creators of NoaBot took the Mirai source code but made significant modifications. First, they replaced the Telnet scanner with an SSH scanner. This makes sense because embedded devices that still expose the very old Telnet protocol for command-line debugging and management are poor targets for cryptomining, given their limited computing resources. Linux servers, by contrast, have the CPU to mine and almost always have SSH enabled.