Attacks on these devices come from every corner of the planet.
Security company Akamai says in a new report that over the past year, previously unknown self-healing malware has compromised Linux devices around the world, installing cryptocurrency mining programs on them that hide their work in unusual ways.
The worm is a modified version of the Mirai botnet, a malware that infects servers, routers, webcams, and other Linux-based Internet of Things (IoT) devices. Mirai first appeared in 2016 and was used to conduct large-scale DDoS attacks. Unlike Mirai, which targeted DDoS attacks, the new worm, dubbed NoaBot, installs cryptominers that allow attackers to use the resources of infected devices to mine cryptocurrency.
According to Akamai experts, NoaBot demonstrates extraordinary opportunities to conceal its actions. The malware uses non-standard libraries and encryption methods to make it difficult to detect and analyze malware.
Here are the features of the new worm:
Despite its simplicity, NoaBot demonstrates sophisticated methods of hiding its activities and making analysis difficult. Akamai tracked the worm's activity for a year and recorded attacks from 849 different IP addresses around the world, almost all devices are most likely already infected.
Geography of NoaBot attack
The company has published detailed indicators of compromise (IOC), which can be used to check devices for infection. It is not yet clear how widely the worm has spread, but its non-standard methods of operation are of concern to researchers.
Akamai notes that restricting random SSH access to the network significantly reduces the risk of infection. In addition, the use of strong (non-standard or randomly generated) passwords also increases security, since malware uses a basic list of guessed passwords. Experts have placed in the GitHub repository the sets of credentials used by NoaBot.
At first glance, NoaBot is not a very complex campaign. This is a variant of Mirai and the XMRig cryptominer-there is now a large number of similar malware. However, obfuscation methods and source code additions paint a completely different picture of the capabilities of attackers.
Security company Akamai says in a new report that over the past year, previously unknown self-healing malware has compromised Linux devices around the world, installing cryptocurrency mining programs on them that hide their work in unusual ways.
The worm is a modified version of the Mirai botnet, a malware that infects servers, routers, webcams, and other Linux-based Internet of Things (IoT) devices. Mirai first appeared in 2016 and was used to conduct large-scale DDoS attacks. Unlike Mirai, which targeted DDoS attacks, the new worm, dubbed NoaBot, installs cryptominers that allow attackers to use the resources of infected devices to mine cryptocurrency.
According to Akamai experts, NoaBot demonstrates extraordinary opportunities to conceal its actions. The malware uses non-standard libraries and encryption methods to make it difficult to detect and analyze malware.
Here are the features of the new worm:
- Unlike the standard Mirai, which attacks devices via Telnet, the new worm exploits vulnerabilities in SSH connections.;
- For distribution, NoaBot uses weak SSH passwords, not Telnet, like Mirai;
- Instead of conducting DDoS attacks, the worm installs a modified version of the XMRig cryptocurrency miner;
- The configuration for connecting the miner to the pool is stored in encrypted form and decrypted immediately before launching XMRig, which makes it difficult to track the wallet addresses of attackers.;
- Most likely, the worm uses a private pool for mining.
- NoaBot masks its activity by using non-standard libraries and string obfuscation, which makes it difficult for antivirus programs to detect and analyze the code.
Despite its simplicity, NoaBot demonstrates sophisticated methods of hiding its activities and making analysis difficult. Akamai tracked the worm's activity for a year and recorded attacks from 849 different IP addresses around the world, almost all devices are most likely already infected.
Geography of NoaBot attack
The company has published detailed indicators of compromise (IOC), which can be used to check devices for infection. It is not yet clear how widely the worm has spread, but its non-standard methods of operation are of concern to researchers.
Akamai notes that restricting random SSH access to the network significantly reduces the risk of infection. In addition, the use of strong (non-standard or randomly generated) passwords also increases security, since malware uses a basic list of guessed passwords. Experts have placed in the GitHub repository the sets of credentials used by NoaBot.
At first glance, NoaBot is not a very complex campaign. This is a variant of Mirai and the XMRig cryptominer-there is now a large number of similar malware. However, obfuscation methods and source code additions paint a completely different picture of the capabilities of attackers.
