
NoaBot Botnet: Linux Servers Under Siege! 🚨💻


Mirai-Based NoaBot Botnet Deploys Cryptominer on Linux Servers

A new botnet has emerged that targets weakly defended servers by brute-forcing SSH logins and deploying cryptomining malware on Linux servers. The botnet's main client is based on the old Mirai worm, whose source code has been available for years. However, researchers have also observed the same group using the more modern P2PInfect worm that exploits Redis instances. The botnet, known as NoaBot, has been slowly growing over the past year, with its beginnings dating back to January 2023, according to telemetry data from Akamai's honeypots.

Akamai researchers have recorded over 800 unique IP addresses from around the world that showed signs of NoaBot infections, with 10% of them based in China. The botnet's method of lateral movement is via plain old SSH credentials dictionary attacks, and restricting arbitrary internet SSH access to a network greatly reduces the risks of infection. Using strong passwords, instead of default or randomly generated ones, also makes a network more secure, as the malware uses a basic list of guessable passwords.

Key Takeaways

  • NoaBot is a new botnet that targets weakly defended servers by brute-forcing SSH logins and deploying cryptomining malware on Linux servers.
  • The botnet's main client is based on the old Mirai worm, but researchers have also observed the same group using the more modern P2PInfect worm that exploits Redis instances.
  • The botnet has been slowly growing over the past year, with its beginnings dating back to January 2023, according to telemetry data from Akamai's honeypots.

Mirai scanner modified to target SSH

NoaBot is a modified Mirai variant that primarily focuses on infecting Linux servers by brute-forcing SSH logins. It spreads over the SSH protocol using a custom Mirai client that the threat actors modified, and once on a host it deploys a cryptominer.

The creators of NoaBot replaced the original Telnet scanner with an SSH scanner, a more effective way of targeting Linux servers. The SSH scanner sends predefined pairs of usernames and passwords to SSH servers to gain access. Once a host is infected, the botnet's persistence mechanism ensures it restarts after a reboot, even if password-based authentication is disabled afterwards.

The NoaBot SSH scanner has a clear signature: when an SSH connection is accepted by a target IP address, the botnet client sends the message "hi". This message is not valid SSH traffic and has no practical reason to be sent, so it can be used to create a firewall signature.
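The check described above, written as an added example that is not part of the article or of Akamai's published signatures. It assumes, as the firewall-signature remark implies, that the "hi" probe arrives in cleartext as the first client bytes of the TCP session, where a legitimate client must instead send an RFC 4253 identification string; the sample flows and the Suricata rule text are constructed.

```python
# Added example: classify the first client bytes of a TCP session to port 22.
# RFC 4253 requires the client to open with "SSH-2.0-..." (or "SSH-1.99-");
# the article reports NoaBot's scanner sends a bare "hi" instead.
import re
from dataclasses import dataclass
from typing import List, Tuple

SSH_IDENT = re.compile(rb"^SSH-(?:2\.0|1\.99)-")


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    first_client_bytes: bytes  # first payload the client sends after the TCP handshake


def classify(payload: bytes) -> str:
    """'ssh-ident' for a legitimate client banner, 'noabot-hi' for the probe
    described in the article, 'other' for anything else (HTTP probes, junk)."""
    if SSH_IDENT.match(payload):
        return "ssh-ident"
    if payload.rstrip(b"\r\n") == b"hi":
        return "noabot-hi"
    return "other"


def suspect_sources(flows: List[Flow]) -> List[Tuple[str, str]]:
    """(src, dst) pairs that sent the probe to port 22; sorted for stable output."""
    hits = {(f.src, f.dst) for f in flows
            if f.dport == 22 and classify(f.first_client_bytes) == "noabot-hi"}
    return sorted(hits)


# The same observation as an IDS rule (constructed; assumes Suricata syntax,
# sid is a placeholder in the local range).
SURICATA_RULE = ('alert tcp any any -> $HOME_NET 22 (msg:"NoaBot SSH scanner hi probe"; '
                 'flow:to_server,established; dsize:<5; content:"hi"; startswith; '
                 'sid:1000001; rev:1;)')

# Constructed sample: 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_FLOWS = [
    Flow("198.51.100.20", "10.0.0.5", 22, b"SSH-2.0-OpenSSH_9.3\r\n"),  # normal client
    Flow("203.0.113.7", "10.0.0.5", 22, b"hi"),
    Flow("203.0.113.7", "10.0.0.6", 22, b"hi"),
    Flow("203.0.113.9", "10.0.0.5", 80, b"hi"),  # not SSH, ignored
]

if __name__ == "__main__":
    for src, dst in suspect_sources(SAMPLE_FLOWS):
        print(f"NoaBot-style probe: {src} -> {dst}")
```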

The NoaBot botnet installs a crontab entry that ensures it starts after reboot. The command line flag for this persistence mechanism is called "noa", which inspired the name of the botnet. However, the researchers found antivirus detection signatures for the prefix "noa-", which suggests the prefix may be common.

NoaBot is a self-propagating botnet that uses lateral movement to infect other machines on the network. The botnet targets weakly defended servers by brute-forcing SSH logins. However, the NoaBot infection can be prevented by following best security practices like using SSH key-based authentication and disabling password authentication.

The NoaBot botnet is a significant threat to Linux servers, and it is essential to take steps to protect against it. This includes hardening SSH servers by using strong passwords, restricting access to trusted sets of IP addresses, and disabling password authentication. Additionally, it is crucial to regularly scan for vulnerabilities and keep software up to date to prevent attacks from botnets like NoaBot.
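An added example (not from the article or any Akamai tooling) that audits an sshd_config text for the three hardening points just listed: password authentication off, key-based authentication on, and logins limited to trusted source addresses. The two sample configs are constructed; 192.0.2.0/24 is a documentation range standing in for an admin network, and in practice the address restriction is usually enforced at the firewall as well.

```python
# Added example: audit sshd_config for the hardening points in the article.
from typing import Dict, List, Tuple

Settings = Dict[str, str]


def parse_sshd_config(text: str) -> Tuple[Settings, List[Tuple[str, Settings]]]:
    """Split a config into global settings and (criteria, settings) Match blocks.
    sshd keywords are case-insensitive, so keys are lowercased; comments dropped."""
    global_cfg: Settings = {}
    matches: List[Tuple[str, Settings]] = []
    current = global_cfg
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":            # every line below belongs to this block
            current = {}
            matches.append((value, current))
        else:
            current[key] = value
    return global_cfg, matches


def audit(text: str) -> List[str]:
    """Return findings; an empty list means all three hardening checks pass."""
    g, matches = parse_sshd_config(text)
    findings: List[str] = []
    if g.get("passwordauthentication", "yes").lower() != "no":  # sshd default is yes
        findings.append("PasswordAuthentication is not 'no'")
    if g.get("pubkeyauthentication", "yes").lower() == "no":
        findings.append("PubkeyAuthentication is 'no'")
    restricted = "@" in g.get("allowusers", "")  # AllowUsers user@host limits sources
    for criteria, cfg in matches:
        by_address = "address" in criteria.lower().split()
        restricted = restricted or by_address
        if cfg.get("passwordauthentication", "").lower() == "yes" and not by_address:
            findings.append(f"Match '{criteria}' re-enables passwords without an Address criterion")
    if not restricted:
        findings.append("no source-address restriction (AllowUsers user@host or Match Address)")
    return findings


WEAK_CONFIG = """# constructed: effectively OpenSSH defaults, reachable from anywhere
Port 22
PasswordAuthentication yes
"""

HARDENED_CONFIG = """# constructed: key-only logins, and only from the admin range 192.0.2.0/24
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AllowUsers *@192.0.2.0/24
"""
```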


Cryptominer modifications and P2PInfect connection

The NoaBot botnet uses a modified version of the open-source cryptocurrency mining program XMRig. The attackers have made advanced modifications to the XMRig code, including hiding and encrypting its configuration, particularly the IP address of the mining pool. The researchers at Akamai believe that the threat actors run their own private pool instead of a public one, which eliminates the need to specify a wallet. However, the miner's domains no longer resolve via Google's DNS, so the researchers cannot confirm this theory or gather more data from the pool.

The researchers have also discovered that the same authors are using a custom version of P2PInfect, a self-replicating worm that appeared in July and is written in Rust. P2PInfect exploits a Lua vulnerability to compromise instances of Redis, an in-memory storage system. Some variants of P2PInfect also include an SSH scanner. The NoaBot creators have used specific text and inside jokes in their code that are also present in P2PInfect samples. It is not clear why the attackers switched from Mirai to P2PInfect, which is an even more custom creation, or whether they are using both in parallel.

The threat actors behind NoaBot seem to be quite tech-savvy, and they may be trying their hand at malware development out of curiosity or boredom. Custom code is also more difficult to reverse engineer than repurposed, well-known code. Given that P2PInfect targets Redis servers, it could simply be a case of different tools for different purposes.

The Akamai team has published a list of indicators of compromise on its GitHub repository, along with YARA detection signatures that can be used to find NoaBot binaries. Beyond detection, restricting SSH access to trusted sets of IP addresses and using key-based authentication are highly recommended and are part of standard SSH hardening.

Frequently Asked Questions

What are the capabilities of the Mirai-based NoaBot when it deploys a cryptominer on Linux servers?

The Mirai-based NoaBot botnet is capable of brute-forcing SSH logins to gain access to weakly defended servers. Once it has access, the botnet deploys a cryptominer on the Linux server to mine cryptocurrencies. The botnet uses a custom Mirai variant to spread the malware over the SSH protocol.

How can system administrators protect their Linux servers against botnet cryptominer deployments?

System administrators can protect their Linux servers against botnet cryptominer deployments by implementing strong password policies and using two-factor authentication. Additionally, they can monitor their servers for any suspicious activity and regularly update their server software and operating systems to patch vulnerabilities.

What are the signs of a Mirai-based botnet infection on a server?

Signs of a Mirai-based botnet infection on a server include slow system performance, increased CPU usage, and unusual network traffic. Additionally, system administrators may notice unfamiliar processes running on their servers and unauthorized access attempts.

What steps should be taken upon discovering a cryptominer deployed by a Mirai-based botnet?

Upon discovering a cryptominer deployed by a Mirai-based botnet, system administrators should immediately disconnect the infected server from the network to prevent the malware from spreading. They should then isolate the server and scan it for any other malware or backdoors that may have been installed. Once the server has been cleaned, system administrators should implement stronger security measures to prevent future attacks.

How does the NoaBot variant differ from the original Mirai botnet in terms of functionality?

The NoaBot variant of the Mirai botnet differs from the original in that it is specifically designed to deploy cryptominers on Linux servers. It uses a custom Mirai variant to spread the malware and brute-force SSH logins to gain access to servers. Additionally, NoaBot has been observed to use a more sophisticated command and control infrastructure than the original Mirai botnet.

What recent developments have been observed in the evolution of Mirai-based botnets targeting Linux servers?

Recent developments in the evolution of Mirai-based botnets targeting Linux servers include the use of more sophisticated command and control infrastructure, the deployment of multiple malware payloads, and the use of more advanced obfuscation techniques to evade detection. Additionally, researchers have observed an increase in the number of botnets targeting Linux servers, indicating a growing trend in this type of cyber attack.
