Mirai-based NoaBot Cryptomining Botnet Threatens Linux Servers
Over the last year, a new botnet slowly grew by brute-forcing SSH passwords and installing cryptomining malware onto Linux servers. The main client of the botnet is based on an old Mirai virus whose source code was available for many years. However, researchers have seen that the same group has also used the more recent P2PInfect malware, which exploits Redis instances.
According to security researchers, the botnet began in January 2023. However, it has grown significantly since then, reaching its peak last month. More than 800 unique IPs from around the globe that showed signs of NoaBot infection were recorded, with 10% of those being based in China.
The researchers said that the malware uses a simple SSH credential dictionary attack to move laterally. Restricting internet SSH access greatly reduces the risk of infection. The use of strong passwords (not the default or randomly generated ones) also helps to secure your network since malware is able to guess passwords from a list.
Modified Mirai Scanner Targets SSH
Mirai is a self-propagating DDoS Botnet that first appeared in 2016. It was designed to infect embedded network devices using Telnet dictionary attacks and vulnerability exploits. The botnet was known for being the source of some of the biggest DDoS attacks on the internet.
In recent years, the Mirai codebase, which includes a scanning module to propagate, an attack module, and persistence code used to hide botnet processes, has inspired many other Linux self-propagating botnets. Some focused on DDoS, while others were cryptomining.
NoaBot was developed by NoaBot creators, who took Mirai's source code and made some significant changes. They replaced the Telnet scan with an SSH scan. It makes sense because embedded devices that still use Telnet for command-line debugging and administration are not good targets for cryptomining. This is due to the limited computing power of these devices. Linux servers, on the other hand, are good targets and more likely to be SSH-enabled.
SSH dictionary attacks, where an attacker tests predefined usernames and passwords, are not new. They are easy to defend against if you follow best security practices, such as using SSH key-based authentication and disabling password authentication. The servers that were compromised by NoaBot would be considered low-hanging fruits from a security standpoint. It wouldn't surprise us if the servers had already been infected with malware.
NoaBot SSH scan has a clear signature because the botnet client will send the message "hi" when an address accepts an SSH. This isn't a valid SSH Command, and there isn't a practical reason to send this. Therefore, it can be used as a firewall signature.
NoaBot has also been modified by changing its compiler from GCC (to uClib) to significantly alter the binary code, allowing it to be detected differently than Mirai. It also added command-line arguments to enable various functionalities. The bot, for example, can include an attacker-controlled SSH key to ensure persistence, even if password authentication is disabled. It also acts as a backup by downloading and adding additional binaries, and it adds an entry in crontab to ensure that it starts up after reboot.
This persistence mechanism's command-line flag is "noa," which inspired the name of the Botnet. Researchers found signatures for "noa" in antivirus engines, which indicates that it is a common prefix.
Cryptominer Modification and P2PInfect Connection
The cryptomining component of the NoaBot is XMRig. This is an open-source, widely used cryptocurrency miner that is popular among attackers. Akamai researchers claim that the NoaBot creators modified the XMRig program code to conceal and encrypt the configuration. This included the IP address of the mining pool, where the attackers collect their cryptocurrency.
"We believe the threat actors have chosen to run their private pool rather than a public pool. This eliminates the need to specify the wallet (their pool and their rules! Researchers said. The researchers said, "In our samples, we noticed that the miner's sites were no longer resolvable with Google's DNS. We can't prove our theory or collect more data because the domains are unresolved." There haven't been any recent incidents that drop the miner. It could be that the threat actor decided to leave for "greener pastures."
Researchers are confident that the same authors also use a customized version. This self-replicating virus appeared in July, and it is written in Rust. The NoaBot code also included some P2PInfect samples that contained inside jokes and text.
P2PInfect uses a Lua flaw to compromise Redis instances, which is an in-memory system. variants may also contain an SSH scan. This group of attackers is not sure why they switched from Mirai, which was a more customized creation, to P2PInfect. Or if they're using both at the same time.
Researchers said that custom code was more difficult to reverse-engineer than repurposed codes because it has been modified. Second, since the threat actors are tech-savvy, they may try to develop malware out of boredom or curiosity. P2PInfect is a tool that targets Redis servers. It could be different tools being used for different purposes.
How Can I Secure My Servers Against This Threat?
To protect against this threat and enhance the security of your servers, SSH access should be restricted to trusted IP addresses, and key-based authentication is recommended as part of SSH hardening.
Have additional questions about securing your Linux servers? Please reach out to us on X @lnxsec- we're here to help!
Stay safe out there, fellow Linux users!