Embedded Linux-based Internet of Things (IoT) devices have become the target of a new botnet dubbed PumaBot.
Written in Go, the botnet is designed to conduct brute-force attacks against SSH instances to expand in size and scale and deliver additional malware to the infected hosts.
“Rather than scanning the internet, the malware retrieves a list of targets from a command-and-control (C2) server and attempts to brute force SSH credentials,” Darktrace said in an analysis shared with The Hacker News. “Upon gaining access, it receives remote commands and establishes persistence using system service files.”
The botnet malware is designed to obtain initial access via successfully brute-forcing SSH credentials across a list of harvested IP addresses with open SSH ports. The list of IP addresses to target is retrieved from an external server (“ssh.ddos-cc[.]org”).
As part of its brute-force attempts, the malware also performs various checks to determine if the system is suitable and is not a honeypot. Furthermore, it checks the presence of the string “Pumatronix,” a manufacturer of surveillance and traffic camera systems, indicating either an attempt to specifically single them out or exclude them.
The malware then proceeds to collect and exfiltrate basic system information to the C2 server, after which it sets up persistence and executes commands received from the server.
“The malware writes itself to /lib/redis, attempting to disguise itself as a legitimate Redis system file,” Darktrace said. “It then creates a persistent systemd service in /etc/systemd/system, named either redis.service or mysqI.service (note the spelling of mysql with a capital I) depending on what has been hardcoded into the malware.”
In doing so, it allows the malware to give the impression that it’s benign and also survive reboots. Two of the commands executed by the botnet are “xmrig” and “networkxm,” indicating that the compromised devices are being used to mine cryptocurrency in an illicit manner.
“I believe the end goal is to deploy a cryptominer, given the reference to XMRig, however since C2 was down at the time of analysis, it can’t be determined what commands were being sent or received,” Tara Gould, threat research lead at Darktrace, told The Hacker News. “It is possible another payload, or cryptominer was being sent from the C2.”
However, the commands are launched without specifying the full paths, an aspect that signals that the payloads are likely downloaded or unpacked elsewhere on the infected host. Darktrace said its analysis of the campaign uncovered other related binaries that are said to be deployed as part of a broader campaign –
- ddaemon, a Go-based backdoor which is retrieve the binary “networkxm” into “/usr/src/bao/networkxm” and execute the shell script “installx.sh”
- networkxm, an SSH brute-force tool that functions similar to the botnet’s initial stage by fetching a password list from a C2 server and attempts to connect via SSH across a list of target IP addresses
- installx.sh, which is used to retrieve another shell script “jc.sh” from “1.lusyn[.]xyz,” grant it read, write, and execute permissions for all access levels, run the script, and clear bash history
- jc.sh, which is configured to download a malicious “pam_unix.so” file from an external server and use it to replace the legitimate counterpart installed on the machine, as well as retrieve and run another binary named “1” from the same server
- pam_unix.so, which acts as a rootkit that steals credentials by intercepting successful logins and writing them to the file “/usr/bin/con.txt”
- 1, which is used to monitor for the file “con.txt” being written or moved to “/usr/bin/” and then exfiltrate its contents to the same server
Given that the SSH brute-force capabilities of the botnet malware lends it worm-like capabilities, users are required to keep an eye out for anomalous SSH login activity, particularly failed login attempts, audit systemd services regularly, review authorized_keys files for the presence of unknown SSH keys, apply strict firewall rules to limit exposure, and filter HTTP requests with non-standard headers, such as X-API-KEY: jieruidashabi.
“The botnet represents a persistent Go-based SSH threat that leverages automation, credential brute-forcing, and native Linux tools to gain and maintain control over compromised systems,” Darktrace said.
“By mimicking legitimate binaries (e.g., Redis), abusing systemd for persistence, and embedding fingerprinting logic to avoid detection in honeypots or restricted environments, it demonstrates an intent to evade defenses.”
