
New PumaBot Botnet Targets Linux IoT Devices to Steal SSH Credentials and Mine Crypto

Embedded Linux-based Internet of Things (IoT) devices have become the target of a new botnet dubbed PumaBot. Written in Go, the botnet brute-forces SSH instances to expand in size and scale and to deliver additional malware to the infected hosts.

"Rather than scanning the internet, the malware retrieves a list of targets from a command-and-control (C2) server and attempts to brute force SSH credentials," Darktrace said in an analysis shared with The Hacker News. "Upon gaining access, it receives remote commands and establishes persistence using system service files."

Initial access comes from successfully brute-forcing SSH credentials against a list of harvested IP addresses with open SSH ports; the target list is retrieved from an external server ("ssh.ddos-cc[.]org"). During its brute-force attempts, the malware also performs various checks to determine whether the system is suitable and is not a honeypot. It further checks for the presence of the string "Pumatronix," a manufacturer of surveillance and traffic camera systems, indicating an attempt either to specifically single out those devices or to exclude them.

The malware then collects basic system information and exfiltrates it to the C2 server, after which it sets up persistence and executes commands received from the server. "The malware writes itself to /lib/redis, attempting to disguise itself as a legitimate Redis system file," …
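The two behaviours described above that a defender can actually check for on a Linux host are the SSH brute force (visible in sshd's auth log) and the persistence via a binary at /lib/redis launched from a system service file. The following is an added example, not Darktrace's analysis code or anything from the malware itself: it counts failed SSH logins per source, flags sources that succeeded after a burst of failures, and scans a filesystem root for the /lib/redis path and any systemd unit whose ExecStart runs it. The sample auth-log lines, the unit file name `redis.service`, and the `build_demo_root` tree are constructed for the demo; the sshd log format and systemd unit directories are standard.

```python
import os
import re
import tempfile
from collections import Counter

# OpenSSH syslog lines, e.g. from /var/log/auth.log or `journalctl -u ssh`.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2")
ACCEPTED_RE = re.compile(
    r"Accepted (?:password|publickey) for (?P<user>\S+) from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2")

# Constructed sample log (not real traffic): one source hammers root/admin, then gets in.
SAMPLE_AUTH_LOG = [
    "May 28 10:12:01 cam01 sshd[1032]: Failed password for root from 203.0.113.7 port 51234 ssh2",
    "May 28 10:12:02 cam01 sshd[1034]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2",
    "May 28 10:12:03 cam01 sshd[1036]: Failed password for root from 203.0.113.7 port 51238 ssh2",
    "May 28 10:12:04 cam01 sshd[1038]: Failed password for root from 203.0.113.7 port 51240 ssh2",
    "May 28 10:12:05 cam01 sshd[1040]: Accepted password for root from 203.0.113.7 port 51242 ssh2",
    "May 28 10:15:00 cam01 sshd[1050]: Failed password for pi from 198.51.100.9 port 40000 ssh2",
    "May 28 10:20:00 cam01 sshd[1060]: Accepted publickey for ops from 192.0.2.10 port 50000 ssh2",
]


def brute_force_sources(log_lines, threshold=3):
    """Map source IP -> failed-login count for sources at or above `threshold`."""
    failures = Counter()
    for line in log_lines:
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("ip")] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}


def compromised_sources(log_lines, threshold=3):
    """Source IPs that logged in successfully after at least `threshold` failures.
    A success following a failure burst is the strongest sign the brute force
    worked, so these sources deserve first attention."""
    failures = Counter()
    hits = set()
    for line in log_lines:  # order matters: failures must precede the success
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("ip")] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m and failures[m.group("ip")] >= threshold:
            hits.add(m.group("ip"))
    return hits


UNIT_DIRS = ("etc/systemd/system", "lib/systemd/system", "usr/lib/systemd/system")
# ExecStart lines that run /lib/redis itself (not e.g. /lib/redis-server).
EXEC_REDIS_RE = re.compile(r"^\s*ExecStart\s*=.*?/lib/redis(?:\s|$)", re.M)


def find_persistence(root="/"):
    """Return (kind, path) pairs for the /lib/redis drop path and any systemd
    unit whose ExecStart runs it. `root` lets the scan run against a mounted
    image or, here, a constructed tree. A hit is an indicator to triage, not
    proof of infection on its own."""
    findings = []
    dropper = os.path.join(root, "lib", "redis")
    if os.path.isfile(dropper):
        findings.append(("binary", dropper))
    for rel in UNIT_DIRS:
        d = os.path.join(root, rel)
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".service"):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, errors="replace") as fh:
                    if EXEC_REDIS_RE.search(fh.read()):
                        findings.append(("unit", path))
            except OSError:
                continue
    return findings


def build_demo_root():
    """Constructed filesystem tree mimicking the persistence described above
    (assumed unit name `redis.service`; the payload is a placeholder, not malware)."""
    root = tempfile.mkdtemp(prefix="pumabot-demo-")
    os.makedirs(os.path.join(root, "lib"))
    with open(os.path.join(root, "lib", "redis"), "wb") as fh:
        fh.write(b"\x7fELF")
    unit_dir = os.path.join(root, "etc", "systemd", "system")
    os.makedirs(unit_dir)
    with open(os.path.join(unit_dir, "redis.service"), "w") as fh:
        fh.write("[Unit]\nDescription=redis\n\n[Service]\nExecStart=/lib/redis\n"
                 "Restart=always\n\n[Install]\nWantedBy=multi-user.target\n")
    with open(os.path.join(unit_dir, "ssh.service"), "w") as fh:  # benign control
        fh.write("[Service]\nExecStart=/usr/sbin/sshd -D\n")
    return root


if __name__ == "__main__":
    print("brute-force sources:", brute_force_sources(SAMPLE_AUTH_LOG))
    print("successful after failures:", compromised_sources(SAMPLE_AUTH_LOG))
    print("persistence indicators:", find_persistence(build_demo_root()))
```

On a live host, pass real lines (`brute_force_sources(open("/var/log/auth.log"))`) and call `find_persistence()` with the default root, or point `root` at a mounted image of a suspect device; on systems where `/lib` is a symlink to `/usr/lib`, `os.path.isfile` follows it, so the check still works.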
