A noticeable difference between NoaBot and Mirai is that rather than DDoS attacks, the botnet targets weak passwords connecting SSH connections to install cryptocurrency mining software.
Cybersecurity researchers at Akamai have discovered cryptomining malware called NoaBot based on the notorious Mirai botnet. The crytojacking malware NoaBot is currently targeting Linux servers and has been active since January 2023.
According to Akamai, a noticeable difference between NoaBot and Mirai is that rather than DDoS attacks (Distributed Denial of Service attacks), the malware targets weak passwords connecting SSH connections and installs cryptocurrency mining software, allowing attackers to generate digital coins using victims’ computing resources, electricity, and bandwidth.
Here, it is important to mention that NoaBot malware has also been used to deliver P2PInfect, a separate worm discovered by Palo Alto Networks in July 2023.
NoaBot is compiled using the UClibc code library, unlike the standard Mirai library. This changes how the antivirus protections detect NoaBot, categorizing it as an SSH scanner or generic trojan. The malware is statically compiled and stripped of symbols, while strings are obfuscated instead of saved as plaintext, making it harder for reverse engineers to extract details.
The NoaBot binary runs from a randomly generated folder, making searching devices harder. The standard Mirai dictionary is replaced with a large one, and a custom-made SSH scanner is used. Post-breach capabilities include installing a new SSH-authorized key.
This botnet has grown significantly, with over 800 unique IP addresses worldwide showing signs of NoaBot infections. The worm is a customized version of Mirai, a malware that infects Linux-based servers, routers, web cameras, and other Internet of Things devices.
Interestingly, the malware includes embedded song lyrics from the “Who’s Ready for Tomorrow” song by Rat Boy and IBDY, but later samples do not have these. The botnet also adds command line arguments, such as the “noa” flag, which installs a persistence method after a reboot.
Threat actors modified the XMRig miner to extract the mining configuration before execution. The miner’s functions involve function calls and signals. The configuration contains the mining pool and wallet address details. However, IDA misses the binary name and pool IP placeholder, allowing attackers to estimate the profitability of the cryptomining gig.
Researchers noted that the attackers were running their private pool instead of a public one, eliminating the need for a wallet. However, domains are no longer resolvable with Google’s DNS, and no recent incidents involving the dropping of the miner are noticed, suggesting the threat actors may have halted the campaign for better opportunities.
Hackread has been following incidents involving Mirai since it was discovered in 2016. Mirai is a self-replicating malware targeting Linux-based IoT devices, used to infect other vulnerable devices.
In 2016, it was used in a massive DDoS attack against Dyn DNS, paralyzing the internet. The creators released the source code, allowing crime groups to incorporate it into their attacks. Mirai scans the internet for Telnet connections via infected devices to crack Telnet passwords, then targets additional devices using the same technique.
Akamai urges Linux server administrators to protect their systems from NoaBot by keeping software updated, using strong passwords, enabling two-factor authentication, and monitoring unauthorized activity. This is crucial as NoaBot can launch DDoS, data breaches, and cryptojacking attacks.
RELATED ARTICLES
- Hackers behind Mirai botnet & DYN DDoS attacks plead guilty
- Hackers behind Mirai botnet to avoid jail for working with the FBI
- Tiny Mantis Botnet Can Launch Powerful DDoS Attacks Than Mirai
- Reaper malware outshines Mirai; hits millions of IoT devices worldwide
- Mirai Variant ‘OMG’ Turns IoT Devices into Proxy Servers for Cryptomining