PumaBot Malware Targets Linux IoT Devices


A botnet targeting IoT devices running the Linux operating system attacks by brute-forcing device credentials and downloading cryptocurrency mining software.

Researchers at Darktrace have named this botnet “PumaBot” because its malware checks for the string “Pumatronix,” a Brazilian manufacturer of surveillance and traffic cameras, suggesting it either singles out such IoT devices or deliberately avoids them. The botnet also fingerprints the environment to avoid honeypots and restricted shell environments.

Unlike typical botnets, PumaBot does not actively scan the internet for target devices; instead, it connects to a command and control (C2) server to obtain a list of device IPs that may have open SSH ports. Darktrace found that the C2 domain ssh.ddos-cc.org did not resolve to a valid internet address during analysis.

The primary malicious use of this botnet is to hijack infected devices for cryptocurrency mining, exhausting the device’s computational and energy resources by running mining programs. Analysts speculate that PumaBot may be part of a larger operation aimed at establishing long-term covert control points within smart city or industrial monitoring networks.

PumaBot primarily focuses on covert infiltration and long-term control, achieving persistence by creating custom systemd service units. It also adds its SSH key to the trusted authorized_keys file, allowing it to maintain control even if the malicious systemd service file is deleted.

The malware is installed in a hidden directory, /lib/redis, and disguises itself as system services named redis.service and mysqI.service (the latter spelled with a capital I in place of the l of mysql).

PumaBot communicates with the C2 server using custom HTTP headers, including an unusual X-API-KEY field with the value “jieruidashabi.” It uploads the device’s system fingerprint, including architecture, kernel version, and user credentials, which lets the attackers map the distribution of infected devices in real time and deploy customized payloads as needed.

Darktrace also discovered other malicious binaries related to PumaBot, including a persistent backdoor named ddaemon and a component named networkxm, responsible for SSH brute-forcing and self-updating via MD5 checks.

Another key component is the installx.sh script, which modifies the Pluggable Authentication Module (PAM) authentication stack in Linux, implanting a malicious pam_unix.so module to steal local and remote login credentials.

To facilitate data exfiltration, a file monitoring program named “1” monitors stolen credentials stored in a hidden file con.txt and sends this data (including SSH credentials, system IP addresses, and port scan results) to a remote server.
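As an added defender-side example (not code from Darktrace or from the original article), the Python triage script below checks a filesystem root for the host artefacts named above (the /lib/redis directory, the redis.service and mysqI.service units, the con.txt drop file) and filters HTTP log lines for the C2 host and X-API-KEY value; the directories searched, the fixture it builds and the log lines are assumptions constructed for the example.

```python
import tempfile
from pathlib import Path

# Indicators quoted from the article; the directories searched are assumptions.
SUSPECT_DIR = "lib/redis"
SUSPECT_UNITS = {"redis.service", "mysqI.service"}  # capital I, not lowercase l
UNIT_DIRS = ("etc/systemd/system", "lib/systemd/system")
DROP_FILES = ("con.txt", ".con.txt")  # article says "hidden file con.txt"
C2_HOST = "ssh.ddos-cc.org"
C2_API_KEY = "jieruidashabi"


def homoglyph_unit(name: str) -> bool:
    """True for unit names that spell 'mysql' with a capital I in place of the l."""
    stem = name.removesuffix(".service")
    return "I" in stem and stem.replace("I", "l") == "mysql"


def scan_host(root: str) -> list[str]:
    """Return findings for a filesystem rooted at `root` ('/' on a live host)."""
    base, findings = Path(root), []
    if (base / SUSPECT_DIR).is_dir():
        findings.append(f"install dir: /{SUSPECT_DIR}")
    for unit_dir in UNIT_DIRS:
        if not (base / unit_dir).is_dir():
            continue
        for unit in (base / unit_dir).glob("*.service"):
            if unit.name in SUSPECT_UNITS or homoglyph_unit(unit.name):
                findings.append(f"unit: {unit_dir}/{unit.name}")
    for pat in DROP_FILES:
        findings += [f"drop file: {p.relative_to(base)}" for p in base.rglob(pat)]
    return findings


def find_c2_beacons(log_lines: list[str]) -> list[str]:
    """Return proxy/HTTP log lines carrying the C2 host or the X-API-KEY value."""
    return [l for l in log_lines if C2_HOST in l or C2_API_KEY in l]


def build_sample_root() -> str:
    """Constructed fixture: a fake root with the article's artefacts planted."""
    root = Path(tempfile.mkdtemp())
    (root / SUSPECT_DIR).mkdir(parents=True)
    units = root / "etc/systemd/system"
    units.mkdir(parents=True)
    (units / "mysqI.service").write_text("[Service]\nExecStart=/lib/redis/x\n")
    (units / "sshd.service").write_text("[Service]\nExecStart=/usr/sbin/sshd\n")
    (root / SUSPECT_DIR / "con.txt").write_text("root:hunter2\n")  # constructed
    return str(root)


if __name__ == "__main__":
    for line in scan_host(build_sample_root()):
        print(line)
```

On a live host, point `scan_host` at "/" or, to keep the rglob for con.txt fast, at the mount you want to triage.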

Researchers noted: “Although this botnet does not propagate automatically like traditional worms, it exhibits worm-like characteristics through its brute-forcing behavior, indicating that it is a semi-automated botnet activity focused on device intrusion and long-term control.”

Security Circle