A well-designed operation uses a version of the popular Mirai malware to secretly distribute cryptocurrency mining software, researchers said Wednesday.
Researchers at Akamai, who call it NoaBot, said the campaign has been active for about a year and has various quirks that complicate malware analysis and point to highly skilled malicious actors.
The NoaBot botnet spreads over SSH on Linux, the protocol that provides secure remote access to a computer or server over a network. As part of the attack, the malware installs a modified version of the XMRig miner on infected devices.
Akamai researchers said the details got fuzzier from there. Hackers take great care to hide the wallet address to which the cryptominer sends the mined coins. And other aspects of the campaign are difficult to assess.
“The malware’s obfuscation and custom code show a high level of operational security, which generally indicates mature threat actors, but the naming of the malware’s binaries and some of its embedded strings is quite childish,” the researchers said. “That complicates attribution.”
For example, the malware calls a Unix socket “NunzombiE” and also includes lyrics from the pop song “Who’s Ready for Tomorrow” by Rat Boy and IBDY.
“As far as we know, those words were of no use. Later samples did not contain them,” the researchers said.
NoaBot, however, appears to have links to P2PInfect, a worm first identified in July 2023. The most recent incidents spotted by Akamai used this malware instead of the original Mirai-based code.
“How do we know these are the same threat actors, and not just some sort of collaboration? We’re not 100% sure, but we’re close,” the researchers said. “It all comes down to the technical professionalism of the malware, coupled with a teenager’s maturity level in terms of inside jokes, including inserting profanities into the miner’s name, embedding pop song lyrics into malware binaries and sending ‘hello’ when scanning for open ports.”
Mirai variants proliferated after its original US-based creators published the source code in 2016. Initially used for distributed denial of service (DDoS) attacks, Mirai eventually became a tool for other malicious activities.
In fact, Akamai researchers said they might have ignored NoaBot – “yet another Mirai-based botnet” – if some of its attributes hadn’t been a little strange. It helped “that the NoaBot samples were not immediately detected as Mirai,” said Stiv Kupchik, a security researcher at Akamai.
“We usually reject Mirai samples because they are so widespread,” Kupchik said.
Akamai researchers said they hope their findings will be useful the next time the operation is launched.
“On the surface, NoaBot isn’t a very sophisticated campaign – it’s ‘just’ a Mirai variant and an XMRig cryptominer, and there are those in spades today,” the researchers said. “However, obfuscations added to the malware and additions to the original source code paint a very different picture of the threat actors’ capabilities.”
Jonathan Greig contributed to this story.
Joe Warminsky is the editor-in-chief of Recorded Future News. He has more than 25 years of experience as an editor and writer in the Washington, DC area. Most recently, he helped lead CyberScoop for over five years. Before that, he was a digital editor at WAMU 88.5, NPR’s Washington affiliate, and he spent more than a decade editing congressional coverage for CQ Roll Call.