New PumaBot Targets Linux IoT Surveillance Devices
A new botnet has emerged, targeting Linux-based Internet of Things (IoT) devices through a combination of SSH brute-force attacks and malware propagation. The PumaBot botnet, discovered by Darktrace researchers, uses sophisticated techniques to evade security measures and maintain persistence on compromised systems.
The Tactic Behind the Threat
PumaBot employs SSH brute-force attacks to steal credentials from Linux-based IoT devices. Instead of scanning the internet for potential targets, it relies on a list of IP addresses pulled from its Command and Control (C2) server. This approach allows the botnet to focus its efforts on a specific set of devices, increasing its chances of success.
Once inside, PumaBot runs remote commands, sets up persistence by creating system service files, and deploys cryptominers like xmrig to mine cryptocurrency. The malware also uses related binaries, such as ddaemon and networkxm, to support its campaign and enable further brute-force activity.
The Method Behind the Malware
PumaBot's core is written in the Go programming language. The malware retrieves a list of IP addresses of devices likely to have open SSH ports from its C2 server via a function called getIPs(). It then performs brute-force login attempts on port 22 using credential pairs obtained from the C2 through other functions.
Within trySSHLogin(), PumaBot performs several environment fingerprinting checks to avoid honeypots and restricted shells. These checks include looking for specific strings, such as "Pumatronix," a manufacturer of surveillance and traffic camera systems, which suggests that the botnet may be targeting such IoT devices specifically.
The Persistence of PumaBot
Once inside a system, PumaBot collects system information, sends it to its C2 server, and hides itself as a fake Redis file with a persistent systemd service. The researchers also discovered additional related binaries, indicating that the bot is part of a larger, coordinated campaign targeting Linux systems.
The botnet's persistence is maintained through the use of native Linux tools, such as systemd, which allows it to blend in seamlessly with legitimate system activity. This makes it challenging for security measures to detect and remove the malware.
Protecting Against PumaBot
To protect against threats like PumaBot, it's essential to monitor for unusual SSH login patterns, especially many failed attempts from different IPs. Regularly auditing systemd services for suspicious entries can also help identify potential botnet activity.
Additionally, checking for unknown SSH keys in authorized_keys files and watching for outbound HTTP requests with odd headers may signal botnet activity. Finally, securing SSH access by limiting exposure of port 22 with strict firewall rules can prevent PumaBot from launching its initial brute-force attack.
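The following script is an added example, not code from the article or from Darktrace's research. It turns three of the recommendations above (failed-login monitoring, systemd service auditing, and authorized_keys review) into host-side checks run over constructed sample data so it works offline. The thresholds, the trusted binary directories, the unit file contents and the key blobs are all assumptions; the sample log lines mimic OpenSSH's sshd messages with documentation-range addresses.

```python
"""Added example (not from the article or Darktrace): three defender-side
checks matching the article's advice, run on constructed sample data."""
import re
from collections import defaultdict

# --- 1. Distributed SSH brute-force in sshd log lines ---------------------
# Constructed auth.log excerpt; IPs are documentation-range addresses.
SAMPLE_AUTH_LOG = """\
May 20 10:01:02 cam01 sshd[1201]: Failed password for root from 198.51.100.10 port 51322 ssh2
May 20 10:01:03 cam01 sshd[1202]: Failed password for admin from 198.51.100.11 port 51323 ssh2
May 20 10:01:05 cam01 sshd[1203]: Failed password for invalid user support from 198.51.100.12 port 51324 ssh2
May 20 10:01:06 cam01 sshd[1204]: Failed password for root from 198.51.100.13 port 51325 ssh2
May 20 10:01:07 cam01 sshd[1205]: Failed password for root from 198.51.100.14 port 51326 ssh2
May 20 10:01:09 cam01 sshd[1206]: Accepted publickey for ops from 203.0.113.5 port 40000 ssh2
May 20 10:01:10 cam01 sshd[1207]: Failed password for admin from 198.51.100.15 port 51327 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def parse_failed_logins(log_text):
    """Map each source IP to the list of usernames that failed from it."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("ip")].append(m.group("user"))
    return dict(failures)

def detect_distributed_bruteforce(log_text, min_failures=5, min_sources=3):
    """Flag many failures spread over many distinct sources (a list-driven
    botnet rather than a single scanner). Returns (flag, failures, sources)."""
    failures = parse_failed_logins(log_text)
    total = sum(len(users) for users in failures.values())
    sources = len(failures)
    return (total >= min_failures and sources >= min_sources, total, sources)

# --- 2. Impostor systemd services ----------------------------------------
# Constructed unit files: a normal sshd unit and a service that borrows the
# "redis" name but launches a binary from a temp directory (assumed path).
SAMPLE_UNITS = {
    "/lib/systemd/system/ssh.service":
        "[Unit]\nDescription=OpenBSD Secure Shell server\n"
        "[Service]\nExecStart=/usr/sbin/sshd -D\n[Install]\nWantedBy=multi-user.target\n",
    "/etc/systemd/system/redis.service":
        "[Unit]\nDescription=Redis Server\n"
        "[Service]\nExecStart=/tmp/.x/redis\nRestart=always\n"
        "[Install]\nWantedBy=multi-user.target\n",
}
EXECSTART_RE = re.compile(r"^ExecStart=[-@:+!]*(?P<path>\S+)", re.M)
TRUSTED_BIN_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/",
                    "/usr/local/bin/", "/usr/local/sbin/", "/usr/libexec/")

def audit_units(units):
    """Return [(unit_path, exec_path)] for units whose ExecStart binary lives
    outside the trusted directories (e.g. /tmp, /dev/shm, home directories)."""
    findings = []
    for unit_path, text in units.items():
        m = EXECSTART_RE.search(text)
        if m and not m.group("path").startswith(TRUSTED_BIN_DIRS):
            findings.append((unit_path, m.group("path")))
    return findings

# --- 3. Unknown keys in authorized_keys ----------------------------------
# Constructed allowlist and file; the key blobs are placeholders, not real keys.
KNOWN_BLOB = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKNOWNKEYPLACEHOLDER00000000000000"
KNOWN_KEYS = {KNOWN_BLOB}
SAMPLE_AUTHORIZED_KEYS = (
    "# ops team key\n"
    f"{KNOWN_BLOB} ops@jump\n"
    "ssh-rsa AAAAB3NzaC1yc2EUNKNOWNKEYPLACEHOLDER00000000000 nobody\n"
)

def unknown_authorized_keys(text, known=KNOWN_KEYS):
    """Return 'type blob' for every key not on the allowlist; any options
    string (e.g. command="...") before the key type is skipped."""
    unknown = []
    for line in text.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, field in enumerate(fields):
            if field.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(fields):
                blob = f"{field} {fields[i + 1]}"
                if blob not in known:
                    unknown.append(blob)
                break
    return unknown

if __name__ == "__main__":
    print(detect_distributed_bruteforce(SAMPLE_AUTH_LOG))
    print(audit_units(SAMPLE_UNITS))
    print(unknown_authorized_keys(SAMPLE_AUTHORIZED_KEYS))
```

On a real host you would feed parse_failed_logins the output of journalctl -u ssh (or /var/log/auth.log), pass audit_units the contents of every .service file under /etc/systemd/system and /lib/systemd/system, and populate KNOWN_KEYS from your configuration management rather than a literal. The systemd check is deliberately a heuristic: a unit that names a well-known daemon but starts a binary from a temp or user-writable path is the pattern worth a closer look, not proof of compromise.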
Stay vigilant and stay informed about the latest security threats. Follow me on Twitter: @securityaffairs and Facebook and Mastodon for the latest updates on cybersecurity news and tips.