Mirai-based Noabot botnet deploys cryptominer on Linux servers
by Lucian Constantin
CSOonline.com - January 10, 2024
| Remark |
|---|
| malware |
| brute forcing SSH |
| malware campaign |
| botnet |
| cryptocurrency mining malware |
| Linux |
| Mirai |
| worm |
| P2PInfect |
| Redis |
| telemetry |
| Akamai |
| honeypot |
| IP address |
| NoaBot |
| China |
| lateral movement |
| restricting SSH access |
| weak passwords |
| dictionary attack |
| Mirai modified to target SSH |
| DDoS |
| Telnet |
| Mirai source code leaked |
| modular malware |
| persistence |
| SSH key-based authentication |
| low-hanging fruit |
| NoaBot sends a "hi" command over SSH; this is used for detection |
| firewall |
| gcc |
| uClibc |
| compiling against uClibc instead of gcc broke existing Mirai detections |
| attacker adds an SSH key to ~/.ssh/authorized_keys |
| malware downloads and installs additional malware |
| backdoor |
| crontab persistence |
| command-line flags used as a detection for NoaBot |
| xmrig |
| open-source |
| mining pool |
| security researcher |
| mining pool IP addresses as detection mechanism |
| attackers make private mining pool to avoid mining pool detection |
| cryptocurrency wallet |
| Google DNS |
| domain name |
| Rust |
| specific text, lyrics, and jokes inside P2PInfect and NoaBot, used for attribution |
| Lua |
| reverse engineer |
| due to quality of code, it is suspected that the authors are bored or just dipping their toes into malware dev. |
| GitHub repository |
| YARA |
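The persistence and miner indicators noted above (a key appended to authorized_keys, crontab persistence, miner command-line flags, and pool addresses that may be private and therefore not on any IOC list) lend themselves to a host triage check. The script below is an added example, not code from the article or from Akamai's research. All inputs are constructed samples: the key strings, cron lines, process command lines, paths and the pool address are placeholders, not indicators from the report. The option names checked (`-o`/`--url`, `--donate-level`, `--cpu-priority`, and the rest of `MINER_FLAGS`) are real xmrig options, but the page does not say which flags NoaBot's miner uses, so treating them as a signature is this example's assumption.

```python
"""Host triage for NoaBot-style indicators: unknown SSH keys, suspicious cron
entries and xmrig-style miner command lines. All data below is constructed."""
import re
import shlex

# Constructed authorized_keys content; the second key is the hypothetical intruder key.
AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAdminKeyPlaceholder0000000000000000000 admin@laptop
# keys above this line were provisioned by the admin team
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQAttackerKeyPlaceholder11111111111111 root@localhost
"""
# Baseline of keys an administrator knowingly deployed (assumption: kept out of band).
KNOWN_KEYS = {
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAdminKeyPlaceholder0000000000000000000",
}

# Constructed crontab; the last two lines mimic persistence from scratch directories.
CRONTAB = """\
0 3 * * * /usr/local/bin/backup.sh
@reboot /dev/shm/.x/run.sh
*/5 * * * * /tmp/.cache/upd >/dev/null 2>&1
"""

# Constructed process command lines (pool host and wallet are placeholders).
PROCESS_CMDLINES = [
    "/usr/sbin/sshd -D",
    "/tmp/.x/xmrig -o pool.example.invalid:3333 -u 4ABC...wallet --donate-level 0",
    "/var/tmp/.s/kthreadd --url stratum+tcp://203.0.113.10:443 --cpu-priority 5",
    "/usr/bin/python3 /opt/app/worker.py --url https://api.internal/jobs",
]

# Real xmrig option names; using them as a signature is this example's assumption.
MINER_FLAGS = {"--donate-level", "--cpu-priority", "--cpu-max-threads-hint",
               "--randomx-mode", "--coin", "--nicehash"}
SCRATCH_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
STRATUM_RE = re.compile(r"stratum\+(tcp|ssl)://")
HOST_PORT_RE = re.compile(r"[\w.\-]+:\d{2,5}")   # bare host:port, as miners take it
HIDDEN_DIR_RE = re.compile(r"/\.[^/\s]+/")        # a hidden path component


def unknown_authorized_keys(text, known):
    """Return 'type blob' strings present in authorized_keys but absent from the baseline."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # An options field (command="...", no-pty, ...) may precede the key type.
        for i, tok in enumerate(fields):
            if tok.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(fields):
                key = f"{fields[i]} {fields[i + 1]}"
                if key not in known:
                    findings.append(key)
                break
    return findings


def suspicious_cron_entries(text):
    """Flag cron lines that execute from scratch directories or hidden paths."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if any(d in line for d in SCRATCH_DIRS) or HIDDEN_DIR_RE.search(line):
            findings.append(line)
    return findings


def miner_cmdline_reasons(cmdline):
    """Return the reasons a command line looks like a miner; empty list means clean.
    Pool detection keys off -o/--url targets, so a private pool with an unknown
    address is still caught as long as the argument shape is a pool endpoint."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return ["unparseable command line"]
    if not argv:
        return []
    reasons = []
    exe = argv[0]
    if exe.rsplit("/", 1)[-1].lower() == "xmrig":
        reasons.append("binary named xmrig")
    if exe.startswith(SCRATCH_DIRS) or "/." in exe:
        reasons.append(f"executable in scratch or hidden path: {exe}")
    for i, tok in enumerate(argv):
        target = None
        if tok in ("-o", "--url") and i + 1 < len(argv):
            target = argv[i + 1]
        elif tok.startswith("--url="):
            target = tok[len("--url="):]
        if target and (STRATUM_RE.match(target) or HOST_PORT_RE.fullmatch(target)):
            reasons.append(f"pool-style -o/--url target: {target}")
        if tok in MINER_FLAGS:
            reasons.append(f"xmrig option {tok}")
    return reasons


def triage():
    """Run all three checks over the constructed samples."""
    return {
        "unknown_keys": unknown_authorized_keys(AUTHORIZED_KEYS, KNOWN_KEYS),
        "cron": suspicious_cron_entries(CRONTAB),
        "miners": {c: r for c in PROCESS_CMDLINES if (r := miner_cmdline_reasons(c))},
    }


if __name__ == "__main__":
    for section, hits in triage().items():
        print(section, hits)
```

On a live host the same functions would be fed `~/.ssh/authorized_keys` for each user, the output of `crontab -l` plus `/etc/cron.d`, and `/proc/*/cmdline`; the pool-address IOC list that a private pool defeats is deliberately not part of the logic.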