Akamai security researchers recently uncovered a dangerous crypto-mining campaign named NoaBot, which has been active since early 2023. This botnet, based on the infamous Mirai botnet, leverages the SSH protocol to propagate itself onto Linux-based IoT devices. The worm on which NoaBot is based, primarily used for distributed denial-of-service (DDoS) attacks, has evolved over time, spawning numerous variants since the original Mirai botnet was identified back in 2016.
NoaBot: A Modified Botnet with Self-Spreading Worm and SSH Backdoor
NoaBot, a modified bot created by attackers, now includes a worm for self-propagation and an SSH key backdoor. This backdoor allows the botnet to download and execute additional malicious binary files or spread to other victims. The attack uses a specially customized version of XMRig, an open-source cryptocurrency miner. The miner disguises its configuration and uses a custom mining pool to prevent discovery of the wallet address being used.
The NoaBot attack, initially detected by Akamai in early 2023, has evolved since its discovery. Security researchers have identified multiple variations of the malware, which incorporate additional obfuscation techniques and exhibit changes in command-and-control (C2) and mining pool domains. Furthermore, there have been instances where the P2PInfect worm was distributed, suggesting a potential connection between these two campaigns.
To help defenders protect against NoaBot, the Akamai team has published a comprehensive list of indicators of compromise (IoCs) and YARA detection signatures in their GitHub repository. These indicators and signatures can be used to identify NoaBot binary files and take appropriate action. Additionally, security researchers strongly advise restricting SSH access to trusted IP addresses and implementing key-based authentication on IoT devices. Following these recommendations lets users safeguard their networks against the NoaBot attack.
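One way to check a host against the two SSH recommendations above, as an added example (not Akamai's code): this Python sketch reads an sshd_config and reports whether password logins are still possible and whether AllowUsers entries are pinned to trusted source networks. The function names, sample configurations and the 10.20.0.0/16 trusted range are constructed for illustration; it assumes source restriction is expressed as AllowUsers USER@HOST, so firewall rules and Match blocks are not evaluated.

```python
import ipaddress

# Older OpenSSH releases spell the keyboard-interactive switch differently.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def effective_global(config_text):
    """Global-section settings as sshd resolves them: first value per keyword wins."""
    seen, allow_users = {}, []
    for raw in config_text.splitlines():
        parts = raw.strip().replace("=", " ", 1).split()
        if not parts or parts[0].startswith("#"):
            continue
        key, args = ALIASES.get(parts[0].lower(), parts[0].lower()), parts[1:]
        if key == "match":
            break  # conditional Match blocks are not evaluated here
        if key == "allowusers":
            allow_users.extend(args)  # repeated AllowUsers lines accumulate
        else:
            seen.setdefault(key, " ".join(args).lower())
    return seen, allow_users

def source_is_trusted(pattern, trusted):
    """True if a USER@HOST pattern pins the user to an address inside a trusted network."""
    _, sep, host = pattern.rpartition("@")
    if not sep:
        return False  # bare user name: any source address may log in
    try:
        net = ipaddress.ip_network(host, strict=False)
    except ValueError:
        return False  # hostname or wildcard pattern: needs manual review
    return any(net.version == t.version and net.subnet_of(t) for t in trusted)

def audit_sshd_config(config_text, trusted_networks):
    """Return findings for the two recommendations; an empty list means both hold."""
    seen, allow_users = effective_global(config_text)
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    findings = []
    # An absent directive counts as "yes": that is the OpenSSH default for both.
    for key in ("passwordauthentication", "kbdinteractiveauthentication"):
        if seen.get(key, "yes") != "no":
            findings.append(f"{key} is not disabled")
    if seen.get("pubkeyauthentication", "yes") == "no":
        findings.append("pubkeyauthentication is disabled")
    if not allow_users:
        findings.append("no AllowUsers source restriction")
    findings += [f"AllowUsers {p}: source not in a trusted network"
                 for p in allow_users if not source_is_trusted(p, trusted)]
    return findings

# Constructed sample configurations (not taken from any real host).
WEAK = "Port 22\nPermitRootLogin yes\nAllowUsers admin\n"
HARDENED = ("PasswordAuthentication no\nKbdInteractiveAuthentication no\n"
            "AllowUsers admin@10.20.0.0/24 ops@10.20.0.7\n")
```

A hostname or wildcard in AllowUsers is reported as untrusted on purpose, since this check only accepts literal addresses and CIDR ranges.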
Overall, NoaBot poses a serious threat to IoT devices. It is crucial for IoT enthusiasts and users to take the necessary steps to protect their devices and ensure the security of their networks. The release of indicators of compromise and detection signatures by the Akamai team is an important step toward containing this threat and minimizing the risk of crypto-mining attacks.