NoaBot: Latest Mirai-Based Botnet Targeting SSH Servers for Crypto Mining

Security researchers at Akamai have uncovered a new crypto-mining campaign that has been active since the beginning of 2023. These attacks include the use of a new Mirai-based botnet dubbed ‘NoaBot’ which comes with various capabilities including a wormable self-spreader and an SSH key backdoor designed to download and execute additional binaries and spread itself to other systems. A notable aspect of NoaBot is that it is compiled in uClibc, which seems to change how antivirus engines detect the malware. The malware is also statically compiled and stripped of any symbols making reverse engineer challenging.

“Newer samples of the botnet also had their string obfuscated instead of saved as plaintext. This made it harder to extract details from the binary or navigate parts of the disassembly but the encoding itself was unsophisticated and simple to reverse engineer,” stated researchers in their new blog post.

Security Officer Comments:
The crypto miner employed in the latest set of attacks is a modified version of XMRig. Researchers note this miner is capable of obfuscating its configuration and uses a custom mining pool to prevent exposing the wallet addresses employed by the miner. To date, Akamai has identified 849 victim IP addresses residing in several countries across the globe, with the highest concentrations pinpointed in China.

Suggested Corrections:
NaoBot’s spreader module uses an SSH scanner to locate vulnerable servers susceptible to dictionary attacks, which in turn are targeted via brute-forcing. To prevent being a potential victim, organizations should restrict internet SSH access to their networks and employ the use of strong passwords. Akamai has provided a list of passwords used by NaoBot in its brute-force attacks which are available in the GitHub repository below: