A new botnet named PumaBot is targeting IoT devices. These are embedded Linux-based Internet of Things devices. PumaBot is written in the Go programming language. It performs brute-force attacks against SSH instances. This allows it to expand its network. It also delivers additional malware to infected hosts. The botnet retrieves its target list from a C2 server. It does not scan the internet broadly for victims. Initial access comes from successful SSH brute-forcing. It checks for “Pumatronix,” a camera maker string. This indicates specific targeting or exclusion efforts.
PumaBot attempts to disguise its malicious presence. It writes itself into the /lib/redis directory.
This makes it appear like a legitimate Redis file. Persistence is established using systemd service files. These services allow it to survive system reboots. The malware aims to look like a benign process. Observed commands include “xmrig” and “networkxm.” These commands strongly suggest illicit cryptocurrency mining. Darktrace noted the C2 server was down during analysis. Therefore, the full scope of commands is undetermined. Other malicious payloads could also be deployed.
Darktrace uncovered other related malware components.
These components suggest a much broader campaign. A Go-based backdoor called “ddaemon” was found. It retrieves other tools like “networkxm.” “networkxm” is another SSH brute-force utility. Shell scripts like “installx.sh” and “jc.sh” facilitate further infection. They download additional malicious files to the system. A compromised “pam_unix.so” file acts as a rootkit. This rootkit steals login credentials from users. Another binary exfiltrates these stolen credentials to attackers. This indicates a sophisticated multi-stage attack strategy.
The botnet’s SSH brute-force gives it worm-like abilities. Organizations should monitor for anomalous SSH login activity. Failed login attempts are a key indicator. Systemd services should be audited regularly for changes. Authorized_keys files need review for unknown entries. Strict firewall rules can help limit exposure. Darktrace describes PumaBot as a persistent Go-based threat. It leverages automation and credential brute-forcing. It also abuses native Linux tools to maintain control. The botnet shows clear intent to evade defenses. Its targeted nature could lead to deeper infiltrations.
Reference:
