PumaBot, a new Go-based IoT botnet, brute-forces SSH to deploy cryptominers & credential stealers. Learn how it evades detection, persists via systemd, and how to protect Linux devices from this high-risk threat.
A new Go-based botnet named PumaBot is actively targeting Linux-based IoT devices, abusing weak SSH credentials to spread, deploy cryptojacking payloads, and steal login data.
Security researchers at Darktrace uncovered this threat, noting its worm-like propagation, persistence mechanisms, and evasion tactics—making it a critical concern for enterprises and IoT manufacturers.
How PumaBot Works: SSH Brute-Force Attacks & Malware Delivery
PumaBot’s infection chain follows a multi-stage process:
1. Target Acquisition – Instead of scanning the internet at random, it fetches a pre-selected list of target IPs from its C2 server (ssh.ddos-cc[.]org).
2. SSH Brute-Forcing – Tries credential lists against hosts with an open SSH port.
3. Honeypot Detection – Checks for signs of a security trap before proceeding (for example, it avoids systems containing "Pumatronix" strings).
4. Persistence & Payload Execution – Installs a systemd unit that masquerades as Redis or MySQL (mysqI.service, with a capital "I" in place of the lowercase "l"), then deploys cryptominers (XMRig, networkxm) and a credential stealer (a trojanized pam_unix.so).
5. Exfiltration – Captured credentials are written to /usr/bin/con.txt and sent out from there.
Key Malware Components
| Component | Function |
|---|---|
| ddaemon | Go-based backdoor fetching networkxm. |
| networkxm | SSH brute-force tool used to spread further; it repeats the botnet’s initial-access stage from the infected host. |
| installx.sh | Downloads & executes jc.sh from 1.lusyn[.]xyz. |
| jc.sh | Replaces the legitimate pam_unix.so with a trojanized copy (rootkit-style). |
| pam_unix.so | Trojanized PAM module that records successful logins (credentials) to /usr/bin/con.txt. |
| "1" binary | Monitors and exfiltrates stolen credentials. |
Why PumaBot is a High-Risk Threat
Self-Propagating Worm Capabilities – Can spread rapidly across vulnerable networks.
Evasion Tactics – Mimics legitimate services (redis.service, mysqI.service) to avoid detection.
Dual Monetization – Combines cryptojacking and credential theft for profit.
Systemd Abuse – Ensures survival after reboots.
How to Protect Your Systems
✅ Monitor SSH Logs – Alert on bursts of failed login attempts from a single source, and on a success that follows such a burst.
✅ Audit authorized_keys – Remove unknown SSH keys.
✅ Harden Firewalls – Restrict SSH exposure, and alert on outbound HTTP requests carrying the unusual header the malware uses for C2 (X-API-KEY: jieruidashabi).
✅ Inspect Systemd Services – Check for rogue entries like redis.service or mysqI.service.
✅ Update Credentials – Enforce strong SSH passwords & key-based authentication.
"PumaBot represents a persistent, automated SSH threat that abuses Linux-native tools to maintain control over infected systems." — Darktrace
FAQs
Q: Is PumaBot targeting only IoT devices?
A: Primarily, but any Linux system with weak SSH security is at risk.
Q: Does it infect Windows or macOS?
A: No—it’s designed for Linux-based embedded systems.
Q: How can I detect PumaBot infections?
A: Look for:
- Unusual redis or mysql services (including the mysqI.service homoglyph).
- CPU spikes (indicating cryptomining).
- Unknown files in /usr/src/bao/ or /lib/redis/.
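The checks from the "How to Protect Your Systems" list and the FAQ above, as an added example that is not code from the article or from Darktrace: a POSIX shell audit for a Linux host or a mounted IoT root filesystem. The indicator names (mysqI.service, /usr/bin/con.txt, /usr/src/bao/, /lib/redis/) are the ones quoted on this page; the directory tree and auth-log lines built by stage_sample_tree are constructed test data, and the pam_unix.so check assumes a dpkg- or rpm-based distribution.

```shell
#!/bin/sh
# Added example (not from the article or the Darktrace report): audit a Linux host
# for the PumaBot indicators named on this page. Pass "/" for the live host or the
# mount point of an IoT root filesystem. Indicator names are the page's; the sample
# tree built by stage_sample_tree is constructed test data.

# Report a systemd unit that looks like PumaBot's masquerade: the mysqI homoglyph
# (capital I standing in for lowercase l) or an ExecStart that runs a binary from
# one of the drop directories the page names (plus the usual tmpfs locations).
suspicious_unit() {
    unit="$1"
    case "$(basename "$unit")" in
        mysqI.service)
            echo "$unit: unit name uses capital I to imitate mysql.service"
            return 0 ;;
    esac
    exec_start=$(sed -n 's/^ExecStart=//p' "$unit" | head -n 1)
    case "$exec_start" in
        /usr/src/bao/*|/lib/redis/*|/tmp/*|/dev/shm/*)
            echo "$unit: ExecStart runs from a drop directory ($exec_start)"
            return 0 ;;
    esac
    return 1
}

# Walk the unit directories under ROOT (empty string means the live host).
find_rogue_units() {
    root="${1%/}"
    for dir in "$root/etc/systemd/system" "$root/lib/systemd/system" \
               "$root/usr/lib/systemd/system"; do
        [ -d "$dir" ] || continue
        for unit in "$dir"/*.service; do
            [ -f "$unit" ] || continue
            suspicious_unit "$unit" || true
        done
    done
}

# Files and directories the page lists as PumaBot artifacts.
find_dropped_files() {
    root="${1%/}"
    for p in /usr/bin/con.txt /usr/src/bao /lib/redis; do
        [ -e "$root$p" ] && echo "$root$p: known PumaBot artifact path"
    done
    return 0
}

# Count "Failed password" lines per source IP in an OpenSSH auth log and print
# "<count> <ip>" for every source at or above THRESHOLD, highest first.
failed_ssh_by_ip() {
    log="$1"; threshold="${2:-10}"
    awk -v t="$threshold" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
    ' "$log" | sort -rn
}

# jc.sh swaps pam_unix.so for a trojanized copy; ask the package manager whether the
# installed PAM modules still match their package (live host only; assumes dpkg/rpm).
verify_pam_module() {
    if command -v dpkg >/dev/null 2>&1; then
        if dpkg -V libpam-modules; then echo "pam: libpam-modules matches its package"
        else echo "pam: libpam-modules differs from its package (see lines above)"; fi
    elif command -v rpm >/dev/null 2>&1; then
        if rpm -V pam; then echo "pam: pam matches its package"
        else echo "pam: pam differs from its package (see lines above)"; fi
    else
        echo "pam: no dpkg/rpm here; compare pam_unix.so against a known-good copy"
    fi
    return 0
}

scan_host() {
    find_rogue_units "$1"
    find_dropped_files "$1"
    for log in "${1%/}/var/log/auth.log" "${1%/}/var/log/secure"; do
        [ -f "$log" ] && failed_ssh_by_ip "$log" 10
    done
    [ "${1%/}" = "" ] && verify_pam_module
    return 0
}

# Constructed sample tree (test data, not a real capture): a legitimate ssh unit, the
# mysqI masquerade unit, the con.txt drop, and an auth log with 12 failures from one IP.
stage_sample_tree() {
    root="${1%/}"
    mkdir -p "$root/etc/systemd/system" "$root/usr/bin" "$root/var/log"
    printf '[Service]\nExecStart=/usr/sbin/sshd -D\n' > "$root/etc/systemd/system/ssh.service"
    printf '[Unit]\nDescription=mysql\n[Service]\nExecStart=/usr/src/bao/bao\nRestart=always\n' \
        > "$root/etc/systemd/system/mysqI.service"
    : > "$root/usr/bin/con.txt"
    i=0
    while [ $i -lt 12 ]; do
        echo "May 20 10:01:$(printf %02d $i) cam01 sshd[1021]: Failed password for root from 203.0.113.5 port 510$i ssh2"
        i=$((i + 1))
    done > "$root/var/log/auth.log"
    echo "May 20 10:02:00 cam01 sshd[1044]: Failed password for admin from 198.51.100.7 port 41000 ssh2" >> "$root/var/log/auth.log"
    echo "May 20 10:02:05 cam01 sshd[1050]: Accepted password for root from 203.0.113.5 port 51100 ssh2" >> "$root/var/log/auth.log"
}

if [ "$#" -gt 0 ]; then
    scan_host "$1"
fi
```

Run it as `sh pumabot_check.sh /` on the live host, or mount a device's root filesystem and pass the mount point. A genuine redis.service is only flagged when its ExecStart runs from one of the drop directories, so review every hit by hand rather than deleting on sight; the brute-force count is a per-source total, so lower the threshold for devices that normally see no SSH logins at all.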