NoaBot Botnet
Threat actors have employed a newly-emerged botnet named NoaBot, which is built upon the Mirai framework, in a crypto-mining initiative. It is believed that the operation has been ongoing since at least the start of 2023. NoaBot boasts features such as a self-spreading worm and an SSH key backdoor, enabling the download and execution of supplementary binaries or the propagation to fresh targets.
Table of Contents
Mirai’s Code is Still being Used for the Creation of New Malware
The Mirai botnet is a notorious malware strain that primarily targets Internet of Things (IoT) devices. The release of the source code enabled other malicious actors to create their own versions of the malware, leading to a proliferation of Mirai-based botnets. This widespread availability of the source code contributed to an increase in the number and scale of IoT-related attacks, posing significant challenges to cybersecurity professionals and device manufacturers. Indeed, numerous variants and spin-offs of the Mirai botnet have emerged since its discovery, each with its own modifications and enhancements. These variants often target specific vulnerabilities or focus on different types of IoT devices. Some of the infamous Mirai-based botnets include Reaper, Satori, and Okiru. One of the more recent, botnets that utilize Mirai's code is InfectedSlurs, which is capable of carrying out Distributed Denial-of-Service (DDoS) attacks.
Specific Characteristics of the NoaBot Botnet
There are indications suggesting a potential connection between NoaBot and another botnet campaign associated with a Rust-based malware family called P2PInfect. This particular malware recently underwent an update to focus on targeting routers and Internet of Things (IoT) devices. The basis for this connection lies in the observation that threat actors have experimented with substituting P2PInfect for NoaBot in recent attacks on SSH servers, hinting at potential efforts to transition to custom malware.
Despite NoaBot being rooted in Mirai, its spreader module employs an SSH scanner to identify servers vulnerable to dictionary attacks, allowing it to conduct brute-force attempts. Subsequently, the malware adds an SSH public key to the .ssh/authorized_keys file, enabling remote access. Optionally, NoaBot can download and execute additional binaries following successful exploitation or propagate itself to new victims.
Notably, NoaBot is compiled with uClibc, altering how security engines detect the malware. While other Mirai variants are typically identified using a Mirai signature, NoaBot's anti-malware signatures categorize it as an SSH scanner or a generic Trojan. In addition to employing obfuscation tactics to complicate analysis, the attack sequence ultimately culminates in the deployment of a modified version of the XMRig coin miner.
NoaBot Is Equipped With Enhanced Obfuscation Features
What sets this new variant apart from other Mirai botnet-based campaigns is its notable omission of information pertaining to the mining pool or wallet address. This absence renders it challenging to gauge the profitability of the illicit cryptocurrency mining operation.
The miner takes additional precautions by obfuscating its configuration and utilizing a customized mining pool, strategically preventing the exposure of the wallet address. This level of preparedness exhibited by the threat actors reflects a deliberate effort to enhance the stealth and resilience of their operation.
As of now, cybersecurity researchers have identified 849 victim IP addresses scattered worldwide, with significant concentrations noted in China. In fact, these incidents constitute nearly 10% of all attacks against honeypots in 2023, underscoring the global reach and impact of this particular variant.
