Full Report
A newly discovered Go-based Linux botnet malware named PumaBot is brute-forcing SSH credentials on embedded IoT devices to deploy malicious payloads. [...]
Analysis Summary
# Tool/Technique: PumaBot
## Overview
PumaBot is a newly identified botnet malware that primarily breaches devices by brute-forcing SSH credentials. Its ultimate goal appears to be targeted infiltration for potential data exfiltration or lateral movement, rather than traditional low-grade botnet activities like DoS attacks.
## Technical Details
- Type: Malware family (Botnet)
- Platform: Linux/Unix systems (Infected devices appear to be IoT/Routers based on context)
- Capabilities: SSH brute-forcing, persistence installation, credential harvesting (local/remote SSH logins), potential data exfiltration.
- First Seen: Unknown (Described as "New" in the context provided)
## MITRE ATT&CK Mapping
Since the primary initial access method described is brute-forcing passwords for remote services, the following mappings are applicable:
- **TA0001 - Initial Access**
  - T1110 - Brute Force
  - T1110.003 - Brute Force: Network Service
- **TA0003 - Persistence**
  - T1543 - Create or Modify System Process
  - T1543.003 - Create or Modify System Process: systemd service
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information (Implied by binary naming/placement)
- **TA0009 - Collection**
  - T1005 - Data from Local System
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- **SSH Brute-Forcing:** Attempts to gain access to devices that have open SSH ports (defaulting to port 22).
- **Target Verification:** Upon successful login, runs `uname -a` to confirm the device is a legitimate target and not a honeypot.
- **Persistence Installation:** Writes its main binary (`jierui`) to `/lib/redis` and sets up a `systemd` service named `redis.service` to ensure persistence across reboots.
- **Secondary Access Maintenance:** Injects its own SSH keys into the `authorized_keys` file to maintain access even if primary malware components are removed.
### Advanced Features
- **Credential Harvesting:** Deploys a PAM (Pluggable Authentication Modules) rootkit that replaces `pam_unix.so`. This module harvests both local and remote SSH login credentials, storing them in `con.txt`.
- **Automated Exfiltration:** A separate binary named "watcher" monitors for the `con.txt` file and automatically exfiltrates the harvested credentials to the C2 server.
- **Targeted Attacks:** The malware appears to be used for targeted infiltration, potentially linked to surveillance/traffic camera systems (indicated by the check for the string "Pumatronix").
- **Self-Updating/Payload Delivery:** Can receive commands to download self-updating scripts or introduce new payloads, like the PAM rootkit.
## Indicators of Compromise
- File Hashes: N/A (Not provided in the context)
- File Names:
  - Main binary: `jierui` (dropped in `/lib/redis`)
  - Service file: `redis.service` (for systemd)
  - Credential file: `con.txt`
  - Watcher binary: `1`
- Registry Keys: N/A (File system based persistence on Linux)
- Network Indicators: C2 servers/domains are not specified in the summary provided, only that exfiltration occurs to the C2.
- Behavioral Indicators:
  - Execution of `uname -a` post-login.
  - Creation/modification of systemd service file (`redis.service`).
  - Modification of SSH `authorized_keys` file.
  - Installation of a malicious PAM module replacing `pam_unix.so`.
  - Frequent creation and immediate wiping of the `con.txt` file followed by suspicious outbound network traffic.
## Associated Threat Actors
- Not explicitly named, but associated with the "PumaBot" botnet.
## Detection Methods
- Signature-based detection: look for the dropped files (`jierui`, `1`, `con.txt`) and the `redis.service` unit file.
- Behavioral detection: monitor for new processes launched from unusual paths (`/lib/redis`), successful SSH logins that follow a burst of failed password attempts, modification of PAM modules (`pam_unix.so`), and writes to `authorized_keys` files.
- YARA rules: likely effective against the known binary names and strings, for example a rule that matches on the "Pumatronix" string.
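As an added example (not code from the report or from any PumaBot analysis), two host-side triage checks for the behavioral indicators above: a detector for a burst of failed SSH password logins followed by a success, run over a constructed auth.log excerpt, and a check for a systemd unit whose `ExecStart` launches from the `/lib/redis` drop path. Hostnames, IPs and the unit text are constructed sample data.

```python
"""Host-side triage checks for the PumaBot indicators listed in this report."""
import re
from collections import defaultdict

# Constructed sample auth.log excerpt (not real data): a password-guessing burst
# from one source that ends in a successful login, the trace the brute-force
# stage described above leaves behind. A later key-based login is benign noise.
SAMPLE_AUTH_LOG = """\
May 20 02:11:01 cam01 sshd[812]: Failed password for root from 203.0.113.7 port 51012 ssh2
May 20 02:11:02 cam01 sshd[812]: Failed password for root from 203.0.113.7 port 51014 ssh2
May 20 02:11:03 cam01 sshd[812]: Failed password for admin from 203.0.113.7 port 51016 ssh2
May 20 02:11:05 cam01 sshd[812]: Failed password for admin from 203.0.113.7 port 51018 ssh2
May 20 02:11:06 cam01 sshd[812]: Accepted password for admin from 203.0.113.7 port 51020 ssh2
May 20 02:13:40 cam01 sshd[990]: Accepted publickey for ops from 192.0.2.5 port 40022 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted password for \S+ from (\S+) port")

def bruteforce_successes(log_text, threshold=3):
    """Source IPs that failed >= threshold password logins and then got one accepted.
    Only password logins count: a successful publickey login is not this signal."""
    failures = defaultdict(int)
    hits = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(1)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m and failures[m.group(1)] >= threshold:
            hits.append(m.group(1))
    return hits

# Constructed systemd unit modelled on the persistence described above (not a
# recovered sample): a service called "redis" that launches from /lib/redis.
SAMPLE_UNIT = "[Service]\nExecStart=/lib/redis/jierui\nRestart=always\n"

def suspicious_unit(unit_text):
    """True if the unit's ExecStart launches anything from the /lib/redis drop
    directory; a packaged Redis server runs from a bin directory, not /lib."""
    for line in unit_text.splitlines():
        if line.startswith("ExecStart="):
            # Drop systemd's executable prefixes (@, -, :, +, !) before comparing.
            exe = (line.split("=", 1)[1].strip().split() or [""])[0].lstrip("-@+!:")
            if exe == "/lib/redis" or exe.startswith("/lib/redis/"):
                return True
    return False
```

Both functions return plain values so they can be fed from a real `/var/log/auth.log` and `/etc/systemd/system/redis.service` in a triage script.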
## Mitigation Strategies
- **Upgrade IoT Firmware:** Update IoT devices to the latest available firmware.
- **Change Defaults:** Change all default SSH credentials immediately.
- **Network Segmentation:** Place IoT devices behind firewalls and isolate them from valuable internal systems.
- **Authentication Hardening:** Use key-based SSH authentication and disable password-based login where possible.
- **Monitor PAM:** Monitor for unauthorized modifications to Pluggable Authentication Modules.
## Related Tools/Techniques
- Other botnets that utilize SSH brute-forcing for initial access (e.g., Mozi, Mirai variants).
- Malware that uses PAM rootkits to steal credentials.