Full Report
Embedded Linux-based Internet of Things (IoT) devices have become the target of a new botnet dubbed PumaBot. Written in Go, the botnet is designed to conduct brute-force attacks against SSH instances to expand in size and scale and deliver additional malware to the infected hosts. "Rather than scanning the internet, the malware retrieves a list of targets from a command-and-control (C2) server
Analysis Summary
# Tool/Technique: PumaBot Botnet
## Overview
PumaBot is a newly identified botnet primarily targeting embedded Linux-based Internet of Things (IoT) devices. Written in Go, its main objectives are to expand its network by brute-forcing SSH credentials, gain initial access, establish persistence, and subsequently conduct cryptocurrency mining operations.
## Technical Details
- Type: Malware family (Botnet)
- Platform: Embedded Linux IoT devices
- Capabilities: SSH brute-forcing, C2 communication, persistence establishment, deployment of a cryptominer (`xmrig`) and of a secondary SSH brute-force tool (`networkxm`) for further spread.
- First Seen: May 2025 (based on article date)
## MITRE ATT&CK Mapping
*Note: Mappings utilize inferred actions based on description.*
- [TA0011 - Command and Control]
- [T1071 - Application Layer Protocol]
- [TA0001 - Initial Access]
- [T1110 - Brute Force]
- T1110.001 - Password Guessing: SSH
- [TA0003 - Persistence]
- [T1543 - Create or Modify System Process]
- T1543.003 - Systemd Service
## Functionality
### Core Capabilities
- **Initial Access:** Retrieves a list of target IP addresses with open SSH ports from a C2 server (`ssh.ddos-cc[.]org`) and executes brute-force attacks against SSH credentials.
- **System Check:** Before proceeding it checks whether the host is a honeypot or an otherwise unsuitable target. It specifically looks for the string "Pumatronix"; the text leaves open whether that string is used to select or to exclude surveillance/traffic camera systems.
- **Information Exfiltration:** Collects and exfiltrates basic system information to the C2 server.
- **Persistence:** Establishes persistence by writing itself to `/lib/redis` (disguised as a Redis file) and creating a `systemd` service file named `redis.service` or `mysqI.service` (note the capital `I` in place of the lowercase `l` in `mysqI`, a homoglyph meant to pass a casual glance at the service list as `mysql`).
### Advanced Features
- **Payload Execution:** Executes commands received from the C2 server. The two commands named explicitly are `xmrig` (a Monero miner, signaling cryptomining) and `networkxm` (the SSH brute-force tool described below, used to expand the botnet from the infected host).
- **Associated Tool Deployment:** Deploys several related binaries as part of a broader campaign:
- **`ddaemon`**: A Go-based backdoor used to retrieve and execute `networkxm` and `installx.sh`.
- **`networkxm`**: An SSH brute-force tool, potentially for secondary expansion or relaying.
- **`installx.sh`**: A shell script used to fetch `jc.sh`, set permissions, execute it, and clear the bash history.
- **`jc.sh`**: Downloads and replaces the legitimate PAM authentication module (`pam_unix.so`) with a malicious version, likely for unauthorized access or credential theft continuation.
## Indicators of Compromise
- File Hashes: [Not specified in the text]
- File Names: `ddaemon`, `networkxm`, `installx.sh`, `jc.sh`, malicious `pam_unix.so`
- Registry Keys: [Not applicable (Linux target)]
- Network Indicators:
- C2 for target list: `ssh.ddos-cc[.]org` (defanged)
- C2 for further scripts: `1.lusyn[.]xyz` (defanged)
- Behavioral Indicators:
- Writing files to `/lib/redis`.
- Creation of systemd services named `redis.service` or `mysqI.service` in `/etc/systemd/system`.
- Execution of `xmrig` or `networkxm` by bare name rather than by full path, which implies the operators rely on a modified `PATH` or on payloads already unpacked into a directory on the `PATH`.
- Modification/replacement of `/lib/pam_unix.so`.
## Associated Threat Actors
- Not named: the Darktrace analysis attributes the activity only to an unnamed botnet operator.
## Detection Methods
- Signature-based detection: Signatures for the specific file names and C2 domains mentioned.
- Behavioral detection:
- Creation of systemd unit files outside package management, especially with look-alike names such as `mysqI.service`; folding `I` and `1` to `l` in unit names and comparing the result against the real daemon names on the box surfaces this class of spoof.
- Execution of cryptomining tools (`xmrig`) on IoT devices, or any unit whose `ExecStart` points at a binary sitting directly under `/lib`, where executables do not normally live.
- Writes to `/lib/pam_unix.so` or to the PAM module directory; verifying the installed module against the package manager's shipped checksums (`dpkg --verify libpam-modules` on Debian-based systems, `rpm -V pam` on RPM-based ones) catches a replaced module.
- YARA rules: [Not available in the text]
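The host-side checks above, as an added example that is not code from the Darktrace report or from the PumaBot samples. It hunts a systemd unit directory for homoglyph-spoofed names and for units that launch `/lib/redis`, and asks the package manager whether `pam_unix.so` still matches its shipped checksum. The spoofed-daemon allowlist, the Debian/RHEL package names and the constructed fixture directory are assumptions; the homoglyph fold (`I`, `1` to `l`) covers the `mysqI` trick the report describes and nothing else.

```shell
#!/bin/sh
# Added example, not code from the Darktrace report or from the PumaBot samples.
# Host-side triage for the persistence artifacts listed above. The spoofed-daemon
# allowlist, the package names and the fixture directory are assumptions.

# normalize_name NAME: fold the homoglyphs used in mysqI.service (capital I and
# digit 1 standing in for lowercase l) back to l, so a spoofed unit name
# collapses onto the daemon name it imitates.
normalize_name() {
    printf '%s' "$1" | tr 'I1' 'll'
}

# check_unit_name NAME: succeed when NAME changes under normalization AND the
# normalized form is a well-known daemon; a genuine mysql.service is untouched.
check_unit_name() {
    norm=$(normalize_name "$1")
    [ "$norm" != "$1" ] || return 1
    case "$norm" in
        mysql.service|mysqld.service|mariadb.service|redis.service|sshd.service|nginx.service)
            return 0 ;;
    esac
    return 1
}

# hunt_units DIR: print one line per finding for the .service files in DIR:
# a spoofed name, or an ExecStart that launches /lib/redis (the report's drop
# path; binaries do not normally live directly under /lib). Exit 0 when
# anything was flagged so callers can branch on it, 1 when the directory is clean.
hunt_units() {
    dir="$1"
    hits=0
    for unit in "$dir"/*.service; do
        [ -f "$unit" ] || continue
        name=$(basename "$unit")
        if check_unit_name "$name"; then
            echo "SPOOFED-NAME $unit"
            hits=$((hits + 1))
        fi
        if grep -q '^ExecStart=.*/lib/redis' "$unit"; then
            echo "LIB-REDIS-EXECSTART $unit"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -gt 0 ]
}

# check_pam_integrity: ask the package manager whether the PAM module package
# still matches its shipped checksums. Matches on the file name only, so it
# works whether the module lives at /lib/pam_unix.so or /lib/*/security/.
# Exit 0 = unchanged, 1 = a pam_unix.so differs from the package, 2 = no
# dpkg/rpm available (compare hashes against a known-good image by hand).
check_pam_integrity() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --verify libpam-modules 2>/dev/null | grep -q 'pam_unix\.so' && return 1
        return 0
    elif command -v rpm >/dev/null 2>&1; then
        rpm -V pam 2>/dev/null | grep -q 'pam_unix\.so' && return 1
        return 0
    fi
    return 2
}

# make_fixture: constructed unit directory for demonstration (not real samples):
# one homoglyph spoof that also runs /lib/redis, one plainly named launcher of
# /lib/redis, and one benign unit. Prints the directory path.
make_fixture() {
    d=$(mktemp -d)
    printf '[Service]\nExecStart=/lib/redis\n' > "$d/mysqI.service"
    printf '[Service]\nExecStart=/lib/redis\n' > "$d/redis.service"
    printf '[Service]\nExecStart=/usr/sbin/cron -f\n' > "$d/cron.service"
    echo "$d"
}

# Live host:  sh pumabot_triage.sh /etc/systemd/system
# Fixture:    sh pumabot_triage.sh --demo
case "${1:-}" in
    "") ;;
    --demo) hunt_units "$(make_fixture)" ;;
    *) hunt_units "$1"; check_pam_integrity; echo "pam_unix.so check exit code: $?" ;;
esac
```

Run it against both `/etc/systemd/system` and `/lib/systemd/system`, since either is a valid drop location for a unit file. A clean result from `check_pam_integrity` only proves the file matches the package database; an attacker who also edits that database defeats it, so on a device you do not trust compare the hash against the same firmware image from a known-good unit.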
## Mitigation Strategies
- Prevention measures: Replace vendor default credentials and enforce strong, unique SSH passwords wherever passwords must remain. Prefer disabling password-based SSH login altogether in favor of key-based authentication; note that keyboard-interactive authentication must be disabled as well, or PAM will still prompt for the Unix password.
- Hardening recommendations: Limit external exposure of SSH ports (e.g., restrict access via firewall rules so only management networks can reach them). Regularly audit `systemd` unit directories (`/etc/systemd/system` and `/lib/systemd/system`) for unit files that no installed package owns. Implement integrity monitoring for critical files such as `/lib/pam_unix.so`.
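The SSH hardening points above as an audit script, an added example rather than anything from the report. It reads an `sshd_config`, resolves each keyword the way `sshd` does (first occurrence wins, anything after the first `Match` line is conditional and is ignored), reports weak or defaulted settings, and writes the hardened fragment it expects. The `MaxAuthTries 3` threshold, the `LoginGraceTime` value and the constructed weak config are assumptions; the quoted defaults are OpenSSH's.

```shell
#!/bin/sh
# Added example, not from the Darktrace report: audits an sshd_config for the
# hardening points in the text and writes a hardened fragment. Thresholds
# (MaxAuthTries 3, LoginGraceTime 20) are assumptions; defaults quoted in the
# comments are OpenSSH's.

# sshd_opt FILE KEYWORD: print the effective global value of KEYWORD, lowercased.
# sshd honours the FIRST occurrence of a keyword, and everything after the first
# "Match" line is conditional, so the scan stops there. Empty output = not set.
# Limitation: only the "Keyword value" form is parsed, not "Keyword=value".
sshd_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match"      { exit }
        tolower($1) == key          { print tolower($2); exit }
    ' "$1"
}

# weak MSG: record one finding (n is the running count owned by the audit).
weak() { echo "WEAK $1"; n=$((n + 1)); }

# audit_sshd_config FILE: print one WEAK line per finding; exit 0 only when clean.
audit_sshd_config() {
    cfg="$1"
    n=0

    # Absent keyword means the default, which for PasswordAuthentication is yes.
    v=$(sshd_opt "$cfg" PasswordAuthentication)
    [ "${v:-yes}" = "no" ] || weak "PasswordAuthentication=${v:-yes (default)}"

    # With UsePAM, keyboard-interactive still prompts for the Unix password even
    # when PasswordAuthentication is off, so it must be disabled too. Older
    # configs spell it ChallengeResponseAuthentication.
    v=$(sshd_opt "$cfg" KbdInteractiveAuthentication)
    [ -n "$v" ] || v=$(sshd_opt "$cfg" ChallengeResponseAuthentication)
    [ "${v:-yes}" = "no" ] || weak "KbdInteractiveAuthentication=${v:-yes (default)}"

    # Default is prohibit-password (key-only root); only "yes" exposes root to guessing.
    v=$(sshd_opt "$cfg" PermitRootLogin)
    [ "${v:-prohibit-password}" != "yes" ] || weak "PermitRootLogin=yes"

    # Keys have to stay on, or the hardened box locks everyone out.
    v=$(sshd_opt "$cfg" PubkeyAuthentication)
    [ "${v:-yes}" = "yes" ] || weak "PubkeyAuthentication=$v"

    # Default is 6; a low cap shortens each connection's guessing window.
    v=$(sshd_opt "$cfg" MaxAuthTries)
    [ "${v:-6}" -le 3 ] || weak "MaxAuthTries=${v:-6 (default)}"

    [ "$n" -eq 0 ]
}

# write_hardened_config FILE: the settings the audit expects. Drop into
# /etc/ssh/sshd_config.d/ (OpenSSH 8.2+) or merge into sshd_config, then run
# `sshd -t` and reload. Confirm a key-based login works BEFORE applying it.
write_hardened_config() {
    cat > "$1" <<'EOF'
# Hardened baseline (added example, not a vendor config)
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 20
EOF
}

# write_weak_config FILE: constructed sample of a vendor-style config. The Match
# block "disables" passwords for one user only, which the audit correctly ignores.
write_weak_config() {
    cat > "$1" <<'EOF'
# Constructed sample, not a real device config
PermitRootLogin yes
PasswordAuthentication yes
Match User admin
    PasswordAuthentication no
EOF
}

# Usage: sh sshd_audit.sh /etc/ssh/sshd_config
case "${1:-}" in
    "") ;;
    *) audit_sshd_config "$1" && echo "OK: $1 meets the baseline" ;;
esac
```

On a live host, `sshd -T` prints the fully resolved configuration (defaults and `Include` files applied), so feeding its output to `audit_sshd_config` is more reliable than reading the file. The network-exposure point is outside this script: it only checks what `sshd` will accept, not who can reach it.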
## Related Tools/Techniques
- Primary mechanism is similar to other IoT botnets utilizing SSH brute-forcing (e.g., Mirai variants).
- The use of SSH brute-forcing aligns with T1110.001.
- Replacing `pam_unix.so` is a technique seen in more advanced Linux malware: a trojanized module sits on the authentication path for every local and SSH login, so it can accept a hard-coded password and record the legitimate credentials it sees, which matches the unauthorized access and credential theft the text suggests.