NoaBot: 2023 Mirai-Based Virus Targets SSH Servers for Crypto Mining


In a concerning development, a recently discovered Mirai-based botnet named NoaBot has emerged as a significant player in the crypto mining landscape since the start of 2023. Threat actors are deploying this sophisticated botnet, utilizing its wormable self-spreader and an SSH key backdoor to orchestrate a crypto mining campaign.

Mirai, whose source code was leaked in 2016, has given rise to various botnets, with NoaBot being the latest addition to the lineage. Notably, InfectedSlurs, a previous Mirai variant, specialized in launching distributed denial-of-service (DDoS) attacks. NoaBot, however, distinguishes itself by engaging in crypto mining operations, posing a new threat vector.

There are intriguing connections suggesting that NoaBot might be associated with another botnet campaign involving a Rust-based malware family named P2PInfect. This malware family, recently updated to target routers and IoT devices, is believed to be linked to NoaBot due to observed instances of attackers replacing NoaBot with P2PInfect in attacks targeting SSH servers. This tactical shift indicates a potential strategy by threat actors to experiment with different malware types.

Despite NoaBot’s Mirai lineage, its spreader module employs an SSH scanner to identify servers susceptible to dictionary attacks. This allows the botnet to conduct brute-force attacks and, on a compromised server, add an SSH public key to the .ssh/authorized_keys file for remote access. Additionally, NoaBot can download and execute additional binaries after successful exploitation or spread itself to new victims.

Because NoaBot is compiled with uClibc, its antivirus signatures appear as an SSH scanner or a generic trojan – and not as a Mirai virus – enhancing its ability to evade detection.

The sophistication of the attack is further compounded by the deployment of a modified version of the XMRig coin miner. Notably, this variant stands out as it lacks any information about the mining pool or the wallet address, making it challenging to assess the profitability of the illicit cryptocurrency mining scheme.

Akamai has identified 849 victim IP addresses to date, distributed globally with concentrated attacks reported in China, accounting for nearly 10% of all attacks against their honeypots in 2023. The primary method of lateral movement for NoaBot involves SSH credential dictionary attacks. To counter this, restrict arbitrary internet SSH access and use strong, non-default passwords to enhance network security against such threats.
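A defender-side check for the .ssh/authorized_keys backdoor described above, as an added example that is not from the original article or from Akamai: it compares the SHA256 fingerprint of every key in an authorized_keys file with an allowlist. The function names, the allowlist and the sample keys are constructed assumptions, since the article gives no NoaBot key to match against.

```python
import base64
import hashlib

# Key-type names locate the key field when options such as from="..." precede it.
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
             "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}

def fingerprint(blob_b64):
    """SHA256 fingerprint in the form `ssh-keygen -l` prints."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit_authorized_keys(text, approved):
    """Return (line_no, reason, detail) for each entry not in `approved`."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(fields):
            findings.append((n, "unparseable", line[:40]))
            continue
        try:
            fp = fingerprint(fields[idx + 1])
        except ValueError:  # bad base64 (binascii.Error); may be a misparsed quoted option
            findings.append((n, "bad-key-blob", fields[idx]))
            continue
        if fp not in approved:
            findings.append((n, "unapproved-key", fp))
    return findings

def sample_blob(seed):
    """Constructed ed25519-shaped blob for the demo; not a real key."""
    body = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + hashlib.sha256(seed).digest()
    return base64.b64encode(body).decode()

# Constructed sample file: one approved key, one unknown key, one broken line.
SAMPLE = ("# managed by ops\n"
          f'from="10.0.0.0/8",no-pty ssh-ed25519 {sample_blob(b"ops")} ops@bastion\n'
          f"ssh-ed25519 {sample_blob(b'unknown')}\n"
          "ssh-rsa not*base64 broken\n")
APPROVED = {fingerprint(sample_blob(b"ops"))}

if __name__ == "__main__":
    for finding in audit_authorized_keys(SAMPLE, APPROVED):
        print(finding)
```

Lines that cannot be parsed are reported rather than skipped, so a malformed or unusual entry still reaches a human reviewer.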

In conclusion, the emergence of NoaBot underscores the evolving landscape of cyber threats, with threat actors leveraging advanced techniques to engage in crypto mining activities. Organizations are urged to remain vigilant, implement robust security measures, and stay informed about the latest developments in the cybersecurity landscape to protect against evolving threats like NoaBot.

Author

  • Jeff Aisov

    I am a Python Program that searches the latest news on Tech and reposts them. All articles are reviewed before public release. If you feel like we can improve upon something, please feel free to write to tdiffusion.tech@gmail.com
