New PumaBot Botnet Targets Linux IoT Devices to Steal SSH Credentials and Mine Cryptocurrency


Embedded Linux-based Internet of Things (IoT) devices have become the target of a new botnet called PumaBot.

The botnet, written in Go, is designed to carry out brute-force attacks against SSH instances in order to grow in size and scale and to deliver additional malware to infected hosts.

“The malware does not scan the internet, but instead retrieves a list of targets from a command-and-control (C2) server and attempts to brute-force their SSH credentials,” Darktrace said in an analysis shared with The Hacker News. “Once access is obtained, it receives remote commands and establishes persistence using system service files.”

The botnet malware is designed to obtain initial access by successfully brute-forcing SSH credentials across a list of harvested IP addresses with open SSH ports. The list of target IP addresses is retrieved from an external server (“ssh.ddos-cc(.)org”).

As part of the brute-force attempt, the malware performs various checks to determine whether the system is suitable and not a honeypot. It also checks for the presence of the string “Pumatronix”, a manufacturer of surveillance and traffic camera systems, in order to specifically single out or exclude such devices.

The malware then collects basic system information and exfiltrates it to the C2 server, after which it sets up persistence and executes the commands received from the server.

“The malware attempts to write itself to /lib/redis, disguising itself as a legitimate Redis system file,” Darktrace said. “It then creates a persistent systemd service in /etc/systemd/system, named either redis.service or mysqI.service (note the capital I spelling), depending on what is hard-coded in the malware.”

This gives the impression that the malware is benign and allows it to survive reboots. Two of the commands executed by the botnet are “xmrig” and “networkxm”, which indicates that compromised devices are being used to illicitly mine cryptocurrency.

“I think the ultimate goal is to deploy a cryptominer, given the reference to XMRig, but the C2 was down at the time of analysis, so we can't determine which commands were being sent or received,” the company said. “It could be that another payload, or the cryptominer, was being sent from the C2.”


However, the commands are invoked without a full path, which indicates that the payloads are likely downloaded or unpacked elsewhere on the infected host. Darktrace said its analysis of the campaign also uncovered other related binaries that are deployed as part of a broader campaign:

  • ddaemon is a Go-based backdoor that retrieves the binary “networkxm” into “/usr/src/bao/networkxm” and runs the shell script “installx.sh”.
  • networkxm is an SSH brute-force tool that, like the early stage of the botnet, obtains a password list from the C2 server and attempts to connect via SSH to a list of target IP addresses.
  • installx.sh is used to fetch another shell script, “jc.sh”, from “1.lusyn(.)xyz”.
  • jc.sh is configured to download a malicious “pam_unix.so” file from an external server and use it to replace the legitimate counterpart installed on the machine, then retrieve another binary named “1” from the same server and execute it.
  • pam_unix.so acts as a rootkit that steals credentials by intercepting successful logins and writing them to a file.
  • 1, written to “/usr/bin/”, is used to monitor a file called “con.txt” and exfiltrate its contents to the same server.

Given that the SSH brute-force capability of the botnet malware gives it worm-like functionality, users are advised to regularly audit system services and the authorized_keys file for unknown entries, monitor for repeated failed login attempts, and watch for HTTP requests carrying the unusual header X-API-KEY: Jieruidashabi.
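The persistence technique described above (a binary dropped at /lib/redis, a systemd unit named redis.service or mysqI.service with a capital I standing in for l) and the audit advice in the previous paragraph both translate directly into host-triage checks. The script below is an added example written for this article; it is neither Darktrace's tooling nor anything from the campaign itself. Every function name, the known-good hash you feed to the PAM check, and the sample unit files, log lines and authorized_keys entries built by make_demo are this example's own constructions, so it runs offline without touching a real host.

```shell
#!/usr/bin/env bash
# Added host-triage example for the PumaBot behaviours described in the article (systemd
# disguise, /lib/redis drop path, replaced pam_unix.so, X-API-KEY header, authorized_keys
# review). Not Darktrace's or the malware's code; function names, the known-good-hash input
# and the sample files produced by make_demo are constructed for this example.
set -u

PUMABOT_UNITS="redis.service mysqI.service"   # unit names reported in the analysis
KNOWN_DAEMONS="mysql.service mariadb.service redis.service sshd.service cron.service"

# 1. Audit a systemd unit directory (normally /etc/systemd/system). Flags (a) the reported
#    unit names, (b) names that become a well-known daemon once the capital-I homoglyph is
#    mapped back to l, and (c) ExecStart= targets under /lib/, where no daemon binary lives.
audit_units() {
    dir="$1"
    for unit in "$dir"/*.service; do
        [ -e "$unit" ] || continue
        name=$(basename "$unit")
        case " $PUMABOT_UNITS " in
            *" $name "*) echo "SUSPECT unit-name $name (name reported for PumaBot)" ;;
        esac
        folded=$(printf '%s' "$name" | tr 'I' 'l')
        if [ "$folded" != "$name" ]; then
            case " $KNOWN_DAEMONS " in
                *" $folded "*) echo "SUSPECT homoglyph $name (reads as $folded)" ;;
            esac
        fi
        exec_path=$(sed -n 's/^ExecStart=-\{0,1\}\([^ ]*\).*/\1/p' "$unit" | head -n 1)
        case "$exec_path" in
            /lib/*) echo "SUSPECT execstart $name -> $exec_path (binary under /lib/)" ;;
        esac
    done
    return 0
}

# 2. The drop path named in the analysis. $1 is an optional alternate root for offline use.
check_drop_path() {
    if [ -e "${1:-}/lib/redis" ]; then
        echo "SUSPECT file ${1:-}/lib/redis present"
        return 1
    fi
    return 0
}

# 3. Integrity of the PAM module the campaign replaces. $2 is a known-good SHA-256 taken
#    from a clean host or the distro package; on a live box, dpkg -V libpam-modules or
#    rpm -V pam is the authoritative check, this only compares against the value supplied.
check_pam_unix() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    if [ "$actual" = "$2" ]; then
        echo "OK pam_unix.so matches known-good hash"
        return 0
    fi
    echo "SUSPECT pam_unix.so hash $actual does not match known-good $2"
    return 1
}

# 4. Count requests carrying the unusual header from the article in an HTTP or proxy log.
count_api_key_header() {
    grep -ic 'x-api-key: *jieruidashabi' "$1" || true
}

# 5. List authorized_keys entries (key type and trailing comment) for manual review.
#    Entries with an options prefix (command="...", from="...") show that prefix as the type.
list_authorized_keys() {
    awk '!/^[[:space:]]*(#|$)/ { print $1, (NF >= 3 ? $NF : "(no comment)") }' "$1"
}

# Build constructed sample input so the script runs offline; prints the directory path.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/system"
    printf '[Service]\nExecStart=/lib/redis\n' > "$d/system/redis.service"
    printf '[Service]\nExecStart=/lib/redis\n' > "$d/system/mysqI.service"
    printf '[Service]\nExecStart=/usr/sbin/sshd -D\n' > "$d/system/ssh.service"
    printf 'clean pam_unix.so stand-in\n' > "$d/pam_unix.good"
    printf 'backdoored pam_unix.so stand-in\n' > "$d/pam_unix.bad"
    printf 'GET /api HTTP/1.1 X-API-KEY: Jieruidashabi\nGET / HTTP/1.1\nPOST /x HTTP/1.1 x-api-key: jieruidashabi\n' > "$d/http.log"
    printf '# constructed sample\nssh-ed25519 AAAAC3Nza ops@jump\nssh-rsa AAAAB3Nza\n' > "$d/authorized_keys"
    echo "$d"
}

DEMO=$(make_demo)
GOOD_SHA=$(sha256sum "$DEMO/pam_unix.good" | cut -d' ' -f1)
audit_units "$DEMO/system"
check_drop_path "$DEMO" || true
check_pam_unix "$DEMO/pam_unix.bad" "$GOOD_SHA" || true
echo "X-API-KEY hits: $(count_api_key_header "$DEMO/http.log")"
list_authorized_keys "$DEMO/authorized_keys"
```

On a real host, point audit_units at /etc/systemd/system, call check_drop_path with no argument, and pass check_pam_unix the path of the installed pam_unix.so together with a hash taken from a trusted copy of the package. The homoglyph check is deliberately narrow (only names that fold to a well-known daemon) to keep legitimate mixed-case units from being flagged.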

“The botnet represents a persistent Go-based SSH threat that leverages automation, credentials and native Linux tools to compromise systems,” Darktrace said.

“It demonstrates an intent to mimic legitimate binaries (e.g., Redis), abuse systemd for persistence, and embed fingerprinting logic to avoid detection in honeypots and restricted environments.”
