Thursday, January 23, 2025
HomeCyber AttackMirai-Based NoaBot Launches a DDoS Attack on Linux Devices

Mirai-Based NoaBot Launches a DDoS Attack on Linux Devices

Published on

SIEM as a Service

Follow Us on Google News

Hackers use the Mirai botnet to launch large-scale Distributed Denial of Service (DDoS) attacks by exploiting vulnerable Internet of Things (IoT) devices. 

Mirai’s ability to recruit a massive number of compromised devices allows attackers to do the following things to the targeted online services or websites:

  • Dominate
  • Disrupt

Cybersecurity researchers at Akamai recently discovered a new Mirai-based botnet, “NoaBot, ” that is actively attacking Linux devices.

Document
Free Webinar

Fastrack Compliance: The Path to ZERO-Vulnerability

Compounding the problem are zero-day vulnerabilities like the MOVEit SQLi, Zimbra XSS, and 300+ such vulnerabilities that get discovered each month. Delays in fixing these vulnerabilities lead to compliance issues, these delay can be minimized with a unique feature on AppTrana that helps you to get “Zero vulnerability report” within 72 hours.

Technical Analysis

NoaBot primarily targets Linux IoT devices for DDoS attacks. Mirai botnet was initially identified in 2016, and its source code is publicly available, leading to various variants appearing. 

However, NoaBot initially surfaced in early 2023 and is evolving with:-

  • Obfuscations
  • C2 changes

Not only that even researchers also noted several incidents of dropping P2PInfect worm samples which link both campaigns.

NoaBot mirrors Mirai’s capabilities but diverges in code. Unlike Mirai’s Telnet-based spreader, NoaBot uses SSH with a unique “hi” connection. 

SSH packet with the ‘hi’ string (Source – Akamai)

While embedded song lyrics in early samples remain unexplained, the developers of this botnet removed the lyrics in the later versions. 

NoaBot alters Mirai by employing a distinct SSH credential dictionary and introducing post-breach functions like:-

  • Installing backdoors
  • Spreading to new victims

Unlike Mirai, NoaBot is compiled with uClibc, which helps in altering antivirus detection to SSH scanner or generic trojan signatures, and the following things complicate the reverse engineering:-

  • Statically compiled
  • Symbol-stripped
  • Obfuscates strings

Newer samples introduce command-line arguments, including “noa” for persistence via crontab entry. The “Noa-” prefix in antivirus detections suggests widespread use and the evolution of post-breach operations.

The miner is a self-compiled XMRig variant that extracts configurations before execution. However, instead of using the following things, it introduces code before mining logic:

  • Command line
  • Plaintext

The XMRig configuration usually reveals the following things:

  • Mining pool details
  • Wallet addresses

Apart from this, the threat actors evade detection by dynamically modifying the command line and encrypting the pool details by communicating with Google’s DNS for domain resolution.

In 2023, 849 source IPs globally attacked honeypots, with a notable hotspot in China contributing to 10% of all attacks. 

Global geolocation heatmap of NoaBot attack sources (Source – Akamai)

849 distinct IP addresses hit honeypots in 2023. Their global activity is quite evenly distributed, according to their geolocation data. Given that the software is wormable, it stands to reason that each new victim also becomes an attacker. On the other hand, China is the standout location for all the action.

Recommendations

To secure networks, cybersecurity researchers recommend:

  • Limit SSH access.
  • Always use strong passwords.
  • Do not use any default or used passwords. 
  • Shared malware credential sets on GitHub aid protection. 
  • Monitor the binary names, process names, and cron jobs to detect the malware. 
  • Access IOC CSV files and YARA signatures in the repository. 
  • Test environments with an Infection Monkey configuration.
  • Employ the cryptojacking plug-in to assess defenses against stronger credentials.

Try Kelltron’s cost-effective penetration testing services to assess and evaluate the security posture of digital systems –

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...

Tycoon 2FA Phishing Kit Using Specially Crafted Code to Evade Detection

The rapid evolution of Phishing-as-a-Service (PhaaS) platforms is reshaping the threat landscape, enabling attackers...

Nnice Ransomware Attacking Windows Systems With Advanced Encryption Techniques

CYFIRMA's Research and Advisory team has identified a new strain of ransomware labeled "Nnice,"...

Microsoft Unveils New Identity Secure Score Recommendations in General Availability

Microsoft has announced the general availability of 11 new Identity Secure Score recommendations in...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Microsoft Unveils New Identity Secure Score Recommendations in General Availability

Microsoft has announced the general availability of 11 new Identity Secure Score recommendations in...

Murdoc Botnet Exploiting AVTECH Cameras & Huawei Routers to Gain Complete Control

Researchers have identified an active malware campaign involving a Mirai botnet variant, dubbed Murdoc,...

New Supply Chain Attack Targeting Chrome Extensions to Inject Malicious Code

A sophisticated supply chain attack targeting Chrome browser extensions has come to light, potentially...