New PumaBot Botnet Targets Linux IoT Devices to Steal SSH Credentials and Mine Crypto

Embedded Linux-based Internet of Things (IoT) devices have become the target of a new botnet dubbed PumaBot.

Written in Go, the botnet is designed to conduct brute-force attacks against SSH instances to expand in size and scale and deliver additional malware to the infected hosts.

“Rather than scanning the internet, the malware retrieves a list of targets from a command-and-control (C2) server and attempts to brute force SSH credentials,” Darktrace said in an analysis shared with The Hacker News. “Upon gaining access, it receives remote commands and establishes persistence using system service files.”

✔ Approved From Our Partners

Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.

Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).

➤ Activate Your Coupon Code

The botnet malware is designed to obtain initial access via successfully brute-forcing SSH credentials across a list of harvested IP addresses with open SSH ports. The list of IP addresses to target is retrieved from an external server (“ssh.ddos-cc[.]org”).

As part of its brute-force attempts, the malware also performs various checks to determine if the system is suitable and is not a honeypot. Furthermore, it checks the presence of the string “Pumatronix,” a manufacturer of surveillance and traffic camera systems, indicating either an attempt to specifically single them out or exclude them.

The malware then proceeds to collect and exfiltrate basic system information to the C2 server, after which it sets up persistence and executes commands received from the server.

“The malware writes itself to /lib/redis, attempting to disguise itself as a legitimate Redis system file,” Darktrace said. “It then creates a persistent systemd service in /etc/systemd/system, named either redis.service or mysqI.service (note the spelling of mysql with a capital I) depending on what has been hardcoded into the malware.”

In doing so, it allows the malware to give the impression that it’s benign and also survive reboots. Two of the commands executed by the botnet are “xmrig” and “networkxm” indicating that the compromised devices are being used to mine cryptocurrency in an illicit manner.

However, the commands are launched without specifying the full paths, an aspect that signals that the payloads are likely downloaded or unpacked elsewhere on the infected host. Darktrace said its analysis of the campaign uncovered other related binaries that are said to be deployed as part of a broader campaign –

• ddaemon, a Go-based backdoor which is retrieve the binary “networkxm” into “/usr/src/bao/networkxm” and execute the shell script “installx.sh”
• networkxm, an SSH brute-force tool that functions similar to the botnet’s initial stage by fetching a password list from a C2 server and attempts to connect via SSH across a list of target IP addresses
• installx.sh, which is used to retrieve another shell script “jc.sh” from “1.lusyn[.]xyz,” grant it read, write, and execute permissions for all access levels, run the script, and clear bash history
• jc.sh, which is configured to download a malicious “pam_unix.so” file from an external server and use it to replace the legitimate counterpart installed on the machine, as well as retrieve and run another binary named “1” from the same server
• pam_unix.so, which acts as a rootkit that steals credentials by intercepting successful logins and writing them to the file “/usr/bin/con.txt”
• 1, which is used to monitor for the file “con.txt” being written or moved to “/usr/bin/” and then exfiltrate its contents to the same server

Given that the SSH brute-force capabilities of the botnet malware lends it worm-like capabilities, users are required to keep an eye out for anomalous SSH login activity, particularly failed login attempts, audit systemd services regularly, review authorized_keys files for the presence of unknown SSH keys, apply strict firewall rules to limit exposure, and filter HTTP requests with non-standard headers, such as X-API-KEY: jieruidashabi.

“The botnet represents a persistent Go-based SSH threat that leverages automation, credential brute-forcing, and native Linux tools to gain and maintain control over compromised systems,” Darktrace said.

“By mimicking legitimate binaries (e.g., Redis), abusing systemd for persistence, and embedding fingerprinting logic to avoid detection in honeypots or restricted environments, it demonstrates an intent to evade defenses.”

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.