NoaBot Worm Infects Linux Devices with Cryptocurrency Miners
Researchers at Akamai have discovered a new botnet called NoaBot that is attacking servers worldwide. NoaBot is based on the self-propagating Mirai worm, but instead of using Telnet, it leverages SSH for its attacks and installs a cryptocurrency miner on infected systems.
NoaBot Targets Linux Devices
According to experts, NoaBot has been targeting Linux devices and has been active since at least January 2023. Unlike the original Mirai malware, which focused on DDoS attacks, NoaBot uses a modified version of the XMRig miner to mine cryptocurrency.
NoaBot Activity Observed by Akamai
Akamai specialists have been monitoring NoaBot’s activity for the past 12 months. So far, they have identified 849 unique IP addresses worldwide that are launching attacks, most of which are likely already infected with NoaBot.
How NoaBot Works
At first glance, NoaBot may seem like just another Mirai variant combined with an XMRig cryptominer, both of which are common today. However, researchers note that the malware’s obfuscation and modifications to the original source code reveal a much more sophisticated threat.
One of the most interesting features of NoaBot is how it uses the XMRig miner. Typically, after a miner is installed, funds are sent to wallets specified in the configuration, which is passed to the miner via the command line on the infected device. This lets researchers identify the wallet addresses and the amounts they receive, which is a risk to the operators of the malicious campaign.
NoaBot uses a different technique to prevent such tracking. The malware stores its configuration in an encrypted or obfuscated form and only decrypts it after loading XMRig into memory. It then replaces the internal variable that usually holds the command-line configuration parameters and hands control over to XMRig.
Other Notable Features of NoaBot
- The malware is compiled using the uClibc library, whereas the standard Mirai uses GCC. This alternative library appears to change how antivirus products detect NoaBot, often classifying it as an SSH scanner or generic trojan rather than Mirai malware.
- NoaBot is statically compiled, making reverse engineering significantly more difficult.
- Strings are obfuscated and not stored in plain text, further complicating analysis for reverse engineers.
- The NoaBot binary runs from a randomly generated folder in the /lib directory, making infection harder to detect.
- The standard Mirai password dictionary has been replaced with a new, much larger list, so large that Akamai deemed it impractical to check it in full. Additionally, the usual Mirai Telnet scanner has been replaced with a custom SSH scanner.
- The malware has multiple post-infection capabilities, including installing a new authorized SSH key as a backdoor, downloading and executing additional binaries, and spreading to new devices.
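The behaviours listed above (password guessing over SSH, a binary dropped into a randomly named directory under /lib, and an injected authorized_keys entry) each leave a trace a host owner can check for. The following script is an added example, not code from Akamai or from the article, and all of its sample data (log lines, key material, directory names, IP addresses) is constructed for illustration rather than taken from any real indicator. It assumes the standard OpenSSH "Failed password" log format and that the host keeps a baseline of approved SSH keys and of the directories that package management placed under /lib.

```python
"""Host triage checks for the NoaBot behaviours described in the article:
SSH password guessing, an injected authorized_keys entry, and a binary run
from a randomly named directory under /lib. Added example with constructed
sample data; none of the values below are real indicators."""
import re
from collections import Counter

# 1. SSH password guessing: count failed password attempts per source IP in
#    sshd log lines (standard OpenSSH "Failed password for ... from ..." format).
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

def failed_login_stats(log_lines):
    """Return {source_ip: (attempts, distinct_usernames)}."""
    attempts = Counter()
    users = {}
    for line in log_lines:
        m = FAILED_RE.search(line)
        if m:
            attempts[m["ip"]] += 1
            users.setdefault(m["ip"], set()).add(m["user"])
    return {ip: (n, len(users[ip])) for ip, n in attempts.items()}

def password_guessing_sources(log_lines, min_attempts=5):
    """Sources with at least min_attempts failures, the signature of a dictionary scanner."""
    stats = failed_login_stats(log_lines)
    return sorted(ip for ip, (n, _) in stats.items() if n >= min_attempts)

# 2. authorized_keys entries whose key material is not in the approved set.
#    Entries may carry an options prefix (e.g. "no-pty"), so locate the
#    key-type token first. Types outside this list are surfaced as unparsable.
KEY_TYPE_RE = re.compile(r"^(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+)$")

def unknown_authorized_keys(authorized_keys_text, approved):
    """approved: set of (key_type, base64_key) tuples from a managed baseline."""
    unknown = []
    for raw in authorized_keys_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        idx = next((i for i, t in enumerate(parts) if KEY_TYPE_RE.match(t)), None)
        if idx is None or idx + 1 >= len(parts):
            unknown.append(line)  # unparsable entry: surface it for review
        elif (parts[idx], parts[idx + 1]) not in approved:
            unknown.append(line)
    return unknown

# 3. Directories under /lib that are absent from the package-manager baseline.
#    A name made only of letters and digits, mixing both, is flagged as random-looking.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[a-zA-Z])[a-zA-Z0-9]{8,}$")

def unexpected_lib_dirs(current_dirs, baseline_dirs):
    """Return (dirname, looks_random) for each directory not in the baseline."""
    return [(d, bool(RANDOM_NAME_RE.match(d)))
            for d in sorted(set(current_dirs) - set(baseline_dirs))]

# Constructed sample inputs (hypothetical log lines, keys and directory names).
SAMPLE_LOG = [
    "Jan 10 03:14:01 host sshd[2101]: Failed password for root from 198.51.100.23 port 41022 ssh2",
    "Jan 10 03:14:02 host sshd[2101]: Failed password for invalid user admin from 198.51.100.23 port 41023 ssh2",
    "Jan 10 03:14:02 host sshd[2101]: Failed password for invalid user pi from 198.51.100.23 port 41024 ssh2",
    "Jan 10 03:14:03 host sshd[2101]: Failed password for invalid user ubnt from 198.51.100.23 port 41025 ssh2",
    "Jan 10 03:14:03 host sshd[2101]: Failed password for root from 198.51.100.23 port 41026 ssh2",
    "Jan 10 03:20:11 host sshd[2140]: Failed password for alice from 203.0.113.7 port 50011 ssh2",
    "Jan 10 03:20:15 host sshd[2140]: Accepted publickey for alice from 203.0.113.7 port 50011 ssh2",
]
SAMPLE_AUTHORIZED_KEYS = """\
# managed by config management
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleManagedKey000000000000000000000 alice@laptop
no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUnexpectedKeyMaterial injected
"""
APPROVED_KEYS = {("ssh-ed25519", "AAAAC3NzaC1lZDI1NTE5AAAAIExampleManagedKey000000000000000000000")}
SAMPLE_LIB_DIRS = ["modules", "firmware", "systemd", "udev", "x86_64-linux-gnu", "q7zk2m9rtx1b"]
BASELINE_LIB_DIRS = ["modules", "firmware", "systemd", "udev", "x86_64-linux-gnu"]

if __name__ == "__main__":
    print("password guessing from:", password_guessing_sources(SAMPLE_LOG))
    print("unknown authorized_keys:", unknown_authorized_keys(SAMPLE_AUTHORIZED_KEYS, APPROVED_KEYS))
    print("unexpected /lib dirs:", unexpected_lib_dirs(SAMPLE_LIB_DIRS, BASELINE_LIB_DIRS))
```

On the sample data the script reports the single scanning source, the one `ssh-rsa` entry that is not in the approved set, and the one alphanumeric directory that package management never created. The baseline-diff approach for /lib is deliberate: a random-name heuristic alone would miss a dropper that picks a plausible-looking name, whereas anything outside the package inventory is worth a look regardless of how it is spelled.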
Possible Connection to P2PInfect Botnet
Experts believe there are signs that NoaBot may be linked to another well-known botnet, P2PInfect. This theory is based on evidence that attackers have experimented with using P2PInfect instead of NoaBot in recent SSH server attacks, suggesting that hackers may be transitioning to a new custom malware.