A new and increasingly sophisticated botnet, PumaBot, is making waves in the cybersecurity community for its targeted attacks on Linux IoT devices. Unlike traditional botnets, PumaBot doesn’t just scan the internet for vulnerable systems. Instead, it uses a more calculated method, fetching a list of targets from a command-and-control (C2) server to brute-force SSH credentials. This approach, along with other unique tactics, has cybersecurity researchers concerned about its potential for widespread damage. In this article, we’ll dive deeper into how PumaBot works, its features, and the implications for users of Linux IoT devices.
PumaBot: A New Threat to Linux IoT Devices
PumaBot is a Go-based Linux botnet that primarily targets Internet of Things (IoT) devices. What sets it apart from typical botnets is its method of operation. Rather than scanning the internet randomly, PumaBot retrieves a list of potential targets from a command-and-control server. This server provides a list of IP addresses that likely have open SSH ports, which PumaBot then uses to attempt brute-force logins.
Once PumaBot successfully accesses a device, it executes a series of commands that help it maintain persistence on the device. Researchers from Darktrace noted that the malware interacts with system service files, ensuring it can continue running even after the device reboots. PumaBot’s ability to disguise itself as a legitimate system file further helps it evade detection, making it harder for security systems to identify and eliminate it.
PumaBot vs. Pumatronix: Targeting IoT Devices
One of the most interesting features of PumaBot is its targeting strategy. After obtaining the list of IP addresses, the malware specifically targets devices with open SSH ports. It also checks for the presence of Pumatronix devices, a company that manufactures surveillance and traffic camera systems. This suggests that PumaBot may be either evading certain devices or deliberately targeting IoT equipment.
Before executing its payload, PumaBot runs a series of environment checks, using functions like “trySSHLogin()” to ensure the device is not a honeypot or otherwise unsuitable for execution. It also collects detailed system information, including the output of the “uname -a” command, which reveals the OS, kernel version, and architecture; this data, together with the device’s IP address, is sent back to the C2 server in a JSON payload, where it can be analyzed for further exploitation.
Escalating Threat: Malicious Components and Persistence
Beyond its initial actions, PumaBot adds its own SSH keys to users’ authorized_keys files, ensuring it maintains access to the device even if the SSH service is removed. Additionally, Darktrace researchers discovered related binaries that seem to be part of a larger Linux-targeted campaign. These binaries include:
ddaemon: A Go-based backdoor.
networkxm: A brute-force SSH tool.
Pam_unix.so_v131: A rootkit that steals login credentials.
1: A binary used for monitoring malicious files.
These components work in tandem to further compromise devices. For instance, networkxm behaves similarly to PumaBot, checking its integrity and contacting the C2 server for updates. Pam_unix.so_v131 steals user credentials by interrupting login attempts and storing the information for later use.
A Semiautomated Botnet Campaign
While PumaBot
What Undercode Says:
Undercode believes that the PumaBot campaign represents a significant shift in the tactics employed by botnets targeting IoT devices. Traditionally, botnets would use mass scanning techniques to identify vulnerabilities, but PumaBot’s method of targeting specific devices with open SSH ports is much more efficient and calculated. By pulling a list of targets from a central server, PumaBot can focus its efforts on the most vulnerable devices, reducing the chances of detection and increasing its chances of success.
Furthermore, the inclusion of components like Pumatronix-specific checks and rootkits suggests that PumaBot’s creators are actively evolving their tactics. This isn’t just a case of one-time exploitation, but rather a sustained campaign designed to infiltrate, control, and potentially exfiltrate sensitive data from IoT devices.
The fact that PumaBot is semiautomated suggests that it can scale rapidly. Once one device is compromised, it can serve as a stepping stone to further infections. This means that organizations and individuals with vulnerable Linux-based IoT devices need to adopt a proactive security strategy to combat this growing threat.
Fact Checker Results:
1. PumaBot’s Targeting Method: Darktrace’s findings about
2. Persistence Mechanism: The inclusion of SSH keys and disguising itself as system files confirms PumaBot’s focus on maintaining long-term access to infected devices.
3. Malicious Binaries: The related binaries, such as ddaemon and networkxm, highlight PumaBot’s broad functionality and its integration into a larger botnet campaign.
Prediction:
Given PumaBot’s method of operation, it is likely to continue evolving and may become even more sophisticated in its targeting tactics. As the botnet is semiautomated, we can expect to see a significant increase in its activity over the coming months, especially as it adapts to evade detection by cybersecurity systems. For Linux IoT device users, it’s crucial to monitor for unusual SSH login attempts and regularly audit system configurations to mitigate the risk of infection. The future of botnet campaigns like PumaBot may involve even more automation, making it harder for traditional defenses to keep up.
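Defender-side example, added here and not taken from Darktrace or the article: a small Python audit that applies the two checks recommended above to constructed sample data. It scans an sshd log excerpt for a brute-force run from one source that ends in a successful login, and compares an authorized_keys file against an assumed inventory of sanctioned key comments (KNOWN_KEY_COMMENTS and all sample values are assumptions).

```python
import re
from collections import Counter

# Constructed auth.log excerpt (not real data): four failures then a success from one IP.
AUTH_LOG = """\
May 28 10:01:02 cam01 sshd[2201]: Failed password for root from 203.0.113.5 port 40110 ssh2
May 28 10:01:03 cam01 sshd[2203]: Failed password for admin from 203.0.113.5 port 40112 ssh2
May 28 10:01:04 cam01 sshd[2205]: Failed password for invalid user pi from 203.0.113.5 port 40114 ssh2
May 28 10:01:05 cam01 sshd[2207]: Failed password for root from 203.0.113.5 port 40116 ssh2
May 28 10:01:06 cam01 sshd[2209]: Accepted password for root from 203.0.113.5 port 40118 ssh2
May 28 10:05:00 cam01 sshd[2300]: Accepted publickey for ops from 192.0.2.10 port 51000 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port")


def brute_force_then_success(log, threshold=3):
    """Return (source_ip, user, failures) for every accepted login that was
    preceded by at least `threshold` failed passwords from the same source."""
    failures = Counter()
    hits = []
    for line in log.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if m and failures[m.group(2)] >= threshold:
            hits.append((m.group(2), m.group(1), failures[m.group(2)]))
    return hits


# Constructed authorized_keys content (fake keys); the second entry is unsanctioned.
AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyForOpsUser0000000000000000000000 ops@mgmt
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFakeUnknownKey000000000000000000000 unknown-comment
"""
KNOWN_KEY_COMMENTS = {"ops@mgmt"}  # assumption: the site's inventory of approved key comments


def unexpected_keys(authorized_keys, known_comments):
    """Return authorized_keys lines whose comment is missing or not in the inventory."""
    flagged = []
    for line in authorized_keys.splitlines():
        parts = line.split()
        if len(parts) >= 2 and (len(parts) < 3 or parts[2] not in known_comments):
            flagged.append(line)
    return flagged
```

In production, read the real /var/log/auth.log (or journalctl output) and each user's ~/.ssh/authorized_keys in place of the constructed strings, and alert on any non-empty result.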
References:
Reported By: www.darkreading.com