‘Yet another Mirai-based botnet’ is spreading an illicit cryptominer


A well-designed operation is using a version of the infamous Mirai malware to secretly distribute cryptocurrency mining software, researchers said Wednesday.

Calling it NoaBot, researchers at Akamai said the campaign has been active for about a year, and it has various quirks that complicate analysis of the malware and point to highly-skilled threat actors.

The NoaBot botnet spreads over the Linux SSH protocol, which provides secure remote access to a computer or server over a network. As part of the attack, the malware installs a modified version of the XMRig miner on infected devices.
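The article only says that NoaBot spreads over SSH. As an added example, not code from the article or from Akamai's report, the following script shows the kind of check a defender can run against sshd authentication logs to spot a host that was reached through credential guessing: a burst of failed password logins from one source followed by an accepted password login from the same source. It assumes password guessing as the spread mechanism (typical of Mirai variants, though the article does not spell it out), and the log lines, thresholds and function names are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines for the example (not from the article
# or from any real incident). 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges.
SAMPLE_LOG = """\
Jan 10 03:14:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 10 03:14:02 host sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Jan 10 03:14:03 host sshd[1203]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jan 10 03:14:04 host sshd[1204]: Failed password for invalid user pi from 203.0.113.5 port 51237 ssh2
Jan 10 03:14:05 host sshd[1205]: Failed password for root from 203.0.113.5 port 51238 ssh2
Jan 10 03:14:07 host sshd[1206]: Accepted password for root from 203.0.113.5 port 51239 ssh2
Jan 10 03:20:11 host sshd[1300]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Jan 10 03:25:40 host sshd[1301]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

# Matches the standard OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(log_text, year=2024):
    """Turn sshd log text into (timestamp, result, method, user, ip) tuples.
    syslog lines carry no year, so one is supplied (assumption for the example)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd line, ignore
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events


def find_bruteforce_then_success(events, threshold=5, window=timedelta(seconds=60)):
    """Return (ip, user, failures, success_time) for every source IP that
    accumulates at least `threshold` failed password logins inside `window`
    and then gets an accepted password login. Key-based logins are ignored
    because they are not the product of password guessing."""
    hits = []
    failures = defaultdict(list)  # ip -> timestamps of recent failures
    for ts, result, method, user, ip in events:
        if method != "password":
            continue
        if result == "Failed":
            # keep only failures still inside the sliding window
            failures[ip] = [t for t in failures[ip] if ts - t <= window]
            failures[ip].append(ts)
        else:  # Accepted password
            recent = [t for t in failures[ip] if ts - t <= window]
            if len(recent) >= threshold:
                hits.append((ip, user, len(recent), ts))
    return hits


if __name__ == "__main__":
    for ip, user, n, when in find_bruteforce_then_success(parse(SAMPLE_LOG)):
        print(f"{when}: {ip} logged in as {user} after {n} failed password attempts")
```

On the constructed input, only 203.0.113.5 is reported: five failures in four seconds followed by a successful root password login. The second source fails once and then authenticates with a key, which the sliding window and the method filter both rule out. Such a hit is a prompt to look at what the session did next, for example whether a miner process or an unexpected Unix socket appeared on the host, rather than a verdict on its own.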

The Akamai researchers said that the details get fuzzier from there. The hackers take great care to hide the wallet address where the cryptominer sends mined coins. And other aspects of the campaign are difficult to size up.

“The malware obfuscation and custom code show a high level of operation security, which usually indicates mature threat actors, but the naming of the malware’s binaries and some of its included strings are quite childish,” the researchers said. “This complicates attribution.”

For example, the malware calls one Unix socket “NunzombiE” and also includes lyrics from the pop song “Who’s Ready for Tomorrow” by Rat Boy and IBDY.

“As far as we can tell, those lyrics served no purpose. Later samples did not have them,” the researchers said.

NoaBot does appear to have links, though, to P2PInfect, a worm first identified in July 2023. The most recent incidents spotted by Akamai used that malware instead of the original Mirai-based code.

“How do we know that it’s the same threat actors, not just some sort of collaboration? We aren’t 100% certain, but we’re close,” the researchers said. “It all boils down to the technical professionalism in the malware, coupled with a teenager’s maturity level in terms of inside jokes, including inserting profanities in the miner’s name, embedding gaming pop song lyrics in malware binaries, and sending ‘hi’ while scanning for open ports.”

Mirai variants proliferated after its original U.S.-based creators published the source code in 2016. Originally used for distributed denial-of-service (DDoS) attacks, Mirai eventually became a tool for other malicious activities.

In fact, the Akamai researchers said they might have ignored NoaBot — “yet another Mirai-based botnet” — if some of its attributes hadn’t been a bit odd. It helped “that NoaBot samples aren’t immediately detected as Mirai,” said Stiv Kupchik, a security researcher at Akamai.

“We usually dismiss Mirai samples because they’re so prevalent,” Kupchik said.

The Akamai researchers said they hope their discoveries will be useful the next time the operation pops up.

“On the surface, NoaBot isn’t a very sophisticated campaign — it’s “just” a Mirai variant and an XMRig cryptominer, and they’re a dime a dozen nowadays,” the researchers said. “However, the obfuscations added to the malware and the additions to the original source code paint a vastly different picture of the threat actors’ capabilities.”

Jonathan Greig contributed to this story.


Joe Warminsky is the news editor for Recorded Future News. He has more than 25 years experience as an editor and writer in the Washington, D.C., area. Most recently he helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.

