The worm is a customized version of Mirai, the botnet malware that infects Linux-based servers, routers, web cameras, and other so-called Internet of Things devices. Mirai came to light in 2016 when it was used to deliver record-setting distributed denial-of-service attacks that paralyzed key parts of the Internet that year. The creators soon released the underlying source code, a move that allowed a wide array of crime groups from around the world to incorporate Mirai into their own attack campaigns. Once taking hold of a Linux device, Mirai uses it as a platform to infect other vulnerable devices, a design that makes it a worm, meaning it self-replicates. 该蠕虫是 Mirai 的定制版本,Mirai 是一种僵尸网络恶意软件,可感染基于 Linux 的服务器、路由器、网络摄像头和其他所谓的物联网设备。Mirai 于 2016 年曝光,当时它被用于提供创纪录的分布式拒绝服务攻击,导致当年互联网的关键部分瘫痪。创作者很快发布了底层源代码,此举允许来自世界各地的众多犯罪集团将 Mirai 纳入他们自己的攻击活动中。一旦掌握了 Linux 设备,Mirai 就会将其用作感染其他易受攻击设备的平台,这种设计使其成为蠕虫,这意味着它可以自我复制。
Dime-a-dozen malware with a twist
Traditionally, Mirai and its many variants have spread when one infected device scans the Internet looking for other devices that accept Telnet connections. The infected devices then attempt to crack the telnet password by guessing default and commonly used credential pairs. When successful, the newly infected devices target additional devices using the same technique. Mirai has primarily been used to wage DDoSes. Given the large amounts of bandwidth available to many such devices, the floods of junk traffic are often huge, giving the botnet as a whole tremendous power.
On Wednesday, researchers from network security and reliability firm Akamai revealed that a previously unknown Mirai-based network they dubbed NoaBot has been targeting Linux devices since at least last January. Instead of targeting weak telnet passwords, the NoaBot targets weak passwords connecting SSH connections. Another twist: Rather than performing DDoSes, the new botnet installs cryptocurrency mining software, which allows the attackers to generate digital coins using victims’ computing resources, electricity, and bandwidth. The cryptominer is a modified version of XMRig, another piece of open source malware. More recently, NoaBot has been used to also deliver P2PInfect, a separate worm researchers from Palo Alto Networks revealed last July.
Akamai has been monitoring NoaBot for the past 12 months in a honeypot that mimics real Linux devices to track various attacks circulating in the wild. To date, attacks have originated from 849 distinct IP addresses, almost all of which are likely hosting a device that’s already infected. The following figure tracks the number of attacks delivered to the honeypot over the past year.
“On the surface, NoaBot isn’t a very sophisticated campaign—it’s ‘just’ a Mirai variant and an XMRig cryptominer, and they’re a dime a dozen nowadays,” Akamai Senior Security Researcher Stiv Kupchik wrote in a report Wednesday. “However, the obfuscations added to the malware and the additions to the original source code paint a vastly different picture of the threat actors’ capabilities.”
The most advanced capability is how NoaBot installs the XMRig variant. Typically, when crypto miners are installed, the wallets’ funds are distributed to are specified in configuration settings delivered in a command line issued to the infected device. This approach has long posed a risk to threat actors because it allows researchers to track where the wallets are hosted and how much money has flowed into them.
NoaBot uses a novel technique to prevent such detection. Instead of delivering the configuration settings through a command line, the botnet stores the settings in encrypted or obfuscated form and decrypts them only after XMRig is loaded into memory. The botnet then replaces the internal variable that normally would hold the command line configuration settings and passes control to the XMRig source code.
Kupchik offered a more technical and detailed description:
In the XMRig open source code, miners can accept configurations in one of two ways — either via the command line or via environment variables. In our case, the threat actors chose not to modify the XMRig original code and instead added parts before the main function. To circumvent the need for command line arguments (which can be an indicator of compromise IOC and alert defenders), the threat actors had the miner replace its own command line (in technical terms, replacing argv) with more “meaningful” arguments before passing control to the XMRig code. The botnet runs the miner with (at most) one argument that tells it to print its logs. Before replacing its command line, however, the miner has to build its configuration. First, it copies basic arguments that are stored plaintext— the rig-id flag, which identifies the miner with three random letters, the threads flags, and a placeholder for the pool’s IP address (Figure 7).
Curiously, because the configurations are loaded via the xmm registers, IDA actually misses the first two loaded arguments, which are the binary name and the pool IP placeholder. 奇怪的是,由于配置是通过 xmm 寄存器加载的,因此 IDA 实际上错过了前两个加载的参数,即二进制名称和池 IP 占位符。
Next, the miner decrypts the pool’s domain name. The domain name is stored, encrypted, in a few data blocks that are decrypted via XOR operations. Although XMRig can work with a domain name, the attackers decided to go the extra step, and implemented their own DNS 接下来,矿工解密矿池的域名。域名被存储、加密,存储在几个数据块中,这些数据块通过XOR操作解密。尽管 XMRig 可以使用域名,但攻击者决定采取额外的步骤,并实施自己的 DNS resolution function. They communicate directly with Google’s DNS server (8.8.8.8) and parse its response to resolve the domain name to an IP address. 解析功能。它们直接与 Google 的 DNS 服务器 (8.8.8.8) 通信,并解析其响应以将域名解析为 IP 地址。
The last part of the configuration is also encrypted in a similar way, and it is the passkey for the miner to connect to the pool. All in all, the total configuration of the miner looks something like this: 配置的最后一部分也以类似的方式加密,它是矿工连接到矿池的密钥。总而言之,矿机的总配置如下所示:
-o --rig-id --threads –pass espana*tea
Notice anything missing? Yep, no wallet address. 发现有什么遗漏了吗?是的,没有钱包地址。
We believe that the threat actors chose to run their own private pool instead of a public one, thereby eliminating the need to specify a wallet (their pool, their rules!). However, in our samples, we observed that miner’s domains were not resolving with Google’s DNS, so we can’t really prove our theory or gather more data from the pool, since the domains we have are no longer resolvable. We haven’t seen any recent incident that drops the miner, so it could also be that the threat actors decided to depart for greener pastures 我们认为,威胁行为者选择运行自己的私人池而不是公共池,从而消除了指定钱包(他们的池,他们的规则!然而,在我们的样本中,我们观察到矿工的域名没有用谷歌的DNS解析,所以我们无法真正证明我们的理论或从池中收集更多数据,因为我们拥有的域名不再是可解析的。我们最近没有看到任何让矿工掉落的事件,所以也可能是威胁行为者决定离开去更绿色的牧场
