In recent cybersecurity developments, a novel Mirai-based botnet known as Mirai NoaBot has emerged, posing a significant threat to Linux servers since the start of 2023. Akamai’s telemetry data, derived from honeypots, reveals a steady growth in NoaBot infections, with a peak in size recorded just last month.
This blog post delves into the FTC warning on NoaBot malware, shedding light on the botnet's origin, modus operandi, and the measures organizations can take to protect their systems.
Unveiling Mirai NoaBot’s Tactics
Akamai researchers uncovered that NoaBot relies on SSH credential dictionary attacks for lateral movement. Over 800 unique IP addresses worldwide display signs of infection, and 10% of them are traced back to China. NoaBot exploits an SSH server weakness often overlooked by organizations – plain old SSH credentials. The FTC alert on crypto server attacks emphasizes the growing threat landscape in the digital space.
Evolution from Mirai to NoaBot
Mirai, initially a DDoS botnet in 2016, set the stage for subsequent Linux self-propagating botnets, with some focusing on DDoS attacks, others on crypto-mining, and a few on both. NoaBot, a derivative of Mirai, stands out for its modifications, primarily replacing the Telnet scanner with an SSH scanner. 
This shift makes sense, as Linux servers, unlike embedded devices, are more likely to have SSH enabled. Therefore, protecting against Mirai NoaBot is paramount for ensuring the security of Linux servers in the face of evolving cyber threats.
NoaBot’s Unique Features
The creators of NoaBot implemented significant alterations to the Mirai source code, giving the bot a distinctive identity. They switched the compiler from GCC to uClibc, rendering its binary code significantly different from Mirai. Notably, NoaBot’s SSH scanner leaves a clear signature – upon an accepted SSH connection, the botnet client sends the unconventional message “hi,” which can be used to create a firewall signature.
Persistence Mechanisms and Backdoor Functionality
NoaBot introduces a persistence mechanism named “noa,” ensuring its continued presence even if password-based authentication is disabled. This mechanism involves adding an attacker-controlled key to the SSH authorized_keys file. Moreover, the crypto-mining bot acts as a backdoor, downloading additional binaries and creating a crontab entry to ensure it starts after a system reboot.
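As an added example (not from this post or from Akamai's report), a small Python audit that flags authorized_keys entries outside an allowlist of issued keys and crontab lines that run at reboot or launch from a temporary or hidden path, the two persistence traits described above; the file contents and the "noa" key comment are constructed sample data.

```python
import re

# Constructed sample data: one user's authorized_keys and crontab, each with
# a single entry standing in for NoaBot-style persistence (hypothetical).
AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGx6Q7YbY9TbLqa2L4r0Q1Q5xVbJ0QmF2dZ1u9fHq3Zk ops@bastion
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7 noa
"""
CRONTAB = """\
0 3 * * * /usr/local/bin/backup.sh
@reboot /home/ops/.noa/miner >/dev/null 2>&1
"""

# Keys the organization actually issued, identified by type and base64 blob.
KNOWN_KEYS = {
    ("ssh-ed25519", "AAAAC3NzaC1lZDI1NTE5AAAAIGx6Q7YbY9TbLqa2L4r0Q1Q5xVbJ0QmF2dZ1u9fHq3Zk"),
}
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def unknown_keys(text):
    """Return (key type, comment) for every key line not in KNOWN_KEYS."""
    found = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        # Drop a leading options field ("from=...", "no-pty") if present.
        if not parts[0].startswith(("ssh-", "ecdsa-", "sk-")):
            parts = parts[1:]
        if len(parts) < 2:
            continue
        ktype, blob, comment = parts[0], parts[1], " ".join(parts[2:])
        if (ktype, blob) not in KNOWN_KEYS:
            found.append((ktype, comment))
    return found


def suspicious_cron(text):
    """Return crontab lines that run at reboot or from a temp/hidden path."""
    hits = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        # "@reboot CMD" has one schedule field; ordinary entries have five.
        cmd = line.split(None, 1)[1] if line.startswith("@") else " ".join(line.split()[5:])
        hidden_dir = re.search(r"/\.[^/\s]+/", cmd) is not None
        if line.startswith("@reboot") or cmd.startswith(SUSPECT_DIRS) or hidden_dir:
            hits.append(line)
    return hits
```

Run it against the real files (`~/.ssh/authorized_keys`, `crontab -l`) and treat any hit as a lead to investigate, not proof of infection.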
Crypto Mining Server Attacks
NoaBot incorporates XMRig, a widely used open-source cryptocurrency mining program. The threat actors behind NoaBot have, however, made advanced modifications to XMRig, concealing and encrypting its configuration, particularly the IP address of the mining pool. Notably, the researchers speculate that the threat actors run a private pool, eliminating the need to specify a wallet and thereby maintaining control over the collected cryptocurrency.
P2PInfect Connection
The Akamai researchers have identified a potential connection between NoaBot’s creators and a custom version of P2PInfect, a self-replicating worm written in Rust. P2PInfect targets Redis servers, exploiting a Lua vulnerability. 
While it remains unclear why the threat actors shifted from Mirai to P2PInfect, the researchers suggest that the use of custom code may indicate a desire for increased difficulty in reverse engineering.
Mirai NoaBot Protection Protocols
Cybersecurity for SSH servers is a critical aspect of safeguarding sensitive data and maintaining network integrity. Akamai’s team has proactively shared a list of indicators of compromise on their GitHub repository, along with YARA detection signatures tailored to identify NoaBot binaries.
In addition to utilizing these resources, organizations are strongly advised to adopt standard SSH hardening practices. This includes restricting SSH access to trusted IP addresses and implementing key-based authentication, which are effective measures against dictionary attacks.
Conclusion
As the cybersecurity landscape continues to evolve, Mirai NoaBot cyber threats highlight the importance of proactive defense measures. By understanding the tactics employed by such botnets and adopting best practices, organizations can fortify their systems against unauthorized access, data breaches, and potential disruption. Vigilance, continuous monitoring, and adherence to security protocols are paramount in safeguarding against the ever-adapting security risks to IoT devices.
Organizations must stay informed about emerging malicious activities in cryptocurrency mining and leverage the available resources for detection and prevention. In addition, they must also consider automated patching solutions to minimize downtime and ensure robust security protocols.
The sources for this piece include articles in The Hacker News and CSO.
The post Mirai NoaBot: Protect Servers From Crypto Mining Threats appeared first on TuxCare.
*** This is a Security Bloggers Network syndicated blog from TuxCare authored by Wajahat Raja. Read the original post at: https://tuxcare.com/blog/mirai-noabot-protect-servers-from-crypto-mining-threats/