IoT Security / Cryptocurrency | June 18, 2025

New Go-Based Botnet Targets Linux IoT Devices to Steal SSH Credentials and Mine Crypto

A newly discovered botnet called PumaBot is targeting Linux-based IoT devices using SSH brute-force attacks to gain access, install malware, and mine cryptocurrency while evading detection through clever persistence techniques.

By Kyle

A newly discovered malware campaign dubbed 🐾 PumaBot is actively targeting Linux-based IoT devices, using Go-based tooling to perform SSH brute-force attacks and install cryptominers on compromised systems.

🚪 Initial Access

Instead of scanning the internet for vulnerable hosts itself, PumaBot connects to a C2 server (ssh.ddos-cc[.]org) to retrieve a list of IP addresses with open SSH ports. It then brute-forces login credentials against those hosts and uses any successful login to gain remote access.

Once inside, PumaBot:

  • Exfiltrates system information 🧠
  • Establishes persistence 🔒
  • Executes remote commands from the attacker 💻

πŸ•΅οΈ Detection Evasion

To avoid detection, the malware:

  • Writes itself to /lib/redis, mimicking a Redis system file
  • Creates a fake systemd service in /etc/systemd/system (e.g., redis.service or mysqI.service, the latter spelled with a capital I in place of the l so it passes a casual glance)
  • Checks for honeypot environments
  • Searches for the string "Pumatronix" to either target or avoid specific hardware

💸 Cryptojacking Activity

PumaBot is suspected to deploy the XMRig miner by executing commands such as xmrig and networkxm. Because these commands are issued without full paths, the actual binaries are believed to be downloaded or extracted elsewhere on the system and resolved through the PATH at execution time.

🧩 Additional Components

Darktrace’s investigation revealed several related tools and scripts:

  • ddaemon 🐚: Go-based backdoor that retrieves networkxm and runs installx.sh
  • networkxm 🔑: Brute-force tool that fetches password lists and scans other IPs
  • installx.sh 📜: Downloads jc.sh from 1.lusyn[.]xyz, makes it executable, runs it, and clears bash history
  • jc.sh 🧪: Replaces pam_unix.so with a malicious version and downloads a binary named 1
  • pam_unix.so 🕳️: Malicious replacement PAM module (described in the report as a rootkit) that logs credentials from successful logins to /usr/bin/con.txt
  • 1 📤: Watches for the con.txt file and exfiltrates its contents to the C2
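Because the PAM replacement above survives a reboot and leaves sshd itself untouched, the practical check is package integrity rather than process inspection. The following is an added example (not code from Darktrace or the article): it parses `rpm -Va` or `dpkg -V` output and flags files under a PAM module directory whose digest, size or mode no longer match the installed package. The verification lines embedded below are constructed, not captured; the flag letters follow the rpm/dpkg verification format.

```python
"""Triage package-manager verification output for a replaced pam_unix.so.

Added example, not Darktrace's or the article's code. The sample output is
constructed; run `rpm -Va | python3 pam_triage.py` (or `dpkg -V | ...`) on a
real host to feed it genuine data.
"""
import re
from pathlib import PurePosixPath

# One verification line: 9 attribute flags ('.' = passed, '?' = not tested,
# letter = failed), an optional file-type marker (rpm: c/d/g/l/r/m, dpkg: c
# for conffile), then the absolute path.
VERIFY_RE = re.compile(r"^([SM5DLUGTP.?]{9})\s+(?:[cdglrm]\s+)?(/\S+)\s*$")
FLAG_MEANING = {"S": "size", "M": "mode", "5": "digest", "D": "device",
                "L": "symlink", "U": "owner", "G": "group", "T": "mtime",
                "P": "capabilities"}

# Constructed sample: first two lines in `rpm -Va` form, last two in `dpkg -V` form.
SAMPLE_VERIFY_OUTPUT = """\
S.5....T.    /usr/lib64/security/pam_unix.so
.......T.    /usr/lib64/security/pam_env.so
??5?????? c /etc/ssh/sshd_config
??5??????   /lib/x86_64-linux-gnu/security/pam_unix.so
"""


def failed_checks(flags):
    """Map a 9-character flag field to the names of the attributes that failed."""
    return [FLAG_MEANING[c] for c in flags if c in FLAG_MEANING]


def pam_integrity_findings(verify_output, pam_dirs=("security",)):
    """Return [(path, [failed_attributes])] for files whose parent directory is a
    PAM module directory and whose digest, size or mode differ from the package.

    mtime-only drift is ignored: it is common after upgrades and is not by
    itself evidence that the module was replaced.
    """
    findings = []
    for line in verify_output.splitlines():
        m = VERIFY_RE.match(line)
        if not m:
            continue  # header lines, "missing" notices, or unparseable output
        flags, path = m.groups()
        if PurePosixPath(path).parent.name not in pam_dirs:
            continue
        failed = failed_checks(flags)
        if set(failed) & {"digest", "size", "mode"}:
            findings.append((path, failed))
    return findings


if __name__ == "__main__":
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_VERIFY_OUTPUT
    for path, failed in pam_integrity_findings(data):
        print(f"{path}: {', '.join(failed)} differ from package; compare against a clean copy")
```

One caveat a responder should keep in mind: an attacker who already has root can also alter the rpm or dpkg database, so a clean result from a local verify is only a first filter. Confirm a suspect module against the vendor's published package or a known-good host before trusting it, and treat every account that logged in after the replacement as exposed, since the trojanized module records those credentials.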

⚠️ Security Recommendations

Given PumaBot’s worm-like behavior, security teams are advised to:

  • πŸ” Monitor for unusual or failed SSH login attempts
  • 🧾 Regularly audit systemd services
  • πŸ” Review authorized_keys for unknown entries
  • 🚫 Enforce strict firewall rules to limit SSH exposure
  • 🚦 Filter HTTP traffic with suspicious headers like X-API-KEY: jieruidashabi
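The following added example (not code from Darktrace or the article) turns the detection-evasion indicators and the first three recommendations above into host-side checks: a failed-login counter over sshd log lines that also flags sources which eventually succeeded, a systemd unit audit that catches look-alike names such as mysqI.service and binaries dropped directly under /lib, and an authorized_keys review against an allowlist. The auth.log lines, unit files, key blobs, the five-failure threshold, the KNOWN_SERVICES list and the confusable-character map are all constructed assumptions for the demonstration.

```python
"""Host-side hunting checks for PumaBot-style SSH brute force, look-alike systemd
units, and unknown authorized_keys entries.

Added example; not code from Darktrace or the article. All inputs below are
constructed sample data, not captures from an infected device.
"""
import re
from collections import Counter
from pathlib import PurePosixPath

# --- 1. SSH brute force: count failures per source, flag sources that later succeed ---
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for \S+ from (\S+) port")

SAMPLE_AUTH_LOG = """\
May 28 10:01:02 cam1 sshd[811]: Failed password for root from 203.0.113.7 port 41022 ssh2
May 28 10:01:03 cam1 sshd[811]: Failed password for root from 203.0.113.7 port 41023 ssh2
May 28 10:01:04 cam1 sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 41024 ssh2
May 28 10:01:05 cam1 sshd[813]: Failed password for root from 203.0.113.7 port 41025 ssh2
May 28 10:01:06 cam1 sshd[814]: Failed password for root from 203.0.113.7 port 41026 ssh2
May 28 10:01:09 cam1 sshd[815]: Accepted password for root from 203.0.113.7 port 41027 ssh2
May 28 10:05:00 cam1 sshd[820]: Failed password for pi from 198.51.100.9 port 5022 ssh2
"""


def ssh_bruteforce_sources(log_text, threshold=5):
    """Return (noisy, compromised): noisy = {ip: failures} for sources at or above
    threshold; compromised = those noisy IPs that also produced an Accepted login."""
    failures, accepted = Counter(), set()
    for line in log_text.splitlines():
        if (m := FAILED_RE.search(line)):
            failures[m.group(1)] += 1
        elif (m := ACCEPTED_RE.search(line)):
            accepted.add(m.group(1))
    noisy = {ip: n for ip, n in failures.items() if n >= threshold}
    return noisy, {ip for ip in noisy if ip in accepted}


# --- 2. systemd units: look-alike names and binaries placed directly in /lib ---
KNOWN_SERVICES = {"redis", "mysql", "mariadb", "sshd", "cron", "nginx", "docker"}  # assumed baseline
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "0": "o"})  # minimal, assumed map
SCRATCH_DIRS = {"/tmp", "/var/tmp", "/dev/shm", "/lib", "/usr/lib"}  # no real daemon lives directly here

SAMPLE_UNITS = {
    "redis.service": "[Service]\nExecStart=/lib/redis\nRestart=always\n",
    "mysqI.service": "[Service]\nExecStart=/lib/redis\n",
    "nginx.service": "[Service]\nExecStart=/usr/sbin/nginx -g 'daemon on;'\n",
}


def audit_units(units):
    """units: {unit_file_name: unit_file_text}. Returns [(unit, reason), ...]."""
    findings = []
    for name, text in units.items():
        base = name.removesuffix(".service")
        normalized = base.translate(CONFUSABLES).lower()
        if normalized in KNOWN_SERVICES and base.lower() != normalized:
            findings.append((name, f"look-alike of {normalized}.service"))
        m = re.search(r"^ExecStart=(\S+)", text, re.M)
        if m:
            exe = PurePosixPath(m.group(1).lstrip("-@+!:"))  # drop systemd ExecStart prefixes
            if str(exe.parent) in SCRATCH_DIRS:
                findings.append((name, f"ExecStart binary placed directly in {exe.parent}"))
    return findings


# --- 3. authorized_keys: any key not on the allowlist is a finding ---
SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample; blobs are placeholders, not real key material
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedAllowedKeyBlob0000 ops@jump
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedUnknownKeyBlob1111 root@unknown
"""
ALLOWED_BLOBS = {"AAAAC3NzaC1lZDI1NTE5AAAAIConstructedAllowedKeyBlob0000"}


def unknown_authorized_keys(authorized_keys_text, allowed_blobs):
    """Return [(key_type, comment)] for keys whose base64 blob is not allowlisted.
    An allowlist of `ssh-keygen -lf` fingerprints works the same way. Option
    fields containing quoted spaces (command="a b") are not handled here."""
    unknown = []
    for line in authorized_keys_text.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        i = 0 if fields[0].startswith(("ssh-", "ecdsa-", "sk-")) else 1  # skip options field
        if len(fields) < i + 2:
            continue  # malformed line
        ktype, blob, comment = fields[i], fields[i + 1], " ".join(fields[i + 2:])
        if blob not in allowed_blobs:
            unknown.append((ktype, comment))
    return unknown


if __name__ == "__main__":
    noisy, compromised = ssh_bruteforce_sources(SAMPLE_AUTH_LOG)
    print("brute-force sources:", noisy, "| logged in after failures:", compromised)
    for unit, reason in audit_units(SAMPLE_UNITS):
        print(f"systemd: {unit}: {reason}")
    for ktype, comment in unknown_authorized_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWED_BLOBS):
        print(f"authorized_keys: unknown {ktype} key ({comment})")
```

The brute-force check deliberately reports two things: noisy sources, which are background noise on any internet-exposed SSH port, and noisy sources that later got an Accepted line, which on an IoT device is the signal worth paging on. The unit audit flags redis.service not by name (it is a plausible service name) but because its ExecStart points at a file sitting directly in /lib, where no packaged daemon is installed; the mysqI.service entry is caught by the confusable map instead.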

πŸ’‘ PumaBot is a stealthy, Go-based SSH threat using automation, obfuscation, and legitimate-looking files to persist on infected Linux systems. Its focus on evasion and spread highlights the need for robust detection and response mechanisms.

The Hacker News | Darktrace Threat Analysis | May 28, 2025
