NoaBot: A New Worm Targets Linux IoT Devices

NoaBot worm
Global geolocation heatmap of NoaBot attack sources

In a recent report, Akamai, a leading cybersecurity firm, reveals that an unprecedented, self-repairing malware has compromised Linux devices globally over the past year, surreptitiously installing crypto-mining programs that ingeniously conceal their operation.

The worm is a modified version of the Mirai botnet – a malicious software that infects servers, routers, webcams, and other Internet of Things (IoT) devices running on Linux. First emerged in 2016, Mirai was notorious for orchestrating large-scale DDoS attacks. Unlike Mirai, which is aimed at DDoS attacks, this new worm, dubbed NoaBot, installs crypto miners, enabling attackers to exploit the resources of infected devices for cryptocurrency mining.

NoaBot worm

Global geolocation heatmap of NoaBot attack sources

Experts at Akamai highlight NoaBot’s extraordinary capabilities in concealing its actions. The malware employs unconventional libraries and encryption methods to impede detection and analysis.

Distinctive features of this new worm include:

  • Instead of attacking devices through Telnet like the standard Mirai, it exploits vulnerabilities in SSH connections.
  • NoaBot spreads using weak SSH passwords, not Telnet as Mirai did.
  • It installs a modified version of the XMRig crypto miner.
  • The configuration for connecting the miner to a pool is encrypted and decrypted just before launching XMRig, complicating the tracking of attackers’ wallet addresses.
  • It likely utilizes a private pool for mining.

NoaBot disguises its activity using non-standard libraries and string obfuscation, making it harder to detect by antivirus software and analyze the code.

Despite its simplicity, NoaBot demonstrates sophisticated methods of concealing its activity and complicating analysis. Akamai monitored the worm’s activity over the year and recorded attacks from 849 different IP addresses worldwide, suggesting widespread infection.

Akamai has published detailed indicators of compromise (IoCs) that can be used to check devices for infection. The extent of the worm’s spread remains uncertain, but its unconventional methods are causing concern among researchers.

Akamai notes that limiting arbitrary SSH access to networks significantly reduces the risk of infection. Additionally, the use of strong (non-standard or randomly generated) passwords enhances security since the malware uses a basic list of guessable passwords. Specialists have posted the sets of credentials used by the NoaBot worm on GitHub.

At first glance, NoaBot may not seem overly complex. It is a variant of Mirai and the XMRig crypto miner – similar malicious software is quite prevalent. However, the methods of obfuscation and additions to the original code paint a completely different picture of the attackers’ capabilities.