Published on 04:05 PM, January 13, 2024

Unknown worm compromises Linux devices for cryptomining operation

Image caption: Once a Linux device is compromised, Mirai exploits it as a platform to infect other vulnerable devices, defining its classification as a worm due to its self-replicating nature. Image: Xresch/Pixabay

In a concerning revelation, researchers have identified a previously unknown self-replicating malware that has been infiltrating Linux devices worldwide for the past year. This malware, a custom version of Mirai, notorious for infecting Linux-based servers, routers, and Internet of Things (IoT) devices, exhibits a unique modus operandi by installing cryptomining malware with sophisticated concealment techniques.

Mirai, initially exposed in 2016 during record-setting distributed denial-of-service attacks, has since become a widely adopted tool by various cybercriminal groups globally. Once a Linux device is compromised, Mirai exploits it as a platform to infect other vulnerable devices, defining its classification as a worm due to its self-replicating nature.

The newly identified variant, named NoaBot, deviates from Mirai's traditional propagation method. Instead of exploiting Telnet connections with weak passwords, NoaBot targets SSH connections, adding a layer of complexity to its infiltration strategy. What sets NoaBot apart is its shift from typical DDoS attacks associated with Mirai to installing cryptocurrency mining software. This allows threat actors to leverage victims' computing resources, electricity, and bandwidth for mining digital coins.
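As an added example (not code from the article or from Akamai's research), here is the defender's side of the SSH propagation method described above: a small Python check over constructed sshd auth.log lines that flags a source making a burst of failed password attempts against several usernames and records whether a password login from that source succeeded during the burst. The sample lines, the 60-second window and the three-failure threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the syslog format sshd writes to auth.log
# (TEST-NET addresses; not data from the original article).
SAMPLE_AUTH_LOG = """\
Jan 13 04:01:02 host sshd[1201]: Failed password for root from 203.0.113.5 port 40212 ssh2
Jan 13 04:01:03 host sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 40213 ssh2
Jan 13 04:01:04 host sshd[1203]: Failed password for invalid user pi from 203.0.113.5 port 40214 ssh2
Jan 13 04:01:05 host sshd[1204]: Failed password for invalid user ubnt from 203.0.113.5 port 40215 ssh2
Jan 13 04:01:06 host sshd[1205]: Accepted password for root from 203.0.113.5 port 40216 ssh2
Jan 13 04:01:09 host sshd[1206]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Jan 13 04:30:00 host sshd[1207]: Accepted publickey for alice from 198.51.100.7 port 51001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_events(text, year=2024):
    """Parse sshd login lines into (timestamp, ip, result, method, user) tuples.
    syslog lines carry no year, so one is supplied (assumption)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["result"], m["method"], m["user"]))
    return events


def find_credential_attacks(events, threshold=3, window=timedelta(seconds=60)):
    """Flag sources with >= threshold failed passwords inside `window`; also note
    whether a password login from that source was accepted before the window closed."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[2] == "Failed"]
        burst_end = None
        for i, (start, *_) in enumerate(fails):
            if sum(1 for t, *_ in fails[i:] if t - start <= window) >= threshold:
                burst_end = start + window
                break
        if burst_end is None:
            continue  # isolated failures, e.g. a user mistyping a password
        accepted = any(e[2] == "Accepted" and e[3] == "password" and e[0] <= burst_end for e in evs)
        findings[ip] = {"failures": len(fails), "users": sorted({e[4] for e in fails}),
                        "accepted_after_burst": accepted}
    return findings
```

A source that is flagged with `accepted_after_burst` set is the case that matters most here: a weak password was found, and the host may now be seeding further scans.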

Furthermore, NoaBot employs a modified version of XMRig, an open-source cryptomining malware, for its operations. Akamai, a network security and reliability firm, has been monitoring NoaBot for the past 12 months in a honeypot environment that mimics real Linux devices. The attacks, originating from 849 distinct IP addresses, have showcased the botnet's evolving capabilities.

Despite its seemingly straightforward nature, NoaBot introduces obfuscations and source code modifications that underscore the threat actors' sophistication. Notably, the malware installs its XMRig variant with the configuration settings stored in encrypted or obfuscated form. These settings are decrypted only after XMRig is loaded into memory, in place of the conventional command-line configuration, so the mining pool and wallet details never appear in the process's arguments, which enhances the botnet's stealth.