PumaBot: The New Botnet That Puts SSH Credentials in Check

Written by Adrian León | May 29, 2025 1:12:31 AM

A new botnet malware called PumaBot, created in Go and designed to attack Linux-based IoT devices, was recently discovered. How does it work? Basically, it tries to brute-force SSH passwords in order to sneak in and install its malicious software.

The curious thing about PumaBot is that it doesn't go around scanning the entire internet indiscriminately. Instead, it gets straight to the point: it attacks specific IP addresses that it pulls from a list sent by its command server (C2). In other words, it knows exactly who it wants to target.

Surveillance cameras in the crosshairs: How PumaBot works

PumaBot is a botnet that has attracted attention for its targeted and precise behavior. Instead of scanning the entire internet for random victims, this malware receives a list of specific IP addresses from its command and control (C2) server, in this case, ssh.ddos-cc.org.

From that list, it attempts to get in through port 22 (the classic port for SSH connections) using brute-force attacks. In other words, it tries combinations of usernames and passwords until it finds one that works.

During this process, the malware searches for the string “Pumatronix,” which suggests that the main targets could be surveillance camera systems or traffic control devices, probably from a particular vendor.

When it finds a device that matches what it is looking for, PumaBot receives a batch of credentials to test access. If it manages to get in, it runs the uname -a command to obtain information about the system and confirm that it is not a honeypot trap (a common technique for hunting malware).

Once installed, the botnet saves its main file, called “jierui,” in the /lib/redis folder and configures a service called redis.service to start automatically with the system. This allows it to survive reboots and remain active on the device.

To ensure that it cannot be easily removed, it also injects its own SSH key into the authorized_keys file, giving it a permanent backdoor even if someone deletes the main malware. With control secured, PumaBot can receive commands to:

  1. Steal information

  2. Upload more malware

  3. Move laterally to other connected devices

Some of the malicious payloads detected include:

  1. Automatic update scripts that keep the malware up to date

  2. PAM rootkits that replace the pam_unix.so file, which is key to user authentication in Linux

  3. Daemons or hidden processes such as a binary called “1”

One of these malicious PAM (Pluggable Authentication Modules) components captures SSH login data (for both local and remote logins) and saves it to a text file called con.txt. Another component of the malware, known as the “watcher,” constantly monitors that file and exfiltrates the information to the attacker's server as soon as it detects something new.

Writing credentials to a text file (Source: Darktrace)

After stealing the information, PumaBot deletes the text file where it stored the credentials, leaving the system clean and with no obvious traces of what happened. This makes it more difficult for any administrator to detect that there has been an intrusion.
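The artefacts described above (the jierui binary in /lib/redis, the redis.service unit, the injected authorized_keys entry, the con.txt staging file, the binary named “1” and the swapped pam_unix.so) are exactly what an administrator would go looking for on a suspect device. The following script is an added example, not code from the article or from Darktrace: a read-only hunt for those indicators on a Linux host or on a mounted image of one. The paths come from the article; where con.txt lives is not stated, so the script searches the whole filesystem for it, and the dpkg-based check for a modified pam_unix.so is an assumption that only applies to live Debian-family systems.

```shell
#!/bin/sh
# Added example, not code from the article or from Darktrace: a read-only
# hunt for the PumaBot artefacts the write-up names on a Linux host.
# Usage: pumabot_hunt [ROOT]   (ROOT defaults to "/"; point it at a mounted
# image of a suspect device instead of inspecting the live system).
pumabot_hunt() {
    root="${1:-/}"
    # 1. Dropped main binary "jierui" in /lib/redis
    if [ -e "$root/lib/redis/jierui" ]; then
        echo "HIT dropper: $root/lib/redis/jierui"
    fi
    # 2. redis.service persistence: a distro Redis unit runs /usr/bin/redis-server,
    #    never anything out of /lib/redis (the pattern excludes /usr/lib/redis)
    for unit in "$root/etc/systemd/system/redis.service" \
                "$root/lib/systemd/system/redis.service"; do
        if [ -f "$unit" ] && grep -Eq '(^|[[:space:]=])/lib/redis/' "$unit"; then
            echo "HIT persistence: $unit runs something from /lib/redis"
        fi
    done
    # 3. authorized_keys backdoor: print type and comment of every key so an
    #    admin can confirm each one is expected (the key blob is omitted)
    for ak in "$root/root/.ssh/authorized_keys" "$root"/home/*/.ssh/authorized_keys; do
        [ -f "$ak" ] || continue
        while IFS= read -r line; do
            case "$line" in ''|'#'*) continue ;; esac
            echo "REVIEW ssh-key in $ak: $(printf '%s\n' "$line" | awk '{print $1, $3}')"
        done < "$ak"
    done
    # 4. con.txt credential staging file written by the PAM module (location
    #    is not given in the article, so search the whole filesystem)
    find "$root" -xdev -type f -name con.txt 2>/dev/null |
        while IFS= read -r f; do echo "HIT credential log: $f"; done
    # 5. Hidden daemon: an executable regular file literally named "1"
    find "$root" -xdev -type f -name 1 -perm -100 2>/dev/null |
        while IFS= read -r f; do echo "HIT suspicious binary: $f"; done
    # 6. Replaced pam_unix.so (assumption: live Debian/Ubuntu host): let dpkg
    #    compare the installed file against the package's recorded checksum
    if [ "$root" = / ] && command -v dpkg >/dev/null 2>&1; then
        dpkg -V libpam-modules 2>/dev/null | grep pam_unix.so |
            while IFS= read -r l; do echo "HIT pam_unix.so modified: $l"; done
    fi
    return 0
}

# Number of HIT lines, for scripting (REVIEW lines always need a human)
pumabot_hit_count() {
    pumabot_hunt "$1" | grep -c '^HIT' || true
}
```

Run it against a mounted image first (`pumabot_hunt /mnt/suspect`) so the live device is not disturbed; a non-zero hit count is a reason to preserve the device for analysis rather than simply rebooting it.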

For now, it is unclear how large this botnet is or how effective its campaigns have been. There is also no clear data on how many IP addresses are actually on its target list.

What is clear is that PumaBot is not content with just making noise. Instead of using infected devices for more basic tasks such as launching DDoS attacks or creating proxy networks, it seems to be aiming for something more serious: accessing corporate networks from the inside and deepening the attack from there.


How can you protect your IoT devices?

If you have cameras, routers, sensors, or other devices connected to the internet, it's worth taking precautions. Here are some key steps to protect yourself:

  1. Update the firmware to the latest version available.

  2. Change the default passwords (yes, admin/admin won't work!).

  3. Put your devices behind a firewall and limit remote access if you don't need it.

  4. Isolate them from the rest of your network, especially from more sensitive equipment or devices with important data.

At the end of the day, keeping your devices secure is much easier than dealing with an intrusion. Better safe than sorry, right?

Want more comprehensive protection?

Applying best practices such as keeping firmware up to date, changing default passwords, and segmenting networks is an excellent first step. But in the face of increasingly sophisticated threats such as PumaBot, that's often not enough.

That's where TecnetProtect comes in, a solution designed to go far beyond the basics. It offers real-time protection, intrusion detection, constant device monitoring, isolation of sensitive networks, and security patch automation. Everything is designed to shield your infrastructure and prevent attacks like PumaBot from breaking into your network.

And if you already have solutions that protect your data or back up your information, TecnetProtect can perfectly complement that layer of security, focusing on protecting the physical and logical environment where that data resides. The key is to combine different levels of defense:

  1. Protect your data.

  2. Protect your devices.

  3. Protect your network.