
Security risk: NoaBot affects Linux systems

Emergency in Linux-based systems: NoaBot exploits SSH vulnerabilities for covert cryptocurrency mining

NoaBot is a new malware that targets Linux devices for use in cryptocurrency mining. It hides better than other viruses and spreads by cracking weak SSH passwords. Akamai has studied and tracked NoaBot, providing advice on how to recognize and stop it.


NoaBot is a new addition to the cyber threat landscape. The malware is based on the structure of Mirai, which is known for causing havoc in 2016 through DDoS attacks. Unlike its progenitor, NoaBot aims to install cryptominers on Linux devices, exploiting their resources for cryptocurrency mining. Discovered by Akamai, this software attempts to crack vulnerable SSH passwords, showing an evolution in cybercriminals' strategy.

Innovative masking methods for NoaBot

A peculiarity of NoaBot is how it hides its mining activity. Cryptominers normally send the mined cryptocurrency directly to the wallets, a process that researchers can easily trace. NoaBot, on the other hand, encrypts its configuration settings and reveals them only in memory at execution time, replacing the typical configuration variable with its own. This makes it much harder to identify and monitor the attackers' wallets.

Akamai's research and the diffusion of NoaBot

Over the past year, Akamai has used honeypots to track NoaBot activity, identifying attacks from 849 different IPs. These IPs are distributed across the world, with a significant number coming from China. It is unclear whether NoaBot's reach is limited to monitored devices or whether it is broader, making the botnet potentially larger in size.

Recognize and counter NoaBot

To help detect and protect against NoaBot, Akamai has provided a set of indicators of compromise. Because the malware is compiled with the uClibc library rather than GCC like Mirai, antivirus systems classify it differently and it often evades them. It also hides its execution in random folders within the /lib directory. On its blog, Akamai provides a detailed technical analysis and resources such as the Infection Monkey tool to assist in testing and finding infections.
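One check a defender can run for the SSH password guessing described above, as an added example that is not from Akamai or the original article: it flags password logins that succeed after a run of failures from the same source IP. It assumes the standard OpenSSH sshd log message format; the function name, the threshold of 5 and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# OpenSSH sshd message formats as written to auth.log or the journal.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted password for (\S+) from (\S+) port \d+")

def find_guessed_logins(lines, threshold=5):
    """Return (ip, user, failures) for each password login that succeeded
    after at least `threshold` failed attempts from the same source IP.
    The threshold is an assumed tuning value, not one from the article."""
    failures = defaultdict(int)
    hits = []
    for line in lines:
        m = FAILED.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            user, ip = m.groups()
            if failures[ip] >= threshold:
                hits.append((ip, user, failures[ip]))
            failures[ip] = 0  # start a fresh count after any successful login
    return hits

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE_LOG = [
    "Jan 14 20:00:01 host sshd[901]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2",
    "Jan 14 20:00:02 host sshd[902]: Failed password for root from 203.0.113.7 port 40002 ssh2",
    "Jan 14 20:00:03 host sshd[903]: Failed password for invalid user test from 203.0.113.7 port 40003 ssh2",
    "Jan 14 20:00:04 host sshd[904]: Failed password for alice from 198.51.100.20 port 51000 ssh2",
    "Jan 14 20:00:05 host sshd[905]: Accepted password for alice from 198.51.100.20 port 51002 ssh2",
    "Jan 14 20:00:06 host sshd[906]: Failed password for invalid user oracle from 203.0.113.7 port 40004 ssh2",
    "Jan 14 20:00:07 host sshd[907]: Failed password for pi from 203.0.113.7 port 40005 ssh2",
    "Jan 14 20:00:08 host sshd[908]: Failed password for pi from 203.0.113.7 port 40006 ssh2",
    "Jan 14 20:00:09 host sshd[909]: Accepted publickey for bob from 192.0.2.9 port 52000 ssh2",
    "Jan 14 20:00:10 host sshd[910]: Accepted password for pi from 203.0.113.7 port 40007 ssh2",
]

if __name__ == "__main__":
    # On a real host, pass the lines of the sshd auth log instead of SAMPLE_LOG.
    for ip, user, count in find_guessed_logins(SAMPLE_LOG):
        print(f"{ip} logged in as {user} after {count} failed passwords")
```

A hit means an account with a guessable password was accessed and the host should be inspected; disabling SSH password authentication in favour of keys removes this spreading path altogether.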


01/14/2024 20:31

Editorial AI
