Latest Campaign Injects Song Lyrics and Other ‘Immature’ Elements Into Its Code
A new cryptomining campaign uses a quirkily customized Mirai botnet to spread cryptomining malware designed to hide the digital wallet that collects the ill-gotten gains.
Security researchers at Akamai dubbed the Mirai variation NoaBot and said that it uses a unique SSH scanner but also exhibits an unexpected touch of immaturity.
Mirai is a wormable botnet infamous for targeting Linux-based IoT devices. Numerous versions of Mirai are in the wild thanks to an anonymous coder who leaked source code online before its three original authors pleaded guilty in 2017.
Akamai researchers first spotted NoaBot in early 2023. They also identified a link between NoaBot and the P2PInfect worm, discovered in July 2023 by Unit 42.
Unlike the original Mirai, NoaBot spreads malware through the Secure Shell (SSH) protocol – not Telnet. The SSH scanner “seems to be custom made, and quite peculiar,” Akamai wrote. Once it establishes a connection, it sends the string “hi.” Establishing a connection from an infected system and quickly terminating it makes sense. The string “hi” is not a valid SSH packet, so Wireshark marks it as malformed.
“Why does it bother sending ‘hi,’ though? That’s a mystery,” Akamai wrote.
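A defender-side illustration of the observation above, added here and not taken from Akamai's report or from the botnet itself: a compliant client must open with an SSH identification string (RFC 4253, section 4.2), so a sensor that records the first bytes each client sends to an SSH listener can separate “hi” openers from real clients. The function names, labels and sample events are assumptions constructed for this example.

```python
import re
from collections import Counter

# RFC 4253 section 4.2: a client opens with
# "SSH-<protoversion>-<softwareversion>[ comments]" followed by CR LF.
SSH_IDENT = re.compile(rb"SSH-\d+\.\d+-[\x21-\x7e]+(?: [\x20-\x7e]*)?\r?\n")
MAX_IDENT_LEN = 255  # RFC 4253 limit, including CR LF


def classify_first_payload(payload: bytes) -> str:
    """Label the first bytes a client sent to an SSH listener."""
    if not payload:
        return "empty"
    if SSH_IDENT.match(payload[:MAX_IDENT_LEN]):
        return "ssh-ident"
    # The article says the scanner sends the string "hi"; tolerating a
    # trailing CR/LF is an assumption made here, not something it states.
    if payload.rstrip(b"\r\n") == b"hi":
        return "hi-probe"
    return "malformed"


def summarize(events):
    """Count 'hi' probes and other malformed openers per source address."""
    hi, other = Counter(), Counter()
    for src, payload in events:
        label = classify_first_payload(payload)
        if label == "hi-probe":
            hi[src] += 1
        elif label == "malformed":
            other[src] += 1
    return dict(hi), dict(other)


# Constructed sample data (documentation address ranges, not real observations).
SAMPLE_EVENTS = [
    ("192.0.2.10", b"SSH-2.0-OpenSSH_9.6\r\n"),
    ("198.51.100.7", b"hi"),
    ("198.51.100.7", b"hi"),
    ("203.0.113.44", b"GET / HTTP/1.1\r\n"),
    ("203.0.113.90", b"hi\n"),
    ("192.0.2.10", b"SSH-2.0-libssh2_1.11.0\r\n"),
]

if __name__ == "__main__":
    hi_sources, other_sources = summarize(SAMPLE_EVENTS)
    print("hi probes:", hi_sources)
    print("other malformed openers:", other_sources)
```

Sources that appear in the first dictionary are candidates for blocking or for correlation with later authentication attempts; the second dictionary collects unrelated non-SSH traffic hitting the same port.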
Early versions of the malware included song lyrics embedded into the code, from “Who’s Ready for Tomorrow” by Rat Boy and IBDY.
To enhance its cryptomining capabilities, NoaBot drops a modified version of the XMRig miner, obfuscating its configuration and using a custom mining pool to avoid exposing the wallet address, which makes tracking the payments and estimating profitability challenging.
Akamai discovered over 800 distinct attacking IPs in 2023, distributed evenly across the globe. Almost 10% of all attacks originated from China.
The malware is statically compiled and lacks symbols, and its nonstandard compilation makes reverse engineering more challenging. Newer samples of the botnet hide their strings, making it tougher to extract details or navigate through disassembled parts. The encoding used is straightforward to reverse-engineer.
The botnet also added command-line arguments, the most noteworthy of which is the “noa” flag, which causes the botnet to install a persistence method in the form of a crontab entry that runs after a reboot. This flag has been observed in extensive use in the wild.