Apr 13, 2024NewsroomCryptocurrency / Regulatory Compliance

A former security engineer has been sentenced to three years in prison in the U.S. for charges relating to hacking two decentralized cryptocurrency exchanges in July 2022 and stealing over $12.3 million.

Shakeeb Ahmed, the defendant in question, pled guilty to one count of computer fraud in December 2023 following his arrest in July.

“At the time of both attacks, Ahmed, a U.S. citizen, was a senior security engineer for an international technology company whose resume reflected skills in, among other things, reverse engineering smart contracts and blockchain audits, which are some of the specialized skills Ahmed used to execute the hacks,” the U.S. Department of Justice (DoJ) noted at the time.

While the name of the company was not disclosed, he was residing in Manhattan, New York, and working for Amazon before he was apprehended.

Court documents show that Ahmed exploited a security flaw in an unnamed cryptocurrency exchange’s smart contracts to insert “fake pricing data to fraudulently generate millions of dollars’ worth of inflated fees,” which he was able to withdraw.

Subsequently, he initiated contact with the company and agreed to return most of the funds except for $1.5 million if the exchange agreed not to alert law enforcement about the flash loan attack.

It’s worth noting that CoinDesk reported in early July 2022 that an unknown attacker returned more than $8 million worth of cryptocurrency to a Solana-based crypto exchange called Crema Finance, while keeping $1.68 million as a “white hat” bounty.

Ahmed has also been accused of carrying out an attack on a second decentralized cryptocurrency exchange called Nirvana Finance, siphoning $3.6 million in the process, ultimately leading to its shutdown.

“Ahmed used an exploit he discovered in Nirvana’s smart contracts to allow him to purchase cryptocurrency from Nirvana at a lower price than the contract was designed to allow,” the DoJ said.

“He then immediately resold that cryptocurrency to Nirvana at a higher price. Nirvana offered Ahmed a ‘bug bounty’ of as much as $600,000 to return the stolen funds, but Ahmed instead demanded $1.4 million, did not reach agreement with Nirvana, and kept all the stolen funds.”

The defendant then laundered the stolen funds to cover up the trail using cross-chain bridges to move the illicit digital assets from Solana to Ethereum and exchanging the proceeds into Monero using mixers like Samourai Whirlpool.

Besides the three-year jail term, Ahmed has been sentenced to three years of supervised release and ordered to forfeit approximately $12.3 million and pay restitution amounting more than $5 million to both the impacted crypto exchanges.

Apr 08, 2024NewsroomInvestment Scam / Mobile Security

Google has filed a lawsuit against two app developers for engaging in an “international online consumer investment fraud scheme” that tricked users into downloading bogus Android apps from the Google Play Store and other sources and stealing their funds under the guise of promising higher returns.

The individuals in question are Yunfeng Sun (aka Alphonse Sun) and Hongnam Cheung (aka Zhang Hongnim or Stanford Fischer), who are believed to be based in Shenzhen and Hong Kong, respectively.

The defendants are said to have uploaded about 87 crypto apps to the Play Store to pull off the social engineering scam since at least 2019, with over 100,000 users downloading them and leading to substantial financial losses.

“The gains conveyed by the apps were illusory,” the tech giant said in its complaint. “And the scheme did not end there.”

“Instead, when individual victims attempted to withdraw their balances, defendants and their confederates would double down on the scheme by requesting various fees and other payments from victims that were supposedly necessary for the victims to recover their principal investments and purported gains.”

While this kind of scam is typically referred to as pig butchering (aka shā zhū pán), Google said it “neither adopts nor endorses the use of this term.” It’s derived from the idea that victims are fattened up like hogs with the promise of lucrative returns before “slaughtering” them for their assets.

In September 2023, the U.S. Financial Crimes Enforcement Network (FinCEN) said these scams are perpetrated by criminal enterprises based in Southeast Asia that employ hundreds of thousands of people who are trafficked to the region by promising them high-paying jobs.

The fraudulent scheme entails the scammers using elaborate fictitious personas to target unsuspecting individuals via social media or dating platforms, enticing them with the prospect of a romantic relationship to build trust and convince them to invest in cryptocurrency portfolios that purport to offer high profits within a short span of time with an aim to steal their funds.

To create the appearance of legitimacy, the financially motivated actors are known to fabricate websites and mobile apps to display a bogus investment portfolio with large returns.

Sun and Cheung, said Google, lured victim investors to download their fraudulent apps through text messages using Google Voice to target victims in the U.S. and Canada. Other distribution methods include affiliate marketing campaigns that offer commissions for “signing up additional users” and YouTube videos promoting the fake investment platforms.

The company described the malicious activity as persistent and continuing, with the defendants “using varying computer network infrastructure and accounts to obfuscate their identities, and making material misrepresentations to Google in the process.”

It also accused them of violating the Racketeer Influenced and Corrupt Organizations Act (RICO), carrying out wire fraud, and breaching the Google Play App Signing Terms of Service, Developer Program Policies, YouTube’s Community Guidelines, as well as the Google Voice Acceptable Use Policy.

“Google Play can continue to be an app-distribution platform that users want to use only if users feel confident in the integrity of the apps,” Google added. “By using Google Play to conduct their fraud scheme, defendants have threatened the integrity of Google Play and the user experience.”

It’s worth noting that the problem is not limited to the Android ecosystem alone, as prior reports show that such bogus apps have also repeatedly made their way to the Apple App Store.

The development is the latest in a series of legal actions that Google has taken to avoid the misuse of its products. In November 2023, the company sued multiple individuals in India and Vietnam for distributing fake versions of its Bard AI chatbot (now rebranded as Gemini) to propagate malware via Facebook.

Mar 12, 2024The Hacker NewsCryptocurrency / Cybercrime

Threat hunters have discovered a set of seven packages on the Python Package Index (PyPI) repository that are designed to steal BIP39 mnemonic phrases used for recovering private keys of a cryptocurrency wallet.

The software supply chain attack campaign has been codenamed BIPClip by ReversingLabs. The packages were collectively downloaded 7,451 times prior to them being removed from PyPI. The list of packages is as follows –

BIPClip, which is aimed at developers working on projects related to generating and securing cryptocurrency wallets, is said to be active since at least December 4, 2022, when hashdecrypt was first published to the registry.

“This is just the latest software supply chain campaign to target crypto assets,” security researcher Karlo Zanki said in a report shared with The Hacker News. “It confirms that cryptocurrency continues to be one of the most popular targets for supply chain threat actors.”

In a sign that the threat actors behind the campaign were careful to avoid detection, one of the packages in question — mnemonic_to_address — was devoid of any malicious functionality, barring listing bip39-mnemonic-decrypt as its dependency, which contained the malicious component.

“Even if they did opt to look at the package’s dependencies, the name of the imported module and invoked function are carefully chosen to mimic legitimate functions and not raise suspicion, since implementations of the BIP39 standard include many cryptographic operations,” Zanki explained.

The package, for its part, is designed to steal mnemonic phrases and exfiltrate the information to an actor-controlled server.

Two other packages identified by ReversingLabs – public-address-generator and erc20-scanner – operate in an analogous fashion, with the former acting as a lure to transmit the mnemonic phrases to the same command-and-control (C2) server.

On the other hand, hashdecrypts functions a little differently in that it’s not conceived to work as a pair and contains within itself near-identical code to harvest the data.

The package, per the software supply chain security firm, includes references to a GitHub profile named “HashSnake,” which features a repository called hCrypto that’s advertised as a way to extract mnemonic phrases from crypto wallets using the package hashdecrypts.

A closer examination of the repository’s commit history reveals that the campaign has been underway for over a year based on the fact that one of the Python scripts previously imported the hashdecrypt (without the “s”) package instead of hashdecrypts until March 1, 2024, the same date hashdecrypts was uploaded to PyPI.

It’s worth pointing out that the threat actors behind the HashSnake account also have a presence on Telegram and YouTube to advertise their warez. This includes releasing a video on September 7, 2022, showcasing a crypto logs checker tool dubbed xMultiChecker 2.0.

“The content of each of the discovered packages was carefully crafted to make them look less suspicious,” Zanki said.

“They were laser focused on compromising crypto wallets and stealing the crypto currencies they contained. That absence of a broader agenda and ambitions made it less likely this campaign would trip up security and monitoring tools deployed within compromised organizations.”

The findings once again underscore the security threats that lurk within open-source package repositories, which is exacerbated by the fact that legitimate services like GitHub are used as a conduit to distribute malware.

Furthermore, abandoned projects are becoming an attractive vector for threat actors to seize control of the developer accounts and publish trojanized versions that could then pave the way for large-scale supply chain attacks.

“Abandoned digital assets are not relics of the past; they are ticking time bombs and attackers have been increasingly taking advantage of them, transforming them into trojan horses within the open-source ecosystems,” Checkmarx noted last month.

“MavenGate and CocoaPods case studies highlight how abandoned domains and subdomains could be hijacked to mislead users and spread malicious intent.”

Mar 06, 2024NewsroomServer Security / Cryptocurrency

Threat actors are targeting misconfigured and vulnerable servers running Apache Hadoop YARN, Docker, Atlassian Confluence, and Redis services as part of an emerging malware campaign designed to deliver a cryptocurrency miner and spawn a reverse shell for persistent remote access.

“The attackers leverage these tools to issue exploit code, taking advantage of common misconfigurations and exploiting an N-day vulnerability, to conduct Remote Code Execution (RCE) attacks and infect new hosts,” Cado security researcher Matt Muir said in a report shared with The Hacker News.

The activity has been codenamed Spinning YARN by the cloud security company, with overlaps to cloud attacks attributed to TeamTNT, WatchDog, and a cluster dubbed Kiss-a-dog.

It all starts with deploying four novel Golang payloads that are capable of automating the identification and exploitation of susceptible Confluence, Docker, Hadoop YARN, and Redis hosts. The spreader utilities leverage masscan or pnscan to hunt for these services.

“For the Docker compromise, the attackers spawn a container and escape from it onto the underlying host,” Muir explained.

The initial access then paves the way for the deployment of additional tools to install rootkits like libprocesshider and diamorphine to conceal malicious processes, drop the Platypus open-source reverse shell utility, and ultimately launch the XMRig miner.

“It’s clear that attackers are investing significant time into understanding the types of web-facing services deployed in cloud environments, keeping abreast of reported vulnerabilities in those services and using this knowledge to gain a foothold in target environments,” the company said.

The development comes as Uptycs revealed 8220 Gang’s exploitation of known security flaws in Apache Log4j (CVE-2021-44228) and Atlassian Confluence Server and Data Center (CVE-2022-26134) as part of a wave of assaults targeting cloud infrastructure from May 2023 through February 2024.

“By leveraging internet scans for vulnerable applications, the group identifies potential entry points into cloud systems, exploiting unpatched vulnerabilities to gain unauthorized access,” security researchers Tejaswini Sandapolla and Shilpesh Trivedi said.

“Once inside, they deploy a series of advanced evasion techniques, demonstrating a profound understanding of how to navigate and manipulate cloud environments to their advantage. This includes disabling security enforcement, modifying firewall rules, and removing cloud security services, thereby ensuring their malicious activities remain undetected.”

The attacks, which single out both Windows and Linux hosts, aim to deploy a cryptocurrency miner, but not before taking a series of steps that prioritize stealth and evasion.

It also follows the abuse of cloud services primarily meant for artificial intelligence (AI) solutions to drop cryptocurrency miners as well as host malware.

“With both mining and AI requiring access to large amounts of GPU processing power, there’s a certain degree of transferability to their base hardware environments,” HiddenLayer noted last year.

Cado, in its H2 2023 Cloud Threat Findings Report, noted that threat actors are increasingly targeting cloud services that require specialist technical knowledge to exploit, and that cryptojacking is no longer the only motive.

“With the discovery of new Linux variants of ransomware families, such as Abyss Locker, there is a worrying trend of ransomware on Linux and ESXi systems,” it said. “Cloud and Linux infrastructure is now subject to a broader variety of attacks.”

Feb 06, 2024NewsroomSocial Engineering / Malvertising

Threat actors are leveraging bogus Facebook job advertisements as a lure to trick prospective targets into installing a new Windows-based stealer malware codenamed Ov3r_Stealer.

“This malware is designed to steal credentials and crypto wallets and send those to a Telegram channel that the threat actor monitors,” Trustwave SpiderLabs said in a report shared with The Hacker News.

Ov3r_Stealer is capable of siphoning IP address-based location, hardware info, passwords, cookies, credit card information, auto-fills, browser extensions, crypto wallets, Microsoft Office documents, and a list of antivirus products installed on the compromised host.

While the exact end goal of the campaign is unknown, it’s likely that the stolen information is offered for sale to other threat actors. Another possibility is that Ov3r_Stealer could be updated over time to act as a QakBot-like loader for additional payloads, including ransomware.

The starting point of the attack is a weaponized PDF file that purports to be a file hosted on OneDrive, urging users to click on an “Access Document” button embedded into it.

Trustwave said it identified the PDF file being shared on a fake Facebook account impersonating Amazon CEO Andy Jassy as well as via Facebook ads for digital advertising jobs.

Users who end up clicking on the button are served an internet shortcut (.URL) file that masquerades as a DocuSign document hosted on Discord’s content delivery network (CDN). The shortcut file then acts as a conduit to deliver a control panel item (.CPL) file, which is then executed using the Windows Control Panel process binary (“control.exe“).

The execution of the CPL file leads to the retrieval of a PowerShell loader (“DATA1.txt”) from a GitHub repository to ultimately launch Ov3r_Stealer.

It’s worth noting at this stage that a near-identical infection chain was recently disclosed by Trend Micro as having put to use by threat actors to drop another stealer called Phemedrone Stealer by exploiting the Microsoft Windows Defender SmartScreen bypass flaw (CVE-2023-36025, CVSS score: 8.8).

The similarities extend to the GitHub repository used (nateeintanan2527) and the fact that Ov3r_Stealer shares code-level overlaps with Phemedrone.

“This malware has recently been reported, and it may be that Phemedrone was re-purposed and renamed to Ov3r_Stealer,” Trustwave said. “The main difference between the two is that Phemedrone is written in C#.”

The findings come as Hudson Rock revealed that threat actors are advertising their access to law enforcement request portals of major organizations like Binance, Google, Meta, and TikTok by exploiting credentials obtained from infostealer infections.

They also follow the emergence of a category of infections called CrackedCantil that take leverage cracked software as an initial access vector to drop loaders like PrivateLoader and SmokeLoader, when subsequently act as a delivery mechanism for information stealers, crypto miners, proxy botnets, and ransomware.

Feb 05, 2024NewsroomCryptocurrency / Financial Fraud

A 42-year-old Belarusian and Cypriot national with alleged connections to the now-defunct cryptocurrency exchange BTC-e is facing charges related to money laundering and operating an unlicensed money services business.

Aliaksandr Klimenka, who was arrested in Latvia on December 21, 2023, was extradited to the U.S. If convicted, he faces a maximum penalty of 25 years in prison.

BTC-e, which had been operating since 2011, was seized by law enforcement authorities in late July 2017 following the arrest of another key member Alexander Vinnik, in Greece.

The exchange is alleged to have received deposits valued at over $4 billion, with Vinnik laundering funds received from the hack of another digital exchange, Mt. Gox, through various online exchanges, including BTC-e.

Court documents allege that the exchange was a “significant cybercrime and online money laundering entity,” allowing its users to trade in bitcoin with high levels of anonymity, thereby building a customer base that engaged in criminal activity.

This included hacking incidents, ransomware scams, identity theft schemes, and narcotics distribution rings.

“BTC-e’s servers, maintained in the United States, were allegedly one of the primary ways in which BTC-e and its operators effectuated their scheme,” the U.S. Department of Justice (DoJ) said.

These servers were leased to and maintained by Klimenka and Soft-FX, a technology services company controlled by the defendant.

BTC-e has also been accused of failing to establish an anti-money laundering process or know-your-customer (KYC) verification in accordance with U.S. federal laws.

In June 2023, two Russian nationals – Alexey Bilyuchenko and Aleksandr Verner – were charged for their roles in masterminding the 2014 digital heist of Mt. Gox.

News of Klimenka’s indictment comes as the DoJ charged Noah Michael Urban, 19, of Palm Coast, Florida, with wire fraud and aggravated identity theft for offenses that led to the theft of $800,000 from at least five different victims between August 2022 and March 2023.

Urban, who went by the aliases Sosa, Elijah, King Bob, Anthony Ramirez, and Gustavo Fring, is said to be a key member of the cybercrime group known as Scattered Spider, according to KrebsOnSecurity, as well as a “top member” of a broader cybercrime ecosystem that calls itself The Com.

It also follows the Justice Department’s announcement of charges against three individuals, Robert Powell, Carter Rohn, and Emily Hernandez, in relation to a SIM swapping attack aimed at crypto exchange FTX to steal more than $400 million at the time of its collapse in 2022.

Powell (aka R, R$, and ElSwapo1), Rohn (aka Carti and Punslayer), and Hernandez (aka Em) are accused of running a massive cybercriminal theft ring dubbed the Powell SIM Swapping Crew that orchestrated SIM swapping attacks between March 2021 and April 2023 and stole hundreds of millions of dollars from victims’ accounts.

Blockchain analytics firm Elliptic, in October 2023, said the plunder assets had been laundered through cross-chain crime in collaboration with Russia-nexus intermediaries in an attempt to obscure the trail.

Feb 01, 2024NewsroomCryptocurrency / Botnet

Cybersecurity researchers have detailed an updated version of the malware HeadCrab that’s known to target Redis database servers across the world since early September 2021.

The development, which comes exactly a year after the malware was first publicly disclosed by Aqua, is a sign that the financially-motivated threat actor behind the campaign is actively adapting and refining their tactics and techniques to stay ahead of the detection curve.

The cloud security firm said that “the campaign has almost doubled the number of infected Redis servers,” with an additional 1,100 compromised servers, up from 1,200 reported at the start of 2023.

HeadCrab is designed to infiltrate internet-exposed Redis servers and wrangle them into a botnet for illicitly mining cryptocurrency, while also leveraging the access in a manner that allows the threat actor to execute shell commands, load fileless kernel modules, and exfiltrate data to a remote server.

While the origins of the threat actor are presently not known, they make it a point to note in a “mini blog” embedded into the malware that the mining activity is “legal in my country” and that they do it because “it almost doesn’t harm human life and feelings (if done right).”

The operator, however, acknowledges that it’s a “parasitic and inefficient way” of making money, adding their aim is to make $15,000 per year.

“An integral aspect of the sophistication of HeadCrab 2.0 lies in its advanced evasion techniques,” Aqua researchers Asaf Eitani and Nitzan Yaakov said. “In contrast to its predecessor (named HeadCrab 1.0), this new version employs a fileless loader mechanism, demonstrating the attacker’s commitment to stealth and persistence.”

It’s worth noting that the previous iteration utilized the SLAVEOF command to download and save the HeadCrab malware file to disk, thereby leaving artifact traces on the file system.

HeadCrab 2.0, on the other hand, receives the malware’s content over the Redis communication channel and stores it in a fileless location in a bid to minimize the forensic trail and make it much more challenging to detect.

Also changed in the new variant is the use of the Redis MGET command for command-and-control (C2) communications for added covertness.

“By hooking into this standard command, the malware gains the ability to control it during specific attacker-initiated requests,” the researchers said.

“Those requests are achieved by sending a special string as an argument to the MGET command. When this specific string is detected, the malware recognizes the command as originating from the attacker, triggering the malicious C2 communication.”

Describing HeadCrab 2.0 as an escalation in the sophistication of Redis malware, Aqua said its ability to masquerade its malicious activities under the guise of legitimate commands poses new problems for detection.

“This evolution underscores the necessity for continuous research and development in security tools and practices,” the researchers concluded. “The engagement by the attacker and the subsequent evolution of the malware highlights the critical need for vigilant monitoring and intelligence gathering.”

Jan 23, 2024NewsroomMalware / Cryptocurrency

Cracked software have been observed infecting Apple macOS users with a previously undocumented stealer malware capable of harvesting system information and cryptocurrency wallet data.

Kaspersky, which identified the artifacts in the wild, said they are designed to target machines running macOS Ventura 13.6 and later, indicating the malware’s ability to infect Macs on both Intel and Apple silicon processor architectures.

The attack chains leverage booby-trapped disk image (DMG) files that include a program named “Activator” and a pirated version of legitimate software such as xScope.

Users who end up opening the DMG files are urged to move both files to the Applications folder and run the Activator component to apply a supposed patch and run the xScope app.

Launching Activator, however, displays a prompt asking the victim to enter the system administrator password, thereby allowing it to execute a Mach-O binary with elevated permissions in order to launch the modified xScope executable.

“The trick was that the malicious actors had taken pre-cracked application versions and added a few bytes to the beginning of the executable, thus disabling it to make the user launch Activator,” security researcher Sergey Puzan said.

The next stage entails establishing contact with a command-and-control (C2) server to fetch an encrypted script. The C2 URL, for its part, is constructed by combining words from two hard-coded lists and adding a random sequence of five letters as a third-level domain name.

A DNS request for this domain is then sent to retrieve three DNS TXT records, each containing a Base64-encoded ciphertext fragment that is decrypted and assembled to construct a Python script, which, in turn, establishes persistence and functions as a downloader by reaching out to “apple-health[.]org” every 30 seconds to download and execute the main payload.

“This was a fairly interesting and unusual way of contacting a command-and-control server and hiding activity inside traffic, and it guaranteed downloading the payload, as the response message came from the DNS server,” Puzan explained, describing it as “seriously ingenious.”

The backdoor, actively maintained and updated by the threat actor, is designed to run received commands, gather system metadata, and check for the presence of Exodus and Bitcoin Core wallets on the infected host.

If found, the applications are replaced by trojanized versions downloaded from the domain “apple-analyser[.]com” that are equipped to exfiltrate the seed phrase, wallet unlock password, name, and balance to an actor-controlled server.

“The final payload was a backdoor that could run any scripts with administrator privileges, and replace Bitcoin Core and Exodus crypto wallet applications installed on the machine with infected versions that stole secret recovery phrases the moment the wallet was unlocked,” Puzan said.

The development comes as cracked software is increasingly becoming a conduit to compromise macOS users with a variety of malware, including Trojan-Proxy and ZuRu.

Jan 18, 2024NewsroomServer Security / Cryptocurrency

Vulnerable Docker services are being targeted by a novel campaign in which the threat actors are deploying XMRig cryptocurrency miner as well as the 9Hits Viewer software as part of a multi-pronged monetization strategy.

“This is the first documented case of malware deploying the 9Hits application as a payload,” cloud security firm Cado said, adding the development is a sign that adversaries are always on the lookout for diversifying their strategies to make money off compromised hosts.

9Hits advertises itself as a “unique web traffic solution” and an “automatic traffic exchange” that allows members of the service to drive traffic to their sites in exchange for purchasing credits.

This is accomplished by means of a software called 9Hits Viewer, which runs a headless Chrome browser instance to visit websites requested by other members, for which they earn credits to pay for generating traffic to their sites.

The exact method used to spread the malware to vulnerable Docker hosts is currently unclear, but it’s suspected to involve the use of search engines like Shodan to scan for prospective targets.

The servers are then breached to deploy two malicious containers via the Docker API and fetch off-the-shelf images from the Docker Hub library for the 9Hits and XMRig software.

“This is a common attack vector for campaigns targeting Docker, where instead of fetching a bespoke image for their purposes they pull a generic image off Dockerhub (which will almost always be accessible) and leverage it for their needs,” security researcher Nate Bill said.

The 9Hits container is then used to execute code to generate credits for the attacker by authenticating with 9Hits using their session token and extracting the list of sites to visit.

The threat actors have also configured the scheme to allow visiting adult sites or sites that show popups, but prevent it from visiting cryptocurrency-related sites.

The other container is used to run an XMRig miner that connects to a private mining pool, making it impossible to determine the campaign’s scale and profitability.

“The main impact of this campaign on compromised hosts is resource exhaustion, as the XMRig miner will use all available CPU resources it can while 9hits will use a large amount of bandwidth, memory, and what little CPU is left,” Bill said.

“The result of this is that legitimate workloads on infected servers will be unable to perform as expected. In addition, the campaign could be updated to leave a remote shell on the system, potentially causing a more serious breach.”

Jan 10, 2024NewsroomServer Security / Cryptocurrency

A new Mirai-based botnet called NoaBot is being used by threat actors as part of a crypto mining campaign since the beginning of 2023.

“The capabilities of the new botnet, NoaBot, include a wormable self-spreader and an SSH key backdoor to download and execute additional binaries or spread itself to new victims,” Akamai security researcher Stiv Kupchik said in a report shared with The Hacker News.

Mirai, which had its source code leaked in 2016, has been the progenitor of a number of botnets, the most recent being InfectedSlurs, which is capable of mounting distributed denial-of-service (DDoS) attacks.

There are indications that NoaBot could be linked to another botnet campaign involving a Rust-based malware family known as P2PInfect, which recently received an update to target routers and IoT devices.

This is based on the fact that threat actors have also experimented with dropping P2PInfect in place of NoaBot in recent attacks targeting SSH servers, indicating likely attempts to pivot to custom malware.

Despite NaoBot’s Mirai foundations, its spreader module leverages an SSH scanner to search for servers susceptible to dictionary attack in order to brute-force them and add an SSH public key in the .ssh/authorized_keys file for remote access. Optionally, it can also download and execute additional binaries post successful exploitation or propagate itself to new victims.

“NoaBot is compiled with uClibc, which seems to change how antivirus engines detect the malware,” Kupchik noted. “While other Mirai variants are usually detected with a Mirai signature, NoaBot’s antivirus signatures are of an SSH scanner or a generic trojan.”

Besides incorporating obfuscation tactics to render analysis challenging, the attack chain ultimately results in the deployment of a modified version of the XMRig coin miner.

What makes the new variant a cut above other similar Mirai botnet-based campaigns is that it does not contain any information about the mining pool or the wallet address, thereby making it impossible to assess the profitability of the illicit cryptocurrency mining scheme.

“The miner obfuscates its configuration and also uses a custom mining pool to avoid exposing the wallet address used by the miner,” Kupchik said, highlighting some level of preparedness of the threat actors.

Akamai said it identified 849 victim IP addresses to date that are spread geographically across the world, with high concentrations reported in China, so much so that it amounts to almost 10% of all attacks against its honeypots in 2023.

“The malware’s method of lateral movement is via plain old SSH credentials dictionary attacks,” Kupchik said. “Restricting arbitrary internet SSH access to your network greatly diminishes the risks of infection. In addition, using strong (not default or randomly generated) passwords also makes your network more secure, as the malware uses a basic list of guessable passwords.”