New and unknown worm targets Linux systems

In the last few days, several Linux systems scattered all over the world have had to deal with a previously unknown self-replicating malware.

We’re talking about a worm that operates in the context of cryptomining and uses unusual techniques to hide its activities. According to the analysis of cybersecurity experts, it is a customized version of the Mirai botnet, capable of infecting IoT devices (servers, webcams, routers and many others) that use Linux as their operating system.

Mirai is a well-known name among those involved in cybersecurity. It is a malicious agent active since 2016, widely exploited for DDoS attacks. Over the years, the source code of this malware has provided material for cybercriminals, who have created several derivative variants and malicious agents, including the one just discovered.

The worm is a derivative of Mirai, but is not used for DDoS attacks

The new worm, it seems, is being used to infect more and more devices and to power a new network exploited by cybercriminals, namely NoaBot.

Instead of targeting devices with weak Telnet passwords, NoaBot targets passwords for SSH connections. Not only that: as observed by Akamai experts, instead of carrying out classic DDoS attacks, the new botnet installs cryptocurrency mining software, which allows attackers to generate cryptocurrency using the victims' hardware, electricity and bandwidth.

The Mirai derivative, in fact, works by installing a cryptominer, itself a modified version of XMRig. According to the data collected, the attacks recorded so far originated from 849 IP addresses, almost all of which are likely related to an infected device.

Malware cases linked to the IoT context are an increasingly concrete reality. The main prevention method is to change any default passwords that ship with the devices, replacing them with strong passwords.
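
Because the worm spreads by guessing SSH passwords, a device's own sshd log shows both the guessing and, more importantly, whether a guess succeeded. The following check is an added example, not taken from the article or from Akamai's analysis; it assumes the standard OpenSSH log message format, and the sample log lines, host name, addresses and the `min_failures` threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in OpenSSH auth-log format; IPs are documentation ranges.
SAMPLE_LOG = """\
Jan 10 03:12:01 cam01 sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Jan 10 03:12:03 cam01 sshd[811]: Failed password for root from 203.0.113.7 port 40114 ssh2
Jan 10 03:12:05 cam01 sshd[812]: Failed password for invalid user ubnt from 203.0.113.7 port 40120 ssh2
Jan 10 03:12:09 cam01 sshd[813]: Accepted password for root from 203.0.113.7 port 40131 ssh2
Jan 10 08:30:44 cam01 sshd[901]: Failed password for alice from 198.51.100.20 port 51000 ssh2
Jan 10 08:30:52 cam01 sshd[901]: Accepted password for alice from 198.51.100.20 port 51000 ssh2
Jan 10 09:01:10 cam01 sshd[950]: Accepted publickey for deploy from 192.0.2.15 port 42000 ssh2
"""

EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def analyze(log_text, min_failures=3):
    """Return (guessing, compromised) from sshd log text.

    guessing:    {ip: usernames tried} for sources with at least
                 min_failures failed password attempts.
    compromised: (ip, user) pairs where such a source then logged in
                 with a password, i.e. a guess probably succeeded.
    """
    failures = defaultdict(int)
    users_tried = defaultdict(set)
    compromised = []
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m or m["method"] != "password":
            continue  # key-based logins are not password guessing
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            failures[ip] += 1
            users_tried[ip].add(user)
        elif failures[ip] >= min_failures:
            compromised.append((ip, user))
    guessing = {ip: sorted(users_tried[ip])
                for ip, n in failures.items() if n >= min_failures}
    return guessing, compromised

if __name__ == "__main__":
    guessing, compromised = analyze(SAMPLE_LOG)
    for ip, users in guessing.items():
        print(f"password guessing from {ip}: tried {users}")
    for ip, user in compromised:
        print(f"ALERT: {ip} logged in as {user} after repeated failures")
```

A hit in `compromised` means the account's password should be treated as known to the attacker and the device checked for an unexpected miner process.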
