{"id":3381,"date":"2025-05-30T10:02:07","date_gmt":"2025-05-30T10:02:07","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3381"},"modified":"2025-05-30T10:02:07","modified_gmt":"2025-05-30T10:02:07","slug":"novel-pumabot-slips-into-iot-surveillance-with-stealthy-ssh-break-ins","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3381","title":{"rendered":"Novel PumaBot slips into IoT surveillance with stealthy SSH break-ins"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Security researchers are warning about a novel Linux botnet, dubbed PumaBot, targeting Internet of Things (IoT) surveillance devices.<\/p>\n<p>According to a DarkTrace observation, the botnet bypasses the usual playbook of conducting internet-wide scanning and instead\u00a0brute-forces secure shell (SSH) credentials for a list of targets it receives from a command and control (C2) server.<\/p>\n<p>\u201cDarkTrace researchers have identified a custom Go-based Linux botnet targeting embedded Linux Internet of Things (IoT) devices,\u201d researchers said in a blog post. \u201cThe botnet gains initial access through brute-forcing SSH credentials across a list of harvested IP addresses.\u201d<\/p>\n<p>By focusing on IoT surveillance devices, such as IP cameras and network video recorders, the botnet is exploiting equipment that is typically outside the scope of rigorous security measures.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Targeted infiltration via C2 coordination<\/strong><\/h2>\n<p>PumaBot connects to a designated C2 server to obtain a curated list of IP addresses with open SSH ports. 
Using these lists, it attempts to brute-force SSH credentials to infiltrate devices, a technique that reduces the likelihood of detection by traditional security measures that look for the noise of an internet-wide scan.<\/p>\n<p>For the campaign, PumaBot uses malware identified by the filename jierui that initiates the operation by invoking the getIPs() function to receive the IP list from the C2 server (ssh.ddos-cc[.]org). \u201cIt then performs brute-force login attempts on port 22 using credential pairs also obtained from the C2 through the readLinesFromURL(), brute(), and trySSHLogin() functions,\u201d researchers said. Port 22 is the default <a href=\"https:\/\/www.csoonline.com\/article\/561301\/securing-risky-network-ports.html\">network port<\/a> used by the SSH protocol.<\/p>\n<p>Inside its trySSHLogin() routine, the malware runs a series of environment fingerprinting checks to dodge honeypots and restricted shells. Additionally, it looks for the string \u201cPumatronix\u201d (which probably inspired PumaBot\u2019s name), the name of a surveillance and traffic camera systems manufacturer.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Executing remote commands for persistence<\/strong><\/h2>\n<p>After cracking a working username and password combination on a device from its list of harvested IPs, the botnet receives remote commands and sets up persistence through system service files.<\/p>\n<p>The malware takes advantage of the shell access to execute a series of commands pulled from its C2 server. These commands include system information commands like \u201cuname -a\u201d that retrieve the OS name, kernel version, and architecture. Others are issued to modify system files, such as systemd service units, to gain persistence on the compromised system.<\/p>\n<p>\u201cThe malware also adds its own SSH keys into the users\u2019 authorized_keys file. 
This ensures that access can be maintained, even if the service is removed,\u201d researchers <a href=\"https:\/\/www.darktrace.com\/blog\/pumabot-novel-botnet-targeting-iot-surveillance-devices\" target=\"_blank\" rel=\"noopener\">said<\/a>.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Potential targets must tighten IoT routines<\/strong><\/h2>\n<p>Targeted devices, if compromised, can serve as entry points for broader network infiltration or for <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/25\/a\/iot-botnet-linked-to-ddos-attacks.html\">larger botnet operations<\/a> such as distributed denial of service (<a href=\"https:\/\/www.csoonline.com\/article\/571981\/ddos-attacks-definition-examples-and-techniques.html\">DDoS<\/a>) attacks. Vulnerable organizations include those using IoT surveillance devices with poor SSH hygiene, as well as industrial and public sector systems.<\/p>\n<p>DarkTrace recommended actions to defend against such compromises include monitoring for anomalous SSH login activity, auditing systemd services regularly, inspecting authorized_keys files across user accounts, and applying stricter firewall rules to limit SSH exposure. Additionally, researchers shared a list of indicators of compromise (IoCs) for security teams to build detections from. The list includes hashes, RSA keys, URLs, and detection rules.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Security researchers are warning about a novel Linux botnet, dubbed PumaBot, targeting Internet of Things (IoT) surveillance devices. According to a DarkTrace observation, the botnet bypasses the usual playbook of conducting internet-wide scanning and instead\u00a0brute-forces secure shell (SSH) credentials for a list of targets it receives from a command and control (C2) server. 
\u201cDarkTrace researchers [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3382,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3381","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3381"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3381"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3381\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3382"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3381"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3381"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3381"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}