A well-designed operation is using a version of the infamous Mirai malware to secretly distribute cryptocurrency mining software, researchers said Wednesday.
Calling it NoaBot, researchers at Akamai said the campaign has been active for about a year, and it has various quirks that complicate analysis of the malware and point to highly skilled threat actors.
The NoaBot botnet spreads on Linux over SSH, the protocol that provides secure remote access to a computer or server over a network.
As part of the attack, the malware installs a modified version of the XMRig miner on infected devices.
The Akamai researchers said that the details get fuzzier from there.
The hackers take great care to hide the wallet address where the cryptominer sends mined coins.
Other aspects of the campaign are difficult to size up.
NoaBot does appear to have links to P2PInfect, a worm first identified in July 2023.
The most recent incidents spotted by Akamai used that malware instead of the original Mirai-based code.
Mirai variants proliferated after its original U.S.-based creators published the source code in 2016.
Originally used for distributed denial-of-service attacks, Mirai eventually became a tool for other malicious activities.
The Akamai researchers said they hope their discoveries will be useful the next time the operation pops up.
Joe Warminsky is the news editor for Recorded Future News.
He has more than 25 years of experience as an editor and writer in the Washington, D.C., area.
Most recently he helped lead CyberScoop for more than five years.
Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.
This article was published on therecord.media. Publication date: Wed, 10 Jan 2024 16:31:13 +0000