A new botnet called NoaBot, based on Mirai, has been used by attackers as part of a crypto mining campaign since the beginning of 2023. Mirai, whose source code was leaked in 2016, became the precursor to numerous botnets, the most recent being InfectedSlurs, which is capable of conducting distributed denial-of-service (DDoS) attacks. There are indications that NoaBot may be linked to another botnet campaign involving a Rust-based malware family called P2PInfect, which recently received an update to target routers and IoT devices.
The fact that threat actors have attempted to replace NoaBot with P2PInfect in recent attacks targeting SSH servers suggests a potential shift towards tailored malware. Despite its Mirai foundations, NoaBot’s propagation module uses an SSH scanner to search for servers vulnerable to dictionary attacks and brute-forces them, then adds an SSH public key to the .ssh/authorized_keys file for remote access. Optionally, it can download and execute additional binary files after a successful exploit or propagate itself to new victims.
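
A defender-side check for the propagation behaviour described above, as an added example that is not part of the original article: it flags password logins that follow repeated failures from the same address in sshd logs, and lists authorized_keys entries missing from a known-good baseline. The log lines, key blobs, threshold and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (documentation IP ranges, not real data).
SAMPLE_LOG = """\
Jan 10 03:12:01 host sshd[811]: Failed password for root from 203.0.113.7 port 40022 ssh2
Jan 10 03:12:03 host sshd[813]: Failed password for invalid user admin from 203.0.113.7 port 40030 ssh2
Jan 10 03:12:05 host sshd[815]: Failed password for root from 203.0.113.7 port 40041 ssh2
Jan 10 03:12:08 host sshd[817]: Accepted password for root from 203.0.113.7 port 40055 ssh2
Jan 10 09:00:00 host sshd[900]: Failed password for alice from 198.51.100.5 port 51000 ssh2
Jan 10 09:00:09 host sshd[902]: Accepted publickey for alice from 198.51.100.5 port 51002 ssh2
"""
# Constructed authorized_keys content; the blobs are placeholders, not real keys.
SAMPLE_KEYS = """\
# admin laptop
ssh-ed25519 AAAAC3CONSTRUCTEDBASELINE alice@laptop
ssh-rsa AAAAB3CONSTRUCTEDUNKNOWN unknown
"""
BASELINE = {"AAAAC3CONSTRUCTEDBASELINE"}  # blobs recorded when the host was known good

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"Accepted (password|publickey) for (\S+) from (\S+) port")

def brute_force_successes(log_text, threshold=3):
    """Return (ip, user) for password logins preceded by >= threshold failures from that IP."""
    failures = defaultdict(int)
    hits = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if m and m.group(1) == "password" and failures[m.group(3)] >= threshold:
            hits.append((m.group(3), m.group(2)))
    return hits

def unexpected_keys(authorized_keys_text, baseline_blobs):
    """Return authorized_keys lines whose key blob is not in the baseline set."""
    found = []
    for line in authorized_keys_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Simplification: the first field that looks like a key type marks the key;
        # quoted options containing spaces are not parsed.
        for i, field in enumerate(fields[:-1]):
            if field.startswith(("ssh-", "ecdsa-", "sk-")):
                if fields[i + 1] not in baseline_blobs:
                    found.append(line)
                break
    return found
```

Run `unexpected_keys` against every account's authorized_keys file, not only root's, since the key is added under whichever account was brute-forced.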