NoaBot - a New Malware Based on Mirai Code


A recently emerged botnet named NoaBot, which is based on Mirai, has been employed by threat actors in a crypto mining campaign since the beginning of 2023. According to a report from security researcher Stiv Kupchik, NoaBot boasts features such as a self-spreading worm and an SSH key backdoor, enabling the download and execution of additional binaries or the propagation to new victims.

Mirai, whose source code was leaked in 2016, has given rise to various botnets, with the latest being InfectedSlurs, capable of launching distributed denial-of-service (DDoS) attacks. There are indications that NoaBot may have connections to another botnet campaign involving a Rust-based malware family known as P2PInfect, recently updated to target routers and IoT devices.

NoaBot Relies on SSH Scanner to Look for Vulnerabilities

Evidence suggests that threat actors have experimented with substituting P2PInfect for NoaBot in recent attacks on SSH servers, hinting at potential efforts to transition to custom malware. Although NoaBot is built on Mirai, its spreader module employs an SSH scanner to identify servers vulnerable to dictionary attacks, allowing it to brute-force them and add an SSH public key for remote access. Optionally, it can download and execute additional binaries after successful exploitation or spread to new victims.
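A defender-side check for the two spreader behaviours described above (password guessing against SSH, then an added public key), given as an added example that is not taken from the researchers' report. The function names, the threshold of five failures, and all sample data are assumptions constructed here; the log lines follow OpenSSH's sshd message format.

```python
import base64
import hashlib
import re
from collections import defaultdict

# OpenSSH sshd log messages for password authentication.
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"Accepted password for (\S+) from (\S+) port \d+")
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # prefixes of OpenSSH public key type names

def guessed_logins(log_lines, threshold=5):
    """(ip, user, failures) for each password login preceded by >= threshold failures from that ip."""
    failures, hits = defaultdict(int), []
    for line in log_lines:
        m = FAILED.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if m and failures[m.group(2)] >= threshold:
            hits.append((m.group(2), m.group(1), failures[m.group(2)]))
    return hits

def fingerprint(blob_b64):
    """SHA256 fingerprint of a public key blob, in the SHA256:... form `ssh-keygen -l` prints."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def unexpected_keys(authorized_keys_text, allowed_fingerprints):
    """(fingerprint, comment) for every authorized_keys entry not on the allowlist."""
    found = []
    for line in authorized_keys_text.splitlines():
        fields = [] if line.lstrip().startswith("#") else line.split()
        # The key type may follow an options field; the blob is the next field.
        idx = next((i for i, f in enumerate(fields[:-1]) if f.startswith(KEY_TYPES)), None)
        if idx is not None and (fp := fingerprint(fields[idx + 1])) not in allowed_fingerprints:
            found.append((fp, " ".join(fields[idx + 2:])))
    return found

# Constructed sample data: six failed guesses then a password login from one
# address, one unrelated login, and key blobs that are not real keys.
_F = "Jan 10 03:12:0{0} srv sshd[811]: Failed password for root from 203.0.113.7 port 4010{0} ssh2"
SAMPLE_LOG = [_F.format(i) for i in range(6)] + [
    "Jan 10 03:12:09 srv sshd[811]: Accepted password for root from 203.0.113.7 port 40110 ssh2",
    "Jan 10 08:00:00 srv sshd[902]: Accepted password for alice from 198.51.100.4 port 50000 ssh2"]
ADMIN_BLOB, ROGUE_BLOB = (base64.b64encode(b).decode() for b in (b"constructed-admin", b"constructed-unknown"))
SAMPLE_KEYS = f"# admins\nssh-ed25519 {ADMIN_BLOB} admin@laptop\nno-pty ssh-rsa {ROGUE_BLOB} unknown\n"
```

Once a key has been planted, later sessions log as `Accepted publickey` rather than `Accepted password`, which is why the log check is paired with an audit of `authorized_keys` against known fingerprints.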

Notably, NoaBot stands out from other Mirai-based botnet campaigns because this variant carries no information about the mining pool or wallet address, making it challenging to assess the profitability of the illicit cryptocurrency mining scheme. Researchers have identified 849 victim IP addresses dispersed worldwide, with a significant concentration in China, which accounts for nearly 10% of all attacks against the researchers' honeypots in 2023.

January 11, 2024