Cybersecurity researchers at Darktrace have uncovered a sophisticated new malware strain called PumaBot, written in the Go programming language, that specifically targets Linux-based IoT devices. This discovery represents a significant evolution in targeted malware campaigns, particularly concerning its advanced SSH brute-forcing capabilities and sophisticated persistence mechanisms.
Advanced Targeting and Attack Methodology
Unlike conventional botnet malware, PumaBot employs a highly selective approach to target acquisition. The malware receives specific IP address lists from its command and control (C2) server through the domain ssh.ddos-cc[.]org, subsequently launching precise SSH brute-force attacks against port 22 of selected targets. A notable characteristic of the malware is its specific search for “Pumatronix” strings within compromised systems, suggesting a targeted campaign against surveillance equipment and traffic cameras manufactured by this vendor.
Sophisticated System Persistence Techniques
Upon successful infiltration, PumaBot implements a multi-stage persistence strategy that demonstrates considerable technical sophistication. The malware first performs environment validation using uname -a commands to detect potential honeypots. It then establishes persistence by disguising its primary executable as a legitimate Redis component within the /lib/redis directory and creates systemd services masquerading as either redis.service or mysqI.service.
Malicious Component Analysis
Security analysis has revealed several sophisticated modules within PumaBot’s architecture:
– Self-updating scripts ensuring malware remains current
– Advanced PAM rootkits that replace the system’s pam_unix.so file
– Credential-stealing daemons with sophisticated exfiltration capabilities
– Cryptocurrency mining modules (including xmrig and networkxm implementations)
Credential Theft and Data Exfiltration
The malware’s modified PAM module represents a particularly sophisticated threat, capturing both local and remote SSH credentials and storing them in a con.txt file. A dedicated daemon component manages the exfiltration of stolen credentials to the C2 server, followed by comprehensive cleanup procedures to eliminate evidence of compromise.
While the current C2 infrastructure remains inaccessible, hampering full threat assessment, the presence of cryptocurrency mining capabilities suggests potential financial motivations behind the campaign. Security professionals recommend implementing robust SSH access controls, including multi-factor authentication, regular system process monitoring, and deployment of advanced intrusion detection systems. Organizations should also conduct regular security audits focusing on IoT device configurations and implement network segmentation to isolate potentially vulnerable devices.
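The brute-force phase described above is visible in sshd's own authentication log long before a PAM module is swapped out, so a simple per-source failure counter is a cheap complement to the controls listed. The following is an added example, not part of the original article and not a Darktrace tool; the log lines are constructed samples in the standard OpenSSH "Failed password" format, and the threshold and window are assumed values to tune per environment.

```python
"""Flag SSH brute-force sources from auth-log lines.

Added example (not from the original article). SAMPLE_LOG is constructed
sample data in OpenSSH's "Failed password" syslog format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample: 7 failures from one source (6 within 30 seconds),
# 2 widely spaced failures from another, and one successful login.
SAMPLE_LOG = """\
May 27 10:00:01 cam01 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
May 27 10:00:05 cam01 sshd[1203]: Failed password for root from 203.0.113.5 port 51240 ssh2
May 27 10:00:09 cam01 sshd[1205]: Failed password for invalid user pi from 203.0.113.5 port 51251 ssh2
May 27 10:00:14 cam01 sshd[1207]: Failed password for invalid user ubuntu from 203.0.113.5 port 51260 ssh2
May 27 10:00:20 cam01 sshd[1209]: Failed password for invalid user user from 203.0.113.5 port 51271 ssh2
May 27 10:00:27 cam01 sshd[1211]: Failed password for invalid user guest from 203.0.113.5 port 51280 ssh2
May 27 10:01:00 cam01 sshd[1213]: Failed password for root from 198.51.100.7 port 40001 ssh2
May 27 10:02:30 cam01 sshd[1215]: Accepted publickey for ops from 192.0.2.10 port 33000 ssh2
May 27 10:05:40 cam01 sshd[1217]: Failed password for root from 203.0.113.5 port 51290 ssh2
May 27 10:30:00 cam01 sshd[1219]: Failed password for root from 198.51.100.7 port 40010 ssh2
"""


def parse_failures(log_text: str, year: int = 2025) -> list[tuple]:
    """Return (timestamp, source_ip, username) for each failed-password line.

    Syslog timestamps carry no year, so the caller supplies one (assumed).
    """
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def detect_bruteforce(events: list[tuple], threshold: int = 5,
                      window: timedelta = timedelta(minutes=2)) -> dict:
    """Return {ip: summary} for sources with >= threshold failures inside
    any sliding time window (assumed defaults: 5 failures in 2 minutes)."""
    by_ip = defaultdict(list)
    for ts, ip, user in sorted(events):
        by_ip[ip].append((ts, user))

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans <= window.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = {
                    "failures": len(evs),
                    "users": sorted({u for _, u in evs}),
                    "first_seen": evs[0][0],
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_bruteforce(parse_failures(SAMPLE_LOG)).items():
        print(ip, summary["failures"], "failures, users tried:", summary["users"])
```

Reporting the set of usernames tried is deliberate: a single source cycling through admin, root, pi and similar defaults is the spray pattern the article attributes to the C2-fed target lists, and it is a stronger signal than the raw count alone.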