
PumaBot Botnet

A newly discovered Linux botnet, dubbed PumaBot, is wreaking havoc across embedded IoT devices. Written in Go, this malware uses brute-force methods to crack SSH credentials, deploying malicious payloads once access is gained. Unlike traditional botnets that scan the internet indiscriminately, PumaBot zeroes in on specific IP addresses fetched directly from its Command-and-Control (C2) server.

Precision Targeting: A Tactical Shift in IoT Exploitation

PumaBot distinguishes itself by pulling curated IP target lists from its C2 server (ssh.ddos-cc.org), allowing it to conduct highly focused attacks. This approach avoids broad internet scans and suggests an intent to compromise specific organizations or devices. It even inspects devices for a 'Pumatronix' string — a clue that may point to the targeting of surveillance and traffic camera systems produced by this vendor.

From Recon to Root: PumaBot’s Attack Lifecycle

Once a device is chosen, PumaBot performs brute-force SSH login attempts on port 22. If successful, it runs 'uname -a' to gather system information and verify the device isn't a honeypot. After this verification, the botnet:

  • Writes its main binary (jierui) to /lib/redis
  • Installs a persistent systemd service (redis.service)
  • Injects its own SSH key into authorized_keys for long-term access, even after system cleanups

Beyond Infection: Command Execution and Data Theft

With access secured, PumaBot can execute further commands, including:

  • Deploying new payloads
  • Exfiltrating sensitive data
  • Facilitating lateral movement within networks

Detected payloads include:

  • Self-updating scripts
  • PAM rootkits that replace pam_unix.so
  • A daemon binary (named 1) acting as a file watcher

The malicious PAM module logs SSH credentials and stores them in con.txt. The 1 binary monitors for this file and, once found, exfiltrates it to the C2 server before wiping it from the infected system — a calculated move to cover its tracks.
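The host artifacts named above (the binary dropped under /lib/redis, the redis.service unit, the con.txt credential log, the watcher binary named 1, and the added authorized_keys entry) can be checked for with a short read-only script. The following is an added example, not code from the report or from the botnet itself; the ROOT parameter, the unit-file locations searched, and the whole-tree search for con.txt and 1 (whose locations the report does not give) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original report): read-only check for the PumaBot
# artifacts the write-up names. ROOT is an assumed parameter so the same checks
# run against a mounted image or a constructed test tree; pass "/" for the live
# host. con.txt and the "1" watcher have no stated location, so those checks
# search the whole tree (assumption).
hits=0
report() { hits=$((hits + 1)); echo "[PUMABOT] $1"; }
pumabot_scan() {
    root="${1%/}"          # strip a trailing slash so "/" becomes ""
    hits=0
    # 1. Dropped main binary: /lib/redis is not a path any Redis package uses.
    if [ -e "$root/lib/redis" ]; then
        report "path /lib/redis exists"
        if [ -f "$root/lib/redis/jierui" ]; then
            report "main binary /lib/redis/jierui present"
        fi
    fi
    # 2. Persistence: a unit named redis.service whose ExecStart points into
    #    /lib/redis. A legitimate Redis package can install a unit of the same
    #    name, so the ExecStart target is what distinguishes the two.
    for unit in "$root/etc/systemd/system/redis.service" \
                "$root/lib/systemd/system/redis.service" \
                "$root/usr/lib/systemd/system/redis.service"; do
        [ -f "$unit" ] || continue
        if grep -q '^ExecStart=.*/lib/redis' "$unit"; then
            report "redis.service runs a binary from /lib/redis: $unit"
        fi
    done
    # 3. PAM rootkit credential log (con.txt) and the executable named "1"
    #    that watches for it and exfiltrates it.
    found=$(find "$root/" -xdev -type f -name con.txt 2>/dev/null || true)
    [ -z "$found" ] || report "credential log candidate(s): $found"
    found=$(find "$root/" -xdev -type f -name 1 -perm -100 2>/dev/null || true)
    [ -z "$found" ] || report "executable named '1' (watcher candidate): $found"
    # 4. The injected SSH key itself is not published, so authorized_keys
    #    entries are counted for manual review rather than matched.
    for ak in "$root"/root/.ssh/authorized_keys "$root"/home/*/.ssh/authorized_keys; do
        [ -f "$ak" ] || continue
        n=$(grep -c -E '^(ssh-|ecdsa-|sk-)' "$ak" || true)
        echo "[REVIEW] $ak: $n authorized key(s); confirm each one is yours"
    done
    echo "findings: $hits"
}
# Stand-alone usage: sh pumabot_scan.sh /   (or the root of a mounted image)
if [ "$#" -gt 0 ]; then pumabot_scan "$1"; fi
```

A "findings: 0" result only means none of these specific artifacts are present; a modified pam_unix.so should still be compared against a known-good copy from your firmware or package source.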

Unknown Scope, High Stakes: PumaBot’s Silent Expansion

Researchers have not yet determined the scale or success rate of PumaBot's campaign. The extent of the target IP lists remains unclear. However, the botnet's focus on deeper network infiltration, rather than low-grade activities like DDoS attacks, suggests it poses a significant threat to corporate and critical infrastructure.

Stay Ahead: Defending Against PumaBot and Its Kind

To reduce the risk of compromise by PumaBot or similar threats:

  • Update firmware on all IoT devices
  • Change default credentials
  • Deploy firewalls and restrict SSH access
  • Isolate IoT devices on segmented networks

Proactive security practices are essential to keep botnet actors at bay and protect enterprise networks from deeper breaches.
