“PumaBot” – New Botnet Targets Linux-Based IoT Devices to Steal SSH Credentials and Mine Cryptocurrency

197/68 Friday, May 30, 2025

Cybersecurity firm Darktrace has discovered a new botnet dubbed “PumaBot”, which is actively targeting Internet of Things (IoT) devices running on Linux. Unlike traditional widespread scans, PumaBot uses SSH brute-force attacks to compromise devices and expand its botnet network. It pulls a curated list of IP addresses from an external server (ssh.ddos-cc[.]org) rather than randomly scanning the internet, reducing the likelihood of early detection.

Before launching an attack, PumaBot performs reconnaissance to avoid honeypots. For instance, it checks for the presence of the string “Pumatronix”, a known manufacturer of traffic cameras and detection systems, to evade decoys. Once a system is compromised, the malware embeds itself using fake filenames that mimic legitimate system files (e.g., /lib/redis) and registers fake systemd services like redis.service or mysqI.service to ensure persistence across reboots while remaining stealthy. PumaBot also initiates cryptocurrency mining using commands such as xmrig and networkxm, hijacking system resources without authorization.

Further analysis revealed that PumaBot’s infrastructure uses a combination of tools, including the “ddaemon” backdoor to download additional payloads, “networkxm” for SSH brute-forcing, and a malicious rootkit named “pam_unix.so” to steal login credentials and exfiltrate them to the command-and-control (C2) server. Security experts advise system administrators to closely monitor failed SSH login attempts, routinely check systemd services, inspect authorized_keys files, and configure firewalls with strict rules. They also recommend filtering anomalous HTTP requests, such as those containing suspicious X-API-KEY headers, to prevent infections from this evolving threat.
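Two of the checks recommended above, written as an added example that is not Darktrace's or the article's own code: it flags systemd unit names that are look-alikes of legitimate ones (such as the mysqI.service the article cites), ExecStart paths under /lib such as /lib/redis, and source addresses with repeated failed SSH logins. The allow-list, the unit files, the sshd log lines and the threshold are constructed for this example.

```python
import re
from collections import Counter

# Constructed allow-list for this example: unit name -> executable it should launch.
KNOWN_UNITS = {"redis.service": "/usr/bin/redis-server",
               "mysql.service": "/usr/sbin/mysqld"}
# Look-alike characters used to make a rogue unit name pass a glance
# (the article cites "mysqI.service": capital I in place of lowercase l).
HOMOGLYPHS = str.maketrans({"I": "l", "1": "l", "0": "o"})
EXEC_RE = re.compile(r"^ExecStart=(\S+)", re.M)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)")

def suspicious_units(units):
    """units: {unit file name: unit file text}. Returns [(name, reason), ...]."""
    findings = []
    for name, text in units.items():
        canon = name.translate(HOMOGLYPHS)
        if canon != name and canon in KNOWN_UNITS:
            findings.append((name, f"homoglyph of {canon}"))
        m = EXEC_RE.search(text)
        if m:
            exe = m.group(1)
            # PumaBot drops its binary under /lib (e.g. /lib/redis); real daemons
            # live in /usr/bin or /usr/sbin, and a known unit must launch its own.
            if exe.startswith("/lib/") or KNOWN_UNITS.get(name, exe) != exe:
                findings.append((name, f"unexpected ExecStart {exe}"))
    return findings

def brute_force_sources(auth_log, threshold=5):
    """Source IPs with at least `threshold` failed SSH password attempts."""
    counts = Counter(m.group(1) for m in FAILED_RE.finditer(auth_log))
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample data: three unit files and a few sshd log lines.
SAMPLE_UNITS = {
    "redis.service": "[Service]\nExecStart=/lib/redis\nRestart=always\n",
    "mysqI.service": "[Service]\nExecStart=/lib/mysql\n",
    "mysql.service": "[Service]\nExecStart=/usr/sbin/mysqld\n",
}
SAMPLE_AUTH_LOG = "\n".join(
    [f"May 30 10:00:{i:02d} iot sshd[10{i}]: Failed password for root from 198.51.100.7 port 4{i} ssh2"
     for i in range(6)]
    + ["May 30 10:01:00 iot sshd[110]: Failed password for invalid user admin from 203.0.113.9 port 4100 ssh2",
       "May 30 10:01:05 iot sshd[111]: Accepted publickey for ops from 192.0.2.4 port 5000 ssh2"])

if __name__ == "__main__":
    for name, reason in suspicious_units(SAMPLE_UNITS):
        print(f"UNIT  {name}: {reason}")
    for ip, n in brute_force_sources(SAMPLE_AUTH_LOG).items():
        print(f"SSH   {ip}: {n} failed logins")
```

On a live host, feed the script the contents of /etc/systemd/system/*.service and the sshd lines from the auth log (or journalctl -u ssh) in place of the constructed samples.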

Source: https://thehackernews.com/2025/05/new-pumabot-botnet-targets-linux-iot.html