Security researchers are warning about a novel Linux botnet, dubbed PumaBot, targeting Internet of Things (IoT) surveillance devices.
According to a DarkTrace observation, the botnet bypasses the usual playbook of conducting internet-wide scanning and instead brute-forces secure shell (SSH) credentials for a list of targets it receives from a command and control (C2) server.
“DarkTrace researchers have identified a custom Go-based Linux botnet targeting embedded Linux Internet of Things (IoT) devices,” researchers said in a blog post. “The botnet gains initial access through brute-forcing SSH credentials across a list of harvested IP addresses.”
By focusing on IoT surveillance devices, such as IP cameras and network video recorders, the botnet is exploiting equipment that is typically outside the scope of rigorous security measures.
Targeted infiltration via C2 coordination
PumaBot connects to a designated C2 server to obtain a curated list of IP addresses with open SSH ports. Using these lists, it attempts to brute-force SSH credentials to infiltrate devices, a technique that helps it reduce the likelihood of detection by traditional security measures that look for the noise from an internet-wide scan.
For the campaign, PumaBot uses a malware sample identified by the filename jierui that initiates the operation by invoking the getIPs() function to receive the IP list from the C2 server (ssh.ddos-cc[.]org). “It then performs brute-force login attempts on port 22 using credential pairs also obtained from the C2 through the readLinesFromURL(), brute(), and trySSHLogin() functions,” researchers said. Port 22 is the default network port used by the SSH protocol.
Inside its trySSHLogin() routine, the malware runs a series of environment fingerprinting checks to dodge honeypots and restricted shells. Additionally, it looks for the string “Pumatronix”, the name of a surveillance and traffic camera systems manufacturer, which probably inspired PumaBot’s naming.
Executing remote commands for persistence
After cracking a working username and password combination on a device from its list of harvested IPs, the botnet receives remote commands and sets up persistence through system service files.
The malware takes advantage of the shell access to execute a series of commands pulled from its C2 server. These include system information commands such as “uname -a”, which retrieves the OS name, kernel version, and architecture. Others modify system files, such as the systemd service units, to gain persistence within the compromised system.
“The malware also adds its own SSH keys into the users’ authorized_keys file. This ensures that access can be maintained, even if the service is removed,” researchers said.
Potential targets must tighten IoT routines
Targeted devices, if compromised, can serve as entry points for broader network infiltration or for larger botnet operations such as distributed denial of service (DDoS) attacks. Vulnerable organizations include those using IoT surveillance devices with poor SSH hygiene, as well as industrial and public sector systems.
DarkTrace's recommended actions to defend against such compromises include monitoring for anomalous SSH login activity, auditing systemd services regularly, inspecting authorized_keys files across user accounts, and applying stricter firewall rules to limit SSH exposure. Additionally, researchers shared a list of indicators of compromise (IoCs) for security teams to set detections for. The list includes hashes, RSA keys, URLs, and detection rules.
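Two of the recommended checks, written out as a small POSIX shell script. This is an added example, not code from DarkTrace or from the article: the first function counts failed SSH password logins per source address in OpenSSH log lines and reports any source at or above a threshold (the kind of concentrated failure run a credential-list brute force produces on a single device); the second walks a home-directory root and reports every authorized_keys file with its key count, so an unexpected key can be spotted against a known baseline. The log lines, the home-directory fixture, the threshold and the key blobs are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the DarkTrace report or the CSO article). Sample log
# lines, fixture paths and key blobs below are constructed, not real data.

# Constructed OpenSSH log excerpt: one source fails four times in a few seconds,
# another fails once and then logs in with a key.
SAMPLE_LOG='May 28 10:01:02 cam01 sshd[812]: Failed password for root from 203.0.113.7 port 51122 ssh2
May 28 10:01:03 cam01 sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
May 28 10:01:04 cam01 sshd[812]: Failed password for root from 203.0.113.7 port 51124 ssh2
May 28 10:01:05 cam01 sshd[812]: Failed password for root from 203.0.113.7 port 51125 ssh2
May 28 10:02:00 cam01 sshd[820]: Failed password for alice from 198.51.100.9 port 40000 ssh2
May 28 10:02:10 cam01 sshd[821]: Accepted publickey for alice from 198.51.100.9 port 40001 ssh2'

# Read sshd log text on stdin, count "Failed password" lines per source IP and
# print "IP COUNT" for every source whose count reaches the threshold (default 5).
ssh_bruteforce_sources() {
    threshold="${1:-5}"
    awk -v t="$threshold" '
        /sshd\[[0-9]+\]: Failed password for / {
            # the source address is the field after the literal word "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { count[$(i + 1)]++ }
        }
        END { for (ip in count) if (count[ip] >= t) print ip, count[ip] }
    ' | sort
}

# Find every .ssh/authorized_keys under a home-directory root (for example /home
# or /root) and print "PATH KEYCOUNT". Compare against a baseline: a new key on a
# camera or NVR that nobody provisioned is exactly what the report warns about.
audit_authorized_keys() {
    root="$1"
    find "$root" -path '*/.ssh/authorized_keys' -type f 2>/dev/null | while read -r f; do
        n=$(grep -cE '^(ssh-|ecdsa-|sk-)' "$f" || true)
        printf '%s %s\n' "$f" "$n"
    done
}

# Build a constructed home-directory fixture with one account holding two keys,
# run the audit on it and print just the key count. Used to show the audit works.
demo_authorized_keys_audit() {
    d=$(mktemp -d)
    mkdir -p "$d/alice/.ssh"
    # constructed placeholder blobs, not valid public keys
    printf 'ssh-ed25519 AAAAexample constructed-key-1\nssh-rsa AAAAexample constructed-key-2\n' \
        > "$d/alice/.ssh/authorized_keys"
    audit_authorized_keys "$d" | awk '{ print $NF }'
    rm -rf "$d"
}

# Stand-alone run: flag sources with three or more failures in the sample,
# then show the fixture audit.
printf '%s\n' "$SAMPLE_LOG" | ssh_bruteforce_sources 3
demo_authorized_keys_audit
```

On a real host the first function would be fed with `journalctl -u ssh` or the auth log, and the second with `/home` and `/root`; neither replaces the firewall and service-audit steps the researchers also recommend, but both are cheap to run from cron on the kind of embedded device the campaign targets.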
Original article: Novel PumaBot slips into IoT surveillance with stealthy SSH break-ins | CSO Online