NoaBot

Malware updated 6 months ago (2024-05-04T20:30:40.468Z)
NoaBot is a sophisticated malware variant that primarily targets Linux systems and uses a cryptominer to exploit system resources. It is based on the Mirai botnet, a notorious malware strain known for its ability to compromise Internet of Things (IoT) devices. NoaBot has most of the capabilities of the original Mirai botnet, including a scanner module, an attacker module, and the ability to conceal its process name. A key difference lies in the method of spreading: NoaBot uses SSH-based spreaders rather than the Telnet-based spreaders used by Mirai. This shift enhances NoaBot's effectiveness. Its SSH scanner also employs a different credential dictionary, and it introduces post-breach capabilities such as installing a new SSH authorized key as a backdoor.

NoaBot infiltration predominantly occurs through two main channels: HTTP/S transfers and email attachments. SafeBreach reports #9462 and #9461 document the transfer of the NoaBot miner over HTTP/S, covering both initial infiltration and lateral movement within networks. Reports #9464 and #9463 detail how NoaBot can be sent as a compressed attachment via email, which serves as another infiltration method and a means of lateral movement across systems.

NoaBot's capabilities and versatile attack vectors pose a significant threat to Linux systems. Its ability to download and execute additional binaries or propagate itself to new victims amplifies its potential damage. Organizations are advised to maintain robust security measures, including up-to-date antivirus software, regular system patching, and employee training to recognize suspicious downloads, emails, or websites.
Description last updated: 2024-05-04T17:03:18.263Z
Aliases: We are not currently tracking any aliases.