Go-Based Botnet Attacking IoT Devices
Using an SSH credential brute-force attack, the Go-based PumaBot is exploiting IoT devices everywhere.
Darktrace has discovered a new Go-based botnet, named PumaBot, that is targeting Internet of Things (IoT) devices and avoiding scanning by using a C2 server to acquire targets and then use brute-force attacks to grab SSH credentials.
PumaBot retrieves a list of targets from a command-and-control server and then establishes persistence, using system service files.
After harvesting a list of IP addresses for IoT devices with open SSH ports, PumaBot identifies a valid SSH credential pair, logs in, self-deploys, and begins the replication process. PumaBot uses a trySSHLogin() function to perform environment fingerprint checks to avoid getting trapped in honeypots or execution environments (such as restricted shells) that are suitable for its needs. If the environment passes the checks, the malware runs the uname -a command to discover the operating system type, kernel version, and architecture. After that, it disguises itself as a legitimate Redis system file, creates a systemd service, and adds its own SSH keys to the user's authorized_keys file.
PumaBot does not automatically propagate like a traditional worm, but it does present worm-like behavior.
According to Darktrace, it's important to monitor for anomalous SSH login activity, audit systemd services, inspect the authorized_keys file, filter or alert on outbound HTTP requests with nonstandard headers (such as X-API-KEY), and apply strict firewall rules to limit SSH exposure.
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Go-Based Botnet Attacking IoT Devices
Using an SSH credential brute-force attack, the Go-based PumaBot is exploiting IoT devices everywhere.
-
Plasma 6.5 Promises Better Memory Optimization
With the stable Plasma 6.4 on the horizon, KDE has a few new tricks up its sleeve for Plasma 6.5.
-
KaOS 2025.05 Officially Qt5 Free
If you're a fan of independent Linux distributions, the team behind KaOS is proud to announce the latest iteration that includes kernel 6.14 and KDE's Plasma 6.3.5.
-
Linux Kernel 6.15 Now Available
The latest Linux kernel is now available with several new features/improvements and the usual bug fixes.
-
Microsoft Makes Surprising WSL Announcement
In a move that might surprise some users, Microsoft has made Windows Subsystem for Linux open source.
-
Red Hat Releases RHEL 10 Early
Red Hat quietly rolled out the official release of RHEL 10.0 a bit early.
-
openSUSE Joins End of 10
openSUSE has decided to not only join the End of 10 movement but it also will no longer support the Deepin Desktop Environment.
-
New Version of Flatpak Released
Flatpak 1.16.1 is now available as the latest, stable version with various improvements.
-
IBM Announces Powerhouse Linux Server
IBM has unleashed a seriously powerful Linux server with the LinuxONE Emperor 5.
-
Plasma Ends LTS Releases
The KDE Plasma development team is doing away with the LTS releases for a good reason.