
‘Yet another Mirai-based botnet’ is spreading an illicit cryptominer

A well-designed operation is using a version of the infamous Mirai malware to secretly distribute cryptocurrency mining software, researchers said Wednesday.

Calling it NoaBot, researchers at Akamai said the campaign has been active for about a year and has various quirks that complicate analysis of the malware and point to highly skilled threat actors.

The NoaBot botnet spreads to Linux devices over SSH, a protocol that provides secure remote access to a computer or server over a network. As part of the attack, the malware installs a modified version of the XMRig miner on infected devices.

The Akamai researchers said that the details get fuzzier from there. The hackers take great care to hide the wallet address where the cryptominer sends mined coins. And other aspects of the campaign are difficult to size up.

“The malware obfuscation and custom code show a high level of operation security, which usually indicates mature threat actors, but the naming of the malware’s binaries and some of its included strings are quite childish,” the researchers said. “This complicates attribution.”

For example, the malware calls one Unix socket “NunzombiE” and also includes lyrics from the pop song “Who's Ready for Tomorrow” by Rat Boy and IBDY.

“As far as we can tell, those lyrics served no purpose. Later samples did not have them,” the researchers said.

NoaBot does appear to have links, though, to P2PInfect, a worm first identified in July 2023. The most recent incidents spotted by Akamai used that malware instead of the original Mirai-based code.

“How do we know that it’s the same threat actors, not just some sort of collaboration? We aren’t 100% certain, but we’re close,” the researchers said. “It all boils down to the technical professionalism in the malware, coupled with a teenager’s maturity level in terms of inside jokes, including inserting profanities in the miner’s name, embedding gaming pop song lyrics in malware binaries, and sending ‘hi’ while scanning for open ports.”

Mirai variants proliferated after its original U.S.-based creators published the source code in 2016. Originally used for distributed denial-of-service (DDoS) attacks, Mirai eventually became a tool for other malicious activities.

In fact, the Akamai researchers said they might have ignored NoaBot — "yet another Mirai-based botnet" — if some of its attributes hadn’t been a bit odd. It helped “that NoaBot samples aren't immediately detected as Mirai,” said Stiv Kupchik, a security researcher at Akamai.

“We usually dismiss Mirai samples because they're so prevalent,” Kupchik said.

The Akamai researchers said they hope their discoveries will be useful the next time the operation pops up.

“On the surface, NoaBot isn’t a very sophisticated campaign — it’s ‘just’ a Mirai variant and an XMRig cryptominer, and they’re a dime a dozen nowadays,” the researchers said. “However, the obfuscations added to the malware and the additions to the original source code paint a vastly different picture of the threat actors’ capabilities.”

Jonathan Greig contributed to this story.


Joe Warminsky is the news editor for Recorded Future News. He has more than 25 years of experience as an editor and writer in the Washington, D.C., area. Most recently he helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.