New Linux PumaBot Targets IoT Devices with SSH Credential Brute-Force Attack

A new and insidious threat has surfaced in the cybersecurity landscape as Darktrace’s Threat Research team uncovers PumaBot, a Go-based Linux botnet meticulously designed to exploit embedded Internet of Things (IoT) devices.

Unlike conventional botnets that cast a wide net through indiscriminate internet scans, PumaBot employs a highly targeted strategy, fetching a curated list of IP addresses from a command-and-control (C2) server to launch brute-force attacks on SSH credentials.

This focused approach not only enhances its stealth but also minimizes the risk of detection by security mechanisms designed to flag broad scanning activities.
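The brute-force activity described above still leaves a trace on the victim itself: a burst of failed SSH password attempts from one source, often followed by an accepted login. The script below is an added detection example (not code from the original article, Darktrace or PolySwarm) that walks syslog-style sshd lines, groups failures per source address, and flags any source that exceeds a threshold inside a time window, noting whether a successful login followed. The log lines, the five-failures-in-ten-minutes threshold and the host name `cam01` are constructed for illustration; on a real device you would feed it `/var/log/auth.log` or a journal export instead.

```python
"""Flag SSH password brute-force runs in sshd log lines (constructed sample data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches syslog-style sshd lines reporting a failed or accepted password login.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)

# Constructed sample: one source hammers root/admin/pi and then gets in as root,
# another source fails once and then logs in normally, plus an unrelated pam line.
SAMPLE_LOG = [
    "May 28 10:01:02 cam01 sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2",
    "May 28 10:01:04 cam01 sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2",
    "May 28 10:01:06 cam01 sshd[1205]: Failed password for root from 203.0.113.5 port 51238 ssh2",
    "May 28 10:01:08 cam01 sshd[1207]: Failed password for invalid user pi from 203.0.113.5 port 51240 ssh2",
    "May 28 10:01:10 cam01 sshd[1209]: Failed password for root from 203.0.113.5 port 51242 ssh2",
    "May 28 10:01:12 cam01 sshd[1211]: Failed password for root from 203.0.113.5 port 51244 ssh2",
    "May 28 10:01:15 cam01 sshd[1213]: Accepted password for root from 203.0.113.5 port 51246 ssh2",
    "May 28 10:03:30 cam01 sshd[1220]: Failed password for operator from 198.51.100.7 port 40000 ssh2",
    "May 28 10:03:41 cam01 sshd[1222]: Accepted password for operator from 198.51.100.7 port 40002 ssh2",
    "May 28 10:05:00 cam01 sshd[1230]: pam_unix(sshd:session): session opened for user root by (uid=0)",
]


def parse_sshd_line(line):
    """Return a dict for a password login event, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; strptime fills in 1900, which is fine for
    # measuring intervals within one file (assumption: no year boundary inside it).
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: finding} for every source with >= threshold failures inside
    `window`; the finding records whether an Accepted login followed the run."""
    events = [e for e in (parse_sshd_line(l) for l in lines) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "Failed"]
        # Slide a window over the sorted failures; stop at the first one that
        # holds `threshold` or more attempts.
        for i in range(len(failures)):
            j = i
            while j < len(failures) and failures[j]["ts"] - failures[i]["ts"] <= window:
                j += 1
            if j - i >= threshold:
                first_fail = failures[i]["ts"]
                success = next(
                    (e for e in evs if e["result"] == "Accepted" and e["ts"] >= first_fail),
                    None,
                )
                findings[ip] = {
                    "failures": len(failures),
                    "peak_in_window": j - i,
                    "users": sorted({e["user"] for e in failures[i:j]}),
                    "compromised_user": success["user"] if success else None,
                }
                break
    return findings


if __name__ == "__main__":
    for ip, f in detect_bruteforce(SAMPLE_LOG).items():
        tail = f"-> ACCEPTED as {f['compromised_user']}" if f["compromised_user"] else ""
        print(f"{ip}: {f['failures']} failures, users tried {f['users']} {tail}")
```

A source that exceeds the threshold and then produces an `Accepted` line is the highest-priority case, since it matches the point in the chain where the malware stops guessing and starts installing; the single-failure source is left alone so ordinary typos do not page anyone.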

A Sophisticated Go-Based Botnet Emerges

Once PumaBot gains access to a vulnerable device, it deploys its malicious binary, establishes persistence, and executes remote commands, with a primary focus on cryptocurrency mining.

This botnet poses a significant risk to unsecured IoT ecosystems, particularly those running Linux, highlighting the urgent need for robust security measures in embedded systems.

PumaBot’s infection chain is a masterclass in stealth and deception. After retrieving its target list from the C2 server, the malware systematically attempts to brute-force SSH credentials on devices with exposed ports.

Upon successful infiltration, it writes its binary to deceptive locations such as /lib/redis, masquerading as a legitimate Redis service.

To ensure persistence across reboots, PumaBot abuses systemd by creating misleading service files such as redis.service or mysqI.service (note the capital ‘I’ standing in for the ‘l’ in MySQL), blending in with legitimate system processes.

This clever use of native Linux tools and system paths complicates detection by traditional antivirus and endpoint security solutions.
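Both persistence tricks described above (a binary parked directly under /lib and a unit name that only looks like a real service) can be checked for mechanically. The script below is an added hunting example, not code from the article or from the researchers it cites: it scans a directory of `*.service` files, folds common homoglyphs (capital I for l, digit 0 for o, and so on) to expose look-alike unit names, and flags `ExecStart=` binaries that sit directly under /lib, where no packaged daemon is installed. The list of impersonated service names, the homoglyph table and the sample unit files are assumptions constructed for the demo; on a live system you would point `scan_units` at `/etc/systemd/system` and `/usr/lib/systemd/system`.

```python
"""Hunt for look-alike systemd units and binaries parked under /lib (constructed sample data)."""
import re
import tempfile
from pathlib import Path

# Service names worth impersonating on an embedded Linux box (assumed list; extend it).
LEGIT_NAMES = {"redis", "mysql", "mariadb", "sshd", "cron", "nginx"}

# Characters that pass for one another at a glance in a monospace listing.
HOMOGLYPHS = str.maketrans({"I": "l", "1": "l", "0": "o", "O": "o", "5": "s"})


def normalize(name):
    """Fold homoglyphs and case so 'mysqI' and 'MySQL' both become 'mysql'."""
    return name.translate(HOMOGLYPHS).lower()


def check_unit(path):
    """Return the reasons a unit file looks suspicious (empty list if clean)."""
    reasons = []
    stem = path.name.rsplit(".", 1)[0]
    # Spelled differently from a known service, yet identical once homoglyphs are
    # folded: that is a look-alike name rather than a legitimate unit.
    if stem not in LEGIT_NAMES and normalize(stem) in LEGIT_NAMES:
        reasons.append(f"look-alike unit name {path.name!r} resembles {normalize(stem)!r}")
    text = path.read_text(errors="replace")
    m = re.search(r"^ExecStart=(\S+)", text, re.M)
    if m:
        exe = m.group(1)
        # Packaged daemons live in /usr/bin, /usr/sbin or /usr/lib/<pkg>/...; a file
        # that is a direct child of /lib (e.g. /lib/redis) is not how they are installed.
        if re.fullmatch(r"/lib/[^/]+", exe):
            reasons.append(f"ExecStart binary {exe!r} sits directly under /lib")
    return reasons


def scan_units(unit_dir):
    """Scan every *.service file in unit_dir; return {filename: [reasons]} for hits only."""
    hits = {}
    for unit in sorted(Path(unit_dir).glob("*.service")):
        reasons = check_unit(unit)
        if reasons:
            hits[unit.name] = reasons
    return hits


def demo():
    """Build a throwaway unit directory holding one benign and two suspect units
    (constructed sample files, not recovered malware artefacts) and scan it."""
    d = Path(tempfile.mkdtemp())
    # Benign: well-known name, binary in the usual place.
    (d / "nginx.service").write_text(
        "[Unit]\nDescription=nginx\n[Service]\nExecStart=/usr/sbin/nginx -g 'daemon off;'\n"
    )
    # Suspect: legitimate-looking name, but the binary lives directly under /lib.
    (d / "redis.service").write_text(
        "[Unit]\nDescription=Redis\n[Service]\nExecStart=/lib/redis\nRestart=always\n"
    )
    # Suspect: capital I in place of l, and again a /lib binary.
    (d / "mysqI.service").write_text(
        "[Unit]\nDescription=MySQL\n[Service]\nExecStart=/lib/mysqI\nRestart=always\n"
    )
    return scan_units(d)


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name)
        for r in reasons:
            print("  -", r)
```

The two checks are deliberately independent: a unit whose name is spelled correctly but whose binary is misplaced still fires, and so does a look-alike name pointing at a plausible path, so an operator who fixes one half of the disguise does not silence the alert.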

Advanced Evasion Tactics

Furthermore, PumaBot collects critical system data, including OS name, kernel version, and architecture via commands like uname -a, packaging this information with the victim’s IP, port, username, and password into a JSON payload for exfiltration to the C2 server using custom HTTP headers.

Its primary payload often involves cryptocurrency mining, triggered by commands such as “xmrig” and “networkxm,” which likely involve downloading additional malicious components to the compromised host.

What sets PumaBot apart is its sophisticated evasion techniques. The botnet incorporates fingerprinting logic to sidestep honeypots and restricted environments, explicitly checking for strings like “Pumatronix”, a manufacturer of surveillance and traffic camera systems.

This suggests a targeted campaign either focusing on or excluding specific IoT devices, potentially zeroing in on surveillance ecosystems.

By avoiding worm-like automatic propagation, PumaBot operates as a semi-automated threat, relying on C2-driven target selection and brute-forcing to expand its network.

Related binaries, such as ddaemon (a Go-based backdoor) and installx.sh (a shell script that clears bash history and downloads further payloads from domains like “1.lusyn[.]xyz”), indicate a broader, multi-tool campaign orchestrated to maximize compromise and persistence.

According to the report, PolySwarm analysts have flagged PumaBot as an emerging threat, underscoring its potential to disrupt IoT environments if left unchecked.

The combination of targeted attacks, persistence mechanisms, and evasion tactics makes PumaBot a formidable adversary in the evolving landscape of IoT security.

Indicators of Compromise (IOCs)

SHA-256 Hash
a5125945d7489d61155723259990c168db01dfedcd76a2e1ba08caa3c4532ca3
426276a76f20b823e896e3c08f1c42f3d15a91a55c3613c7b3bdfbef0bbed9a9
0957884a5864deb4389da3b68d3d2a139b565241da3bb7b9c4a51c9f83b0f838
