Darktrace has discovered a new Go-based botnet, named PumaBot, that is targeting Internet of Things (IoT) devices and avoiding scanning by using a C2 server to acquire targets and then use brute-force attacks to grab SSH credentials.

PumaBot retrieves a list of targets from a command-and-control server and then establishes persistence, using system service files.

After harvesting a list of IP addresses for IoT devices with open SSH ports, PumaBot identifies a valid SSH credential pair, logs in, self-deploys, and begins the replication process. PumaBot uses a trySSHLogin() function to perform environment fingerprint checks to avoid getting trapped in honeypots or execution environments (such as restricted shells) that are suitable for its needs. If the environment passes the checks, the malware runs the uname -a command to discover the operating system type, kernel version, and architecture. After that, it disguises itself as a legitimate Redis system file, creates a systemd service, and adds its own SSH keys to the user's authorized_keys file.

PumaBot does not automatically propagate like a traditional worm, but it does present worm-like behavior.

According to Darktrace, it's important to monitor for anomalous SSH login activity, audit systemd services, inspect the authorized_keys file, filter or alert on outbound HTTP requests with nonstandard headers (such as X-API-KEY), and apply strict firewall rules to limit SSH exposure.