By focusing on IoT surveillance devices, such as IP cameras and network video recorders, the botnet is exploiting equipment that is typically outside the scope of rigorous security measures.
Targeted infiltration via C2 coordination
PumaBot connects to a designated C2 server to obtain a curated list of IP addresses with open SSH ports. Using these lists, it attempts to brute-force SSH credentials to infiltrate devices, a technique that helps it reduce the likelihood of detection by traditional security measures that look for the noise from an internet-wide scan.
For the campaign, PumaBot uses a malware identified by the filename jierui that initiates the operation by invoking the getIPs() function to receive the IP list from the C2 server (ssh.ddos-cc[.]org). “It then performs brute-force login attempts on port 22 using credential pairs also obtained from the C2 through the readLinesFromURL(), brute(), and trySSHLogin() functions,” researchers said. Port 22 is the default network port used by the SSH protocol.
Inside its trySSHLogin() routine, the malware runs a series of environment fingerprinting checks to dodge honeypots and restricted shells. Additionally, it looks for the string “Pumatronix”– which probably inspired PumaBot’s naming–, a surveillance and traffic camera systems manufacturer.
