PumaBot is an emerging botnet targeting embedded Linux-based IoT devices, primarily through brute-force attacks on SSH credentials. Unlike botnets that scan the internet for victims, it retrieves potential targets from a command-and-control server. Once it gains access to a device, the botnet executes remote commands and establishes persistence by disguising itself as a legitimate system file. Notably, it checks for honeypots and for the presence of specific manufacturers, indicating either selection or exclusion criteria. This disguise lets the botnet survive system reboots without being noticed, expanding its reach and impact.
Rather than scanning the internet, the malware retrieves a list of targets from a command-and-control (C2) server and attempts to brute force SSH credentials.
The malware writes itself to /lib/redis, attempting to disguise itself as a legitimate Redis system file.
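As an added, defender-side example that is not part of the original write-up and not PumaBot code, the following Python checks cover the two behaviours described above: it counts failed SSH logins per source over sshd log lines (the log format is OpenSSH's, the excerpt and TEST-NET addresses are constructed, and the threshold of 3 is an assumed tuning value), flags any brute-forcing source that later logged in successfully, and inspects the /lib/redis path the write-up names as the drop location.

```python
"""Defender-side checks for the PumaBot behaviours described above (SSH brute
forcing, persistence file at /lib/redis). Added example; not PumaBot code and
not code from the original write-up."""
import os
import re
from collections import Counter

# OpenSSH sshd message shapes (assumed format; the log excerpt below is constructed).
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\d+(?:\.\d+){3})")
ACCEPTED_RE = re.compile(r"Accepted \w+ for \S+ from (\d+(?:\.\d+){3})")

# Constructed log excerpt using TEST-NET addresses; not real traffic.
SAMPLE_AUTH_LOG = [
    "May 20 10:00:01 cam01 sshd[1200]: Failed password for root from 203.0.113.5 port 41122 ssh2",
    "May 20 10:00:02 cam01 sshd[1201]: Failed password for admin from 203.0.113.5 port 41123 ssh2",
    "May 20 10:00:03 cam01 sshd[1202]: Failed password for invalid user pi from 203.0.113.5 port 41124 ssh2",
    "May 20 10:00:04 cam01 sshd[1203]: Failed password for root from 198.51.100.7 port 50001 ssh2",
    "May 20 10:00:05 cam01 sshd[1204]: Accepted password for root from 203.0.113.5 port 41125 ssh2",
]

def brute_force_sources(log_lines, threshold=3):
    """{ip: failure_count} for sources at or above the threshold (an assumed tuning
    value; a bot cycling a credential list fails far more often than a typo)."""
    failures = Counter()
    for line in log_lines:
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(1)] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}

def compromised_by_brute_force(log_lines, threshold=3):
    """Sorted brute-forcing sources that later logged in successfully: the
    finding to act on first, since the device is then likely running the bot."""
    suspects = brute_force_sources(log_lines, threshold)
    hits = set()
    for line in log_lines:
        m = ACCEPTED_RE.search(line)
        if m and m.group(1) in suspects:
            hits.add(m.group(1))
    return sorted(hits)

def persistence_finding(path="/lib/redis"):
    """Inspect the drop path named in the write-up. Packaged Redis keeps binaries
    under /usr/bin and data under /var/lib/redis, so /lib/redis has no legitimate
    owner. Returns None when absent, else a small record for the analyst."""
    if not os.path.lexists(path):
        return None
    st = os.lstat(path)
    kind = "symlink" if os.path.islink(path) else "dir" if os.path.isdir(path) else "file"
    return {"path": path, "type": kind, "executable": bool(st.st_mode & 0o111), "size": st.st_size}
```

Run the persistence check on each device in the fleet and feed the brute-force counts into your existing alerting; a hit from `compromised_by_brute_force` on a device that also has a file at /lib/redis warrants isolating the device.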