Novel Pumabot botnet slips into IoT surveillance devices through stealthy SSH brute-force attacks

By targeting IoT surveillance devices such as IP cameras and network recorders, the botnet takes advantage of devices that usually fall outside the scope of strict security controls.
Targeted intrusion through C2 coordination
Pumabot connects to a designated C2 server to retrieve a curated list of IP addresses with open SSH ports. Using these lists, it attempts to brute-force SSH credentials to break into the devices, an approach that avoids the noise of Internet-wide scanning and so reduces the chance of detection by traditional security controls.
In its campaigns, Pumabot uses a malware binary identified by the file name Jierui, which starts its operation by calling the getIPs() function to receive an IP list from the C2 server (ssh.ddos-cc[.]org). “It then uses credentials, also obtained from the C2 through the readLinesFromURL(), brute() and trySSHLogin() functions, to make brute-force login attempts on port 22,” the researchers said. “Port 22 is the default network port used by the SSH protocol.”
In its trySSHLogin() routine, the malware runs a series of environment fingerprinting checks to avoid honeypots and restricted shells. It also looks for the string “Pumatronix” (which likely inspired the Pumabot name), a manufacturer of surveillance and traffic camera systems.
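The intrusion sequence above (credential list from the C2, brute-force attempts against port 22, then a successful login) leaves a recognisable trace in the target's sshd log. The following detector is an added example written for this page; it is not code from the article, from the researchers, or from Pumabot itself. It assumes the OpenSSH "Failed password" / "Accepted password" message format as written to syslog or auth.log, a fixed year for the year-less syslog timestamps, and threshold values (five failures in 120 seconds, three failures before an accepted login) that are this example's own choices. The sample log lines are constructed, not a real capture.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches OpenSSH password-authentication events as sshd logs them to syslog /
# auth.log, e.g.
#   "May 28 10:15:01 cam01 sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2"
#   "May 28 10:15:02 cam01 sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2"
#   "May 28 10:15:09 cam01 sshd[1206]: Accepted password for root from 203.0.113.5 port 51239 ssh2"
SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_line(line, year=2025):
    """Parse one sshd log line; return a dict, or None for lines we do not care about.

    Syslog timestamps carry no year, so one is supplied (assumption: 2025, the
    year used in the constructed sample below)."""
    m = SSHD_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_ssh_bruteforce(lines, burst_threshold=5, window_seconds=120,
                          min_failures_before_success=3):
    """Flag SSH brute-force activity per source IP using a sliding time window.

    Two rules (thresholds are this example's assumptions; tune per environment):
      * bruteforce_burst: >= burst_threshold failed logins from one source
        within window_seconds (reported once per source).
      * success_after_failures: an accepted login from a source that produced
        >= min_failures_before_success failures inside the window, i.e. the
        brute force most likely worked and the device is now compromised.
    """
    recent_failures = defaultdict(deque)   # ip -> failure timestamps inside the window
    users_tried = defaultdict(set)         # ip -> usernames seen in failures
    burst_reported = set()
    alerts = []

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        window = recent_failures[ip]
        # Drop failures older than the window before evaluating this event.
        while window and (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()

        if ev["result"] == "Failed":
            window.append(ts)
            users_tried[ip].add(ev["user"])
            if len(window) >= burst_threshold and ip not in burst_reported:
                burst_reported.add(ip)
                alerts.append({"type": "bruteforce_burst", "ip": ip,
                               "failures": len(window),
                               "users": sorted(users_tried[ip]), "at": ts})
        elif len(window) >= min_failures_before_success:
            alerts.append({"type": "success_after_failures", "ip": ip,
                           "user": ev["user"], "failures": len(window), "at": ts})
    return alerts


# Constructed sample (not a real capture): one source hits the camera's sshd
# with five failures in eight seconds and then gets in as root, while a
# legitimate admin mistypes once and succeeds.
SAMPLE_LOG = [
    "May 28 10:15:01 cam01 sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2",
    "May 28 10:15:02 cam01 sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2",
    "May 28 10:15:04 cam01 sshd[1203]: Failed password for root from 203.0.113.5 port 51236 ssh2",
    "May 28 10:15:05 cam01 sshd[1204]: Failed password for invalid user ubnt from 203.0.113.5 port 51237 ssh2",
    "May 28 10:15:07 cam01 sshd[1205]: Failed password for root from 203.0.113.5 port 51238 ssh2",
    "May 28 10:15:09 cam01 sshd[1206]: Accepted password for root from 203.0.113.5 port 51239 ssh2",
    "May 28 10:20:00 cam01 sshd[1300]: Failed password for alice from 198.51.100.7 port 40000 ssh2",
    "May 28 10:20:30 cam01 sshd[1301]: Accepted password for alice from 198.51.100.7 port 40001 ssh2",
    "May 28 10:20:31 cam01 sshd[1301]: pam_unix(sshd:session): session opened for user alice by (uid=0)",
]

if __name__ == "__main__":
    for alert in detect_ssh_bruteforce(SAMPLE_LOG):
        print(alert)
```

Because Pumabot works from a curated target list rather than scanning the whole Internet, the per-device failure volume can stay well below a classic burst threshold; in practice the success-after-failures rule, and correlating modest failure counts from the same source across many cameras and recorders, catches more than a high-volume threshold on any single host. Keying the first rule on distinct usernames as well as raw failure count is another cheap refinement, since a credential list delivered by the C2 typically cycles through several default accounts.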