The botnet targets IoT surveillance devices, such as IP cameras and network video recorders, which usually sit outside the scope of rigorous security controls.
C2-coordinated targeted infiltration
PumaBot connects to a designated C2 server to obtain a curated list of IP addresses with an open SSH port. Using these lists, it attempts to brute-force SSH credentials to infiltrate devices, a technique that reduces the chance of detection by traditional security controls that look for the noise of internet-wide scans.
In this campaign, PumaBot uses a malware file named Jierui that starts its operation by invoking the Getips() function to fetch an IP list from the C2 server (ssh.ddos-cc[.]org). Researchers said, "It then attempts brute-force logins on port 22 using credential pairs also obtained from the C2, through the redlinesfromurl(), crute(), and trySshlogin() functions." Port 22 is the default network port used by the SSH protocol.
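On the defender's side, the brute-force pattern described above (repeated failed logins for many usernames from one source on port 22, sometimes followed by a success) can be surfaced from a device's sshd logs. The following is an added Python example, not code from the report or from PumaBot; the log lines are constructed and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines (syslog format); not taken from the report.
SAMPLE_LOG = """\
May 20 10:01:02 cam01 sshd[812]: Failed password for root from 203.0.113.7 port 51822 ssh2
May 20 10:01:04 cam01 sshd[813]: Failed password for invalid user admin from 203.0.113.7 port 51830 ssh2
May 20 10:01:05 cam01 sshd[814]: Failed password for invalid user ubnt from 203.0.113.7 port 51841 ssh2
May 20 10:01:07 cam01 sshd[815]: Failed password for invalid user pi from 203.0.113.7 port 51850 ssh2
May 20 10:01:09 cam01 sshd[816]: Accepted password for root from 203.0.113.7 port 51859 ssh2
May 20 10:03:30 cam01 sshd[820]: Failed password for alice from 198.51.100.4 port 40010 ssh2
May 20 10:03:45 cam01 sshd[821]: Accepted publickey for alice from 198.51.100.4 port 40011 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse(log_text, year=2025):
    """Turn sshd auth lines into (timestamp, result, user, source_ip) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def find_bruteforce(events, min_failures=3, window_seconds=60):
    """Flag sources with >= min_failures failed logins (any usernames) inside the
    window, and record whether a successful login from that source followed."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        failures = [e for e in evs if e[1] == "Failed"]
        for i, first in enumerate(failures):
            window = [f for f in failures[i:] if (f[0] - first[0]).total_seconds() <= window_seconds]
            if len(window) >= min_failures:
                last_fail = window[-1][0]
                success = any(e[1] == "Accepted" and e[0] >= last_fail for e in evs)
                alerts[ip] = {"failures": len(window),
                              "users": sorted({f[2] for f in window}),
                              "success_after": success}
                break
    return alerts
```

A source flagged with `success_after` set is the case worth escalating: the device has probably been compromised rather than merely probed.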
Inside its trySshlogin() routine, the malware runs a series of environment fingerprinting checks to evade honeypots and restricted shells. It also looks for the string "Pumatronics", a manufacturer of surveillance and traffic camera systems, which likely inspired the PumaBot name.