Security researchers have identified a new and sophisticated Linux malware campaign that cleverly combines a Mirai-derived Distributed Denial of Service (DDoS) botnet with a stealthy, fileless cryptocurrency miner. This potent hybrid threat, named V3G4 by Cyble Research Intelligence Labs, targets both Internet of Things (IoT) devices and cloud Linux servers, marking a significant advancement in the methods employed by cybercriminals.
The malware operates through a multi-stage infection process, designed to compromise a wide range of Linux systems and IoT devices across various architectures. Its objective is to establish persistent access for conducting disruptive DDoS attacks while simultaneously siphoning device resources for cryptocurrency mining, thereby maximizing profit for the threat actors.
The V3G4 Malware: A Dual-Threat Linux Assault
The V3G4 campaign initiates its attack with a compact shell script known as the Universal Bot Downloader. This script is programmed to automatically detect the victim system’s CPU architecture, typically using the `uname -m` command common in Linux environments. Based on this identification, the script constructs a specific download URL to fetch the appropriate bot binary from an attacker-controlled server located at 103.149.93.224.
Following established patterns seen in many IoT botnets, the payload is then written directly to the `/tmp` directory. It is subsequently granted executable permissions via the `chmod` command and launched immediately. This rapid deployment strategy allows the malware to spread quickly and efficiently across a diverse range of Linux-based systems.
Once active, the malware, which is UPX-packed and stripped of debugging information, proceeds to gather essential system information. This reconnaissance phase helps the malware determine optimal operational parameters by examining details such as the kernel version and process limits. Cyble analysts observed that the malware prints a distinctive signature banner, “xXxSlicexXxxVEGA,” to the standard output. This behavior has been previously associated with V3G4-Mirai strains, particularly in cloud-based infection scenarios.
To enhance its stealth, the bot then attempts to masquerade as the legitimate `systemd-logind` daemon using `prctl` system calls. It further obscures its presence by closing standard input, output, and error streams and detaching from the controlling terminal with `setsid`. These actions are crucial for evading process monitoring and minimizing the chances of detection by security software or system administrators.
Infection Mechanism and Stealth Architecture
The malware’s command-and-control (C2) infrastructure is notably sophisticated, employing a dual approach that includes raw TCP socket scanning and DNS-based resilience. Multiple worker threads are deployed to rapidly scan port 22, the standard SSH port, across the internet using SYN packets. This high-velocity scanning facilitates swift SSH brute-force propagation to new potential victims.
Concurrently, the bot issues multi-threaded DNS queries, often to public resolvers such as Google’s (8.8.8.8), to resolve the C2 domain `baojunwakuang.asia`, which resolves to the IP address 159.75.47.123. This domain serves both botnet commands and cryptocurrency miner configurations. The malware communicates over non-standard ports, such as 60194, which helps its traffic blend in and makes it less likely to be flagged as anomalous.
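The network indicators above (the C2 and download-server IPs, the C2 port and the C2 domain) are what a defender can hunt for on a suspected host and in network telemetry. The following is an added example written for this page, not code from Cyble or from the article: it decodes the kernel's `/proc/net/tcp` table to find live connections to those indicators, counts per-source SSH fan-out over flow records (the raw-socket SYN scanning described above never appears in `/proc/net/tcp`, so that check must be fed firewall or NetFlow-style records instead), and matches resolver log lines against the C2 domain. All sample data is constructed; the `/proc/net/tcp` decoding assumes a little-endian host, the flow-record shape and the resolver log format are assumptions, and the fan-out threshold of three distinct targets is an arbitrary starting point.

```python
"""Hunt for V3G4 network indicators in /proc/net/tcp, flow records and DNS logs (added example)."""
import socket
import struct
from collections import defaultdict
from typing import NamedTuple

# Indicators taken from the write-up: download server, C2 host, C2 port, C2 domain.
C2_IPS = {"159.75.47.123", "103.149.93.224"}
C2_PORTS = {60194}
C2_DOMAIN = "baojunwakuang.asia"

# Subset of the kernel's TCP state codes as they appear in /proc/net/tcp.
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "0A": "LISTEN"}


class Conn(NamedTuple):
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str


def _decode_addr(field: str) -> tuple[str, int]:
    """/proc/net/tcp encodes 'IP:PORT' as hex; the IPv4 word is in host (little-endian) byte order."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))  # assumes little-endian host
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> list[Conn]:
    """Parse the text of /proc/net/tcp into Conn records (first line is the column header)."""
    conns = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 4:
            continue
        lip, lport = _decode_addr(parts[1])
        rip, rport = _decode_addr(parts[2])
        conns.append(Conn(lip, lport, rip, rport, TCP_STATES.get(parts[3], parts[3])))
    return conns


def find_c2_connections(conns: list[Conn]) -> list[Conn]:
    """Connections whose peer is a known C2/download IP or the non-standard C2 port."""
    return [c for c in conns if c.remote_ip in C2_IPS or c.remote_port in C2_PORTS]


def find_ssh_fanout(flows, threshold: int = 3) -> dict[str, int]:
    """flows: iterable of (src_ip, dst_ip, dst_port). Returns sources that touched
    at least `threshold` distinct hosts on port 22, the pattern of SSH propagation."""
    targets = defaultdict(set)
    for src, dst, dport in flows:
        if dport == 22:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


def find_c2_dns(log_lines) -> list[str]:
    """Resolver log lines that mention the C2 domain (case-insensitive)."""
    return [line for line in log_lines if C2_DOMAIN in line.lower()]


# --- Constructed sample input (not captured from a real infection) ---------------------------
# Row 0: 10.0.0.5:45000 -> 159.75.47.123:60194 ESTABLISHED (hits both IP and port indicators)
# Row 1: 10.0.0.5:51003 -> 203.0.113.7:443 ESTABLISHED (benign HTTPS, documentation address)
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0500000A:AFC8 7B2F4B9F:EB22 01 00000000:00000000 00:00000000 00000000     0        0 31337 1 0000000000000000 20 4 30 10 -1
   1: 0500000A:C73B 077100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 31341 1 0000000000000000 20 4 30 10 -1
"""

# Constructed flow records: (src_ip, dst_ip, dst_port). 10.0.0.5 fans out to four hosts on 22.
FLOWS = [
    ("10.0.0.5", "198.51.100.10", 22),
    ("10.0.0.5", "198.51.100.11", 22),
    ("10.0.0.5", "198.51.100.12", 22),
    ("10.0.0.5", "198.51.100.13", 22),
    ("10.0.0.7", "198.51.100.10", 22),
    ("10.0.0.5", "203.0.113.7", 443),
]

# Constructed resolver log lines in an assumed BIND-like format.
DNS_LOG = [
    "client 10.0.0.5#4123: query: baojunwakuang.asia IN A + (8.8.8.8)",
    "client 10.0.0.9#5520: query: example.org IN AAAA + (8.8.8.8)",
]

if __name__ == "__main__":
    for c in find_c2_connections(parse_proc_net_tcp(PROC_NET_TCP)):
        print("C2 connection:", c)
    for src, n in find_ssh_fanout(FLOWS).items():
        print(f"SSH fan-out from {src}: {n} distinct targets")
    for line in find_c2_dns(DNS_LOG):
        print("C2 DNS query:", line)
```

On a live host, replace `PROC_NET_TCP` with the contents of `/proc/net/tcp` (and `/proc/net/tcp6` needs a separate 128-bit decoder, not shown). Because the C2 IP and domain can change between samples, treat the port and fan-out heuristics as the durable part and the literal indicators as a point-in-time list.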
The third-stage payload of the V3G4 malware features a clandestine XMRig-based Monero miner. This component particularly highlights the campaign’s focus on evading detection. Instead of relying on static configuration files that could be easily found and analyzed, the malware dynamically retrieves mining parameters directly from the C2 server at runtime.
To blend in with legitimate system processes, the loader disguises the miner as `/tmp/.dbus-daemon`. It then requests configuration data via TCP, receiving a JSON blob that contains essential details such as wallet addresses, mining pool URLs, and algorithm settings. This fileless delivery method ensures that no persistent artifacts are left on disk, making forensic analysis significantly more challenging for security professionals.
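The two disguises described above, the bot renaming itself to `systemd-logind` with `prctl` and the miner running as `/tmp/.dbus-daemon`, share a weakness: `prctl(PR_SET_NAME)` changes only `/proc/<pid>/comm`, while `/proc/<pid>/exe` still points at the real binary, and a real `systemd-logind` does not live in `/tmp`. The following hunting script is an added example written for this page, not code from Cyble or the article. It reads `comm`, `exe` and the standard-stream descriptors of every process and flags those whose name belongs to a watched daemon but whose executable is outside a trusted directory, whose executable runs from a temporary directory or has been unlinked, and, as corroboration only, whose stdin/stdout/stderr are all closed. The watched names come from the page; the trusted and temporary directory lists are assumptions about a typical distribution layout, and `hunt()` needs root to read `exe` for other users' processes.

```python
"""Find processes masquerading as systemd-logind/dbus-daemon or running from /tmp (added example)."""
import os
from dataclasses import dataclass

# Names the page reports the bot and miner hiding behind; comm is what prctl(PR_SET_NAME) rewrites.
WATCHED_NAMES = {"systemd-logind", "dbus-daemon", ".dbus-daemon"}
# Where a genuine systemd/dbus binary is expected to live (assumption: typical distro layout).
TRUSTED_DIRS = ("/usr/lib/systemd/", "/lib/systemd/", "/usr/bin/", "/bin/", "/usr/sbin/", "/sbin/")
# World-writable drop locations; /tmp is the one the page reports, the others are common extras.
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class ProcessInfo:
    pid: int
    comm: str          # contents of /proc/<pid>/comm (what `ps` shows as the name)
    exe: str           # target of the /proc/<pid>/exe symlink, "" if unreadable
    stdio_open: bool   # True if any of file descriptors 0, 1, 2 still exists


def classify(info: ProcessInfo) -> list[str]:
    """Return a list of reasons this process looks like the masquerading bot/miner ([] if clean)."""
    if not info.exe:
        return []  # kernel thread, or no permission to read exe: nothing to judge
    findings = []
    exe = info.exe
    if exe.endswith(" (deleted)"):  # binary unlinked after launch, a classic fileless trick
        findings.append("exe unlinked from disk")
        exe = exe[: -len(" (deleted)")]
    if exe.startswith(TEMP_DIRS):
        findings.append(f"exe runs from temp dir: {exe}")
    if info.comm in WATCHED_NAMES and not exe.startswith(TRUSTED_DIRS):
        findings.append(f"comm {info.comm!r} but exe is {exe!r}")
    # Daemons legitimately close stdio, so only report it to corroborate another finding.
    if findings and not info.stdio_open:
        findings.append("stdin/stdout/stderr closed")
    return findings


def collect(proc_root: str = "/proc") -> list[ProcessInfo]:
    """Snapshot every numeric entry under proc_root into a ProcessInfo."""
    procs = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "comm")) as fh:
                comm = fh.read().strip()
            try:
                exe = os.readlink(os.path.join(base, "exe"))
            except OSError:
                exe = ""  # kernel thread or not permitted (run as root for full coverage)
            fd_dir = os.path.join(base, "fd")
            # lexists: fd links to sockets/pipes are dangling, so do not follow them
            stdio_open = any(os.path.lexists(os.path.join(fd_dir, str(n))) for n in (0, 1, 2))
        except OSError:
            continue  # process exited while we were reading it
        procs.append(ProcessInfo(int(entry), comm, exe, stdio_open))
    return procs


def hunt(proc_root: str = "/proc") -> dict[int, list[str]]:
    """Map pid -> findings for every process that classify() flags."""
    results = {}
    for proc in collect(proc_root):
        reasons = classify(proc)
        if reasons:
            results[proc.pid] = reasons
    return results


if __name__ == "__main__":
    for pid, reasons in sorted(hunt().items()):
        print(pid, "; ".join(reasons))
```

The `(deleted)` suffix is how the kernel renders an `exe` link whose file has been removed; `/proc/<pid>/exe` can still be copied out in that state, which is the first thing to preserve when a hit is confirmed, since the configuration the page describes never touches disk and the binary may be all that is recoverable.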
The adoption of this fileless approach allows the operators of the V3G4 malware to rotate mining parameters in near real-time, adapt to network changes, and hinder any ongoing forensic investigations. The combined use of masqueraded processes, raw socket scanning for propagation, and dynamic configuration delivery showcases the evolving tactics of modern botnets aimed at maximizing stealth and monetization across compromised Linux environments.
The continued development and deployment of sophisticated threats like V3G4 underscore the persistent risk posed by Linux malware, particularly in the IoT and cloud computing landscapes. Future iterations may introduce even more advanced evasion techniques or expand the range of targeted vulnerabilities, necessitating ongoing vigilance and robust security measures to counteract these persistent threats.