New Linux botnet SSHStalker uses old-school IRC for C2 comms

Divergent
Jul 26, 2025
A newly documented Linux botnet named SSHStalker is using the IRC (Internet Relay Chat) communication protocol for command-and-control (C2) operations.

The protocol was invented in 1988, and its adoption peaked during the 1990s, becoming the main text-based instant messaging solution for group and private communication.

Technical communities still value it for its simple implementation, interoperability, low bandwidth requirements, and the fact that it needs no GUI; the same properties make it cheap to embed in a bot.

Technical Analysis & Remediation

MITRE ATT&CK Mapping

T1110 (Brute Force)
Automated SSH scanning and password guessing using a Go binary masquerading as nmap.

T1071 (Application Layer Protocol)
C2 traffic rides on classic IRC channels (ATT&CK has no IRC-specific sub-technique, so the parent technique applies).

T1053.003 (Scheduled Task/Job: Cron)
Persistence maintained via cron jobs running every 60 seconds.

T1068 (Exploitation for Privilege Escalation)
Targets 16 legacy Linux kernel CVEs from 2009-2010.

Telemetry & Artifacts

Filenames

GS, bootbou (Archives containing bot variants).

Paths
Activity frequently targets or executes from /dev/shm.

Payloads
PhoenixMiner (Ethereum miner), GCC (Compiler toolchain downloaded post-infection).

Network Behavior
High-volume outbound SSH scanning and login attempts from infected hosts; long-lived connections to IRC servers. IRC conventionally uses TCP 6667 (6697 with TLS), but the source does not enumerate the ports SSHStalker actually uses, so do not rely on port-based detection alone.

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3)

GOVERN (GV) – Crisis Management

Command
Audit all Linux assets for End of Life (EOL) kernel versions vulnerable to the legacy CVE set this botnet uses (2009-2010 era; any 2.6-series kernel reported by uname -r is long past end of life). An unpatched kernel of that age on an internet-facing host is the real exposure here.

Command
Review "Shadow IT" policies, specifically regarding unmanaged cloud instances (Oracle Cloud was a noted target).

DETECT (DE) – Monitoring & Analysis

Command
Implement SIEM alerts for execution of gcc, cc or make on production servers where no development activity is expected; the bot pulls a compiler toolchain onto the host after infection, which a hardened server should never do on its own.

Command
Hunt for cron jobs that run every minute (* * * * * or */1 * * * *) or reference /dev/shm, across every crontab location: /etc/crontab, /etc/cron.d/, the per-user spool under /var/spool/cron/, and crontab -l -u <user> for each account, not just the invoking user's crontab -l.

Command
Monitor network traffic for outbound IRC protocol signatures (cleartext commands such as NICK, USER, JOIN and PRIVMSG at the start of a line). This only works while the C2 channel is unencrypted; if the operators move to IRC over TLS (conventionally port 6697), fall back to baselining which servers talk to external hosts on unusual ports at all.
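The IRC signature check above, as an added example that is not part of the source article or the SSHStalker analysis: a shell function that reads a cleartext text dump of a TCP stream (for instance the output of tcpdump -A, or strings over an extracted stream) and reports whether the stream looks like an IRC client registration (NICK plus USER) followed by channel activity (JOIN or PRIVMSG), rather than alerting on any single keyword. The sample stream is constructed for illustration; the nick, channel, server name and addresses in it are made up.

```shell
#!/usr/bin/env bash
# Added example (not from the source article): classify a cleartext TCP
# stream dump as probable IRC C2. Input on stdin is one protocol line per
# text line, e.g. from `tcpdump -A` or `strings` over an extracted stream.
irc_c2_verdict() {
  tr -d '\r' | awk '
    {
      # IRC lines are "[:prefix] VERB params ..."; take the verb and ignore
      # numeric server replies (001, 372, ...) and non-IRC text
      verb = ($1 ~ /^:/) ? $2 : $1
      verb = toupper(verb)
      if (verb ~ /^(NICK|USER|JOIN|PRIVMSG|PING|PONG)$/) seen[verb]++
    }
    END {
      registered = ("NICK" in seen) && ("USER" in seen)    # client login
      active     = ("JOIN" in seen) || ("PRIVMSG" in seen) # channel traffic
      if (registered && active)
        printf "irc-c2-likely nick=%d user=%d join=%d privmsg=%d\n", seen["NICK"], seen["USER"], seen["JOIN"], seen["PRIVMSG"]
      else if (registered || active)
        print "irc-partial"    # a lone keyword: review it, do not page on it
      else
        print "no-irc"
    }'
}

# Constructed sample: a bot registering under a made-up nick, joining a
# control channel and receiving a command from an operator.
SAMPLE_IRC_STREAM='NICK [x86]-4f2a9
USER x86 localhost localhost :x86
:irc.example.invalid 001 [x86]-4f2a9 :Welcome
JOIN #ctl :secret
:op!op@198.51.100.7 PRIVMSG #ctl :.scan 203.0.113.0/24
PING :irc.example.invalid
PONG :irc.example.invalid'

# Constructed sample of an ordinary HTTP request for comparison.
SAMPLE_HTTP_STREAM='GET /index.html HTTP/1.1
Host: www.example.invalid
User-Agent: curl/8.0'

printf '%s\n' "$SAMPLE_IRC_STREAM"  | irc_c2_verdict   # irc-c2-likely nick=1 user=1 join=1 privmsg=1
printf '%s\n' "$SAMPLE_HTTP_STREAM" | irc_c2_verdict   # no-irc
```

Pair this with connection-level visibility: Zeek's IRC analyzer writes an irc.log and identifies IRC by protocol signatures rather than port alone, which matters because the source does not say which port the SSHStalker servers listen on. A TLS-wrapped session shows nothing in cleartext, so the keyword check complements, rather than replaces, baselining outbound connections from servers.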

RESPOND (RS) – Mitigation & Containment

Command

Isolate affected hosts immediately.

Command
Terminate processes associated with PhoenixMiner or with suspicious Go binaries masquerading as nmap. A quick tell: a binary named nmap whose path the package manager does not own (dpkg -S /path/to/nmap or rpm -qf /path/to/nmap reports nothing), or one running out of /dev/shm.

Command
Inspect and purge malicious crontab entries. crontab -l lists only the invoking user's crontab; also check root's (crontab -l -u root), /etc/crontab, /etc/cron.d/ and the spool under /var/spool/cron/. Remove entries with crontab -e, drop a fully attacker-owned crontab with crontab -r -u <user>, and delete any files the bot dropped into /etc/cron.d/. Because the cron job re-launches the bot every minute, clean the crontab before killing the process, or the kill is undone within 60 seconds.
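The cron hunt from the DETECT track and the crontab purge above, as an added example that is not part of the source article: a shell function that reads crontab content from files or stdin and flags entries scheduled every minute, entries invoking anything under /dev/shm, /tmp or /var/tmp, and @reboot entries, plus a collector that lists every standard crontab location on a live host. The sample crontab is constructed; the /dev/shm path and the bootbou file name follow the artifacts listed above, everything else in it is made up.

```shell
#!/usr/bin/env bash
# Added example (not from the source article): hunt crontab entries for the
# persistence pattern described above. hunt_cron reads crontab content from
# the files given as arguments (or stdin) and prints "reason(s): entry" for
# each suspicious entry. It works for user crontabs (5 schedule fields) and
# system crontabs (/etc/crontab, /etc/cron.d, which add a user column).
hunt_cron() {
  awk '
    /^[ \t]*(#|$)/ { next }                      # comments and blank lines
    /^[ \t]*[A-Za-z_][A-Za-z0-9_]*=/ { next }    # SHELL=, PATH=, MAILTO=
    {
      reasons = ""
      if ($1 == "@reboot")
        reasons = reasons "AT_REBOOT,"            # survives the reboot a user may try
      else if ($1 ~ /^(\*|\*\/1)$/ && $2 == "*" && $3 == "*" && $4 == "*" && $5 == "*")
        reasons = reasons "EVERY_MINUTE,"         # "* * * * *" or "*/1 * * * *"
      if ($0 ~ /\/dev\/shm|\/tmp\/|\/var\/tmp\//)
        reasons = reasons "TMPDIR,"               # runs something from world-writable tmp
      if (reasons != "") {
        sub(/,$/, "", reasons)
        src = (FILENAME == "" || FILENAME == "-") ? "" : FILENAME ": "
        print src reasons ": " $0
      }
    }' "$@"
}

# Collector for a live host (run as root): every standard crontab location.
# Debian spools under /var/spool/cron/crontabs, RHEL under /var/spool/cron.
collect_crontabs() {
  for f in /etc/crontab /etc/cron.d/* /var/spool/cron/crontabs/* /var/spool/cron/*; do
    [ -f "$f" ] && printf '%s\n' "$f"
  done
}
# Live usage (not run here):  collect_crontabs | xargs -r hunt_cron

# Constructed sample: two benign entries plus three planted ones.
SAMPLE_CRONTAB='SHELL=/bin/sh
PATH=/usr/bin:/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * /dev/shm/.x/update >/dev/null 2>&1
*/1 * * * * root /bin/sh -c "cd /dev/shm && ./bootbou"
@reboot /home/user/sync.sh
0 3 * * * /usr/local/bin/backup.sh'

printf '%s\n' "$SAMPLE_CRONTAB" | hunt_cron
```

Cron is not the only scheduler worth checking during the same sweep: on systemd hosts, systemctl list-timers --all shows timer units that serve the same purpose as a crontab, and /etc/cron.hourly and friends run scripts without any crontab line pointing at them. The function above only covers the crontab syntax the page describes.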

IDENTIFY & PROTECT (PR) – Hardening

Command
Disable SSH password authentication and enforce key-based logins: PasswordAuthentication no and PubkeyAuthentication yes in sshd_config, and also KbdInteractiveAuthentication no (ChallengeResponseAuthentication no on OpenSSH older than 8.7), because PAM keyboard-interactive logins can still accept a password when only PasswordAuthentication is off. Restart sshd and confirm the effective values with sshd -T, which also resolves any Include'd files.

Command
Mount /dev/shm, /tmp and /var/tmp with the noexec flag (plus nosuid and nodev) to prevent direct execution of binaries dropped into temporary directories. Treat this as defence in depth: noexec stops ./payload but not sh /dev/shm/payload.sh run through an interpreter.
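The two hardening items above, as an added example that is not part of the source article: one shell function audits an sshd_config text for the directives that matter here, honouring sshd's first-occurrence-wins rule for repeated directives, treating ChallengeResponseAuthentication as the legacy spelling of KbdInteractiveAuthentication, and reporting Match blocks that re-enable password logins; a second reads /proc/mounts-format lines and checks whether /tmp, /dev/shm and /var/tmp are separate mounts carrying noexec. The sample configs and the mount table are constructed; the Include path mirrors the Debian/Ubuntu layout but is not taken from any real host.

```shell
#!/usr/bin/env bash
# Added example (not from the source article): audit the SSH and tmp-mount
# hardening from the PROTECT track against constructed sample inputs.

# audit_sshd_config reads sshd_config text on stdin, prints one line per
# directive ("Name=value OK|WEAK") plus any Match block that re-enables
# password logins, and returns 1 if anything is WEAK. Files pulled in by an
# Include line are not read here; `sshd -T` shows the fully resolved config.
audit_sshd_config() {
  awk -F '[ \t=]+' '
    function check(name, key, ok_pattern,   val, status) {
      val = (key in eff) ? eff[key] : def[key]
      status = (val ~ ok_pattern) ? "OK" : "WEAK"
      if (status == "WEAK") weak++
      printf "%s=%s %s\n", name, val, status
    }
    BEGIN {                      # OpenSSH defaults when a directive is absent
      def["passwordauthentication"]       = "yes"
      def["kbdinteractiveauthentication"] = "yes"
      def["pubkeyauthentication"]         = "yes"
      def["permitrootlogin"]              = "prohibit-password"
    }
    { sub(/^[ \t]+/, "") }       # Match bodies are conventionally indented
    /^(#|$)/ { next }
    {
      key = tolower($1); val = tolower($2)
      if (key == "challengeresponseauthentication")   # legacy name before 8.7
        key = "kbdinteractiveauthentication"
      if (key == "match") { inmatch = 1; next }
      if (inmatch) {             # conditional section: flag only re-enabling
        if ((key == "passwordauthentication" || key == "kbdinteractiveauthentication") && val == "yes") {
          printf "Match block re-enables %s WEAK\n", $1; weak++
        }
        next
      }
      if (key == "include") printf "Include %s (not read here) NOTE\n", $2
      if (!(key in eff)) eff[key] = val   # first occurrence wins in sshd_config
    }
    END {
      check("PasswordAuthentication",       "passwordauthentication",       "^no$")
      check("KbdInteractiveAuthentication", "kbdinteractiveauthentication", "^no$")
      check("PubkeyAuthentication",         "pubkeyauthentication",         "^yes$")
      check("PermitRootLogin",              "permitrootlogin",              "^(no|prohibit-password)$")
      if (weak > 0) exit 1
    }'
}

# check_noexec reads /proc/mounts-format lines on stdin and reports whether
# each temp filesystem is a separate mount carrying the noexec option.
check_noexec() {
  awk -v want="/tmp /dev/shm /var/tmp" '
    { opts[$2] = $4 }          # fields: device mountpoint fstype options dump pass
    END {
      n = split(want, mp, " ")
      for (i = 1; i <= n; i++) {
        p = mp[i]
        if (!(p in opts))                        print p " NOT_SEPARATE_MOUNT"
        else if (("," opts[p] ",") ~ /,noexec,/) print p " noexec OK"
        else                                     print p " MISSING_NOEXEC"
      }
    }'
}

# Constructed sample configs. The weak one mirrors a common distro layout:
# the Include comes first, so a sshd_config.d drop-in is parsed before the
# directives below it, and the first PasswordAuthentication line wins.
SAMPLE_SSHD_WEAK='Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no'

SAMPLE_SSHD_MATCH='PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
Match User backup
    PasswordAuthentication yes'

# Constructed /proc/mounts excerpt: /tmp hardened, /dev/shm not, /var/tmp on /.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0'

printf '%s\n' "$SAMPLE_SSHD_WEAK"  | audit_sshd_config || echo "-> weak: fix before exposing sshd"
printf '%s\n' "$SAMPLE_SSHD_MATCH" | audit_sshd_config || echo "-> weak: Match block undoes the hardening"
printf '%s\n' "$SAMPLE_MOUNTS" | check_noexec
```

To apply the fixes on a live host: edit the directives, restart sshd, and re-check with sshd -T | grep -iE 'passwordauthentication|kbdinteractiveauthentication|permitrootlogin', which prints the values sshd actually uses after every Include is resolved. For the mounts, mount -o remount,noexec,nosuid,nodev /dev/shm takes effect immediately, and a line such as tmpfs /dev/shm tmpfs defaults,nosuid,nodev,noexec 0 0 in /etc/fstab makes it survive a reboot.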

Remediation - THE HOME USER TRACK (Safety Focus)

Priority 1: Safety

Command

If you run a home Linux server (e.g., Raspberry Pi, NAS) exposed to the internet, disconnect it immediately if you suspect infection (high fan usage/sluggishness).

Priority 2: Identity & Access

Command

Disable port forwarding for port 22 (SSH) on your home router. Use a VPN (like Tailscale or WireGuard) if remote access is required.

Command
Change the default password for the root or admin user on all Linux appliances.

Priority 3: Persistence Removal

Command
Check scheduled tasks. Open a terminal and run crontab -l, then sudo crontab -l for root. Look for unfamiliar entries scheduled as * * * * * (every minute) or pointing at files under /dev/shm; nothing legitimate on a home NAS usually needs to run every minute.

Command
Reboot the device. While this may not remove the persistence (due to cron), it stops the active miner temporarily. Follow up with a factory reset if you cannot manually clean the filesystem.

Hardening & References

Baseline

CIS Distribution Independent Linux Benchmark.

Constraint
This botnet relies on the victim having a very old kernel or weak SSH passwords. A modern, patched system with key-only SSH is not exposed to either vector described: the brute force never succeeds, and the 2009-2010 kernel exploits have nothing to hit.

Source

Primary Intelligence (Root Analysis)

BleepingComputer