Nebulae
⚠️ Overview
Nebulae is a Linux botnet and cryptocurrency miner first documented by Cado Security in December 2022 and attributed to an otherwise unaffiliated threat actor that operates a pay-per-install service under the name "Nebulae Team." It targets cloud and IoT hosts and monetises compromised systems by mining Monero on them.
🔧 Technical Capabilities
Nebulae gains initial access by brute-forcing SSH credentials and by exploiting unpatched software, notably CVE-2022-26134 (an OGNL injection in Atlassian Confluence Server and Data Center that gives unauthenticated remote code execution). CVE-2021-4034 (PwnKit, in Polkit's pkexec) is a local privilege-escalation flaw rather than a remote entry point; the operators use it after landing on a host to obtain root. Persistence is established through cron jobs and systemd service units. Command and control is IRC-based: the bot connects to its C2 servers on TCP port 6667, which is the standard plaintext IRC port (IRC over TLS conventionally uses 6697), with the session reportedly wrapped in TLS. The miner is a modified XMRig that masquerades as a kernel worker thread by renaming its process to a name such as "kworker". Evasion includes disabling SELinux and AppArmor and killing competing miners. The initial HTTP check-in sends the hardcoded User-Agent "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101"; unlike a genuine Firefox User-Agent it carries no "rv:" or "Firefox/" token, which makes an exact-match signature practical.
📜 History & Notable Incidents
The first known campaign ran in November 2022 against unauthenticated Docker API endpoints and exposed Kubernetes clusters, as reported by CrowdStrike in January 2023. In March 2023 a larger wave compromised more than 2,000 cloud instances across AWS, GCP and Azure, mostly in the technology and education sectors. No law-enforcement action has been publicly attributed. As malware rather than a software flaw, Nebulae has no CVE of its own; it exploits the CVEs listed above.
🔍 Detection Indicators
Published file hashes are SHA256 f3a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f (miner binary) and e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3 (other samples). Note that both strings as reproduced here are shorter than the 64 hexadecimal characters of a SHA-256 digest, so they cannot be matched as-is and should be treated as unverified until checked against the original reporting. Behavioral indicators: sustained high CPU usage (reported on cores 0-3), outbound connections to IRC servers on TCP port 6667, and the marker string "NEBULAE_MUTEX_2022" (labelled a mutex in the source; Linux has no Windows-style named mutex objects, so search for the string in files and process memory rather than for a mutex object). There are no registry keys on Linux; the malware instead stages files under /var/tmp/.systemd-private-* (legitimate systemd PrivateTmp directories are named systemd-private-* without the leading dot). Network indicators: the C2 domain nebulae.ircd.io (reported sinkholed) and the range 185.165.29.0/24.
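The host-side indicators above can be checked with a short triage script. The following is an added example written for this page, not Boteraser's tooling or anything published by the vendors cited; it assumes the /proc layout of a standard Linux kernel and takes the IRC ports, staging path and C2 range from the text as published without verifying them. The /proc/net/tcp sample embedded in it is constructed for the example.

```python
"""Triage a Linux host for the Nebulae indicators on this page (added example)."""
import glob
import ipaddress
import os
import socket

IRC_PORTS = {6667, 6697}                               # plaintext IRC and conventional IRC-over-TLS
C2_RANGE = ipaddress.ip_network("185.165.29.0/24")     # range quoted on this page (assumed, unverified)
STAGING_GLOB = "/var/tmp/.systemd-private-*"           # leading dot distinguishes it from real PrivateTmp dirs
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "0A": "LISTEN"}


def _hex_addr(field):
    """Decode an 'AABBCCDD:PPPP' entry from /proc/net/tcp (IPv4 stored little-endian)."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(bytes.fromhex(ip_hex)[::-1])
    return ip, int(port_hex, 16)


def irc_connections(proc_net_tcp, ports=IRC_PORTS):
    """Return TCP sockets whose remote port is an IRC port, with C2-range flag."""
    hits = []
    for line in proc_net_tcp.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] == "sl":      # skip blank lines and the header row
            continue
        local_ip, local_port = _hex_addr(fields[1])
        remote_ip, remote_port = _hex_addr(fields[2])
        if remote_port in ports:
            hits.append({
                "local": f"{local_ip}:{local_port}",
                "remote": f"{remote_ip}:{remote_port}",
                "state": TCP_STATES.get(fields[3], fields[3]),
                "in_c2_range": ipaddress.ip_address(remote_ip) in C2_RANGE,
            })
    return hits


def suspicious_kworker(comm, cmdline, exe):
    """Genuine kworker threads are kernel threads: empty cmdline and no /proc/PID/exe.
    A process called kworker that has argv or an executable is masquerading."""
    return comm.startswith("kworker") and (bool(cmdline) or exe is not None)


def scan_processes():
    """Walk /proc and report masquerading kworker processes as (pid, comm, cmdline, exe)."""
    findings = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            try:
                exe = os.readlink(f"/proc/{pid}/exe")
            except OSError:                            # kernel thread (ENOENT) or no permission
                exe = None
        except OSError:                                # process exited while scanning
            continue
        if suspicious_kworker(comm, cmdline, exe):
            findings.append((int(pid), comm, cmdline, exe))
    return findings


def staging_dirs():
    """Directories matching the staging path reported for the malware."""
    return sorted(glob.glob(STAGING_GLOB))


# Constructed /proc/net/tcp excerpt: a local SSH listener, an ESTABLISHED session from
# 192.168.0.30:45782 to 185.165.29.10:6667, and an ordinary HTTPS session to 172.217.187.94:443.
SAMPLE_PROC_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 21345 1\n"
    "   1: 1E00A8C0:B2D6 0A1DA5B9:1A0B 01 00000000:00000000 00:00000000 00000000  1000        0 88213 1\n"
    "   2: 1E00A8C0:A1F4 5EBBD9AC:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 88299 1\n"
)

if __name__ == "__main__":
    print("sample:", irc_connections(SAMPLE_PROC_NET_TCP))
    with open("/proc/net/tcp") as f:
        print("live IRC sockets:", irc_connections(f.read()))
    print("masquerading kworkers:", scan_processes())
    print("staging dirs:", staging_dirs())
```

Run it as root so /proc/PID/exe is readable for every process; without that, a masquerading process is still caught through its non-empty cmdline. The socket check only sees the ports the page reports, so pair it with a network-side rule that recognises IRC on any port.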
☠️ Risk & Impact
Nebulae's main impact is resource theft: Monero mining saturates CPU, inflates cloud compute bills and can make hosts unstable or crash. Affected sectors include technology, education and cloud service providers. A 2023 Intezer report estimates losses from cloud compute overruns in the millions of dollars.
🛡️ Mitigation
Patch Confluence against CVE-2022-26134 and polkit against CVE-2021-4034, disable SSH password authentication in favour of key-based login (and rate-limit repeated failed logins), and never expose the Docker API or the Kubernetes API server without authentication. On the network, alert on IRC traffic to 6667/6697 and on IRC protocol traffic seen on any other port, on connections into 185.165.29.0/24, and on the User-Agent string quoted above. On hosts, an EDR such as SentinelOne or CrowdStrike Falcon can block known miner binaries and flag processes named "kworker" that have a userland executable, new cron or systemd persistence, and SELinux or AppArmor being disabled.
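A port-based IRC rule misses a bot that is pointed at a non-standard port, so a network detection should recognise the protocol itself. The following is an added example for this page, not a signature from Boteraser or any vendor; it assumes the IRC registration sequence of RFC 2812 (NICK/USER commands, numeric server replies) and the User-Agent string quoted above, and the flows it classifies are constructed for the example.

```python
"""Port-agnostic IRC detection plus the Nebulae check-in User-Agent (added example)."""
import re

# User-Agent quoted on this page.  A real Firefox UA carries "rv:NN.0" and a
# "Firefox/NN.0" product token after the Gecko date; this one has neither.
NEBULAE_UA = b"Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101"
STANDARD_IRC_PORTS = {6667, 6697}

# Client commands at line start ("NICK bot1\r\n") and server lines such as
# ":irc.example 001 bot1 :Welcome" or ":irc.example PING ...".
IRC_CLIENT_LINE = re.compile(rb"^(?:PASS|NICK|USER|JOIN|PRIVMSG|NOTICE|PING|PONG|MODE) \S", re.M)
IRC_SERVER_LINE = re.compile(rb"^:\S+ (?:\d{3}|PRIVMSG|NOTICE|PING|JOIN) ", re.M)


def irc_line_count(payload: bytes) -> int:
    """Number of lines in a reassembled TCP payload that look like IRC protocol lines."""
    return len(IRC_CLIENT_LINE.findall(payload)) + len(IRC_SERVER_LINE.findall(payload))


def http_user_agent(payload: bytes):
    """Extract the User-Agent header from an HTTP request, or None if absent."""
    m = re.search(rb"^User-Agent:[ \t]*(.*?)\r?$", payload, re.M | re.I)
    return m.group(1).strip() if m else None


def classify_flow(dst_port: int, payload: bytes, min_lines: int = 2) -> dict:
    """Flag IRC (on any port), IRC on a non-standard port, and the Nebulae check-in UA.
    min_lines=2 requires at least NICK+USER so a lone PING-looking line does not alert."""
    is_irc = irc_line_count(payload) >= min_lines
    return {
        "irc": is_irc,
        "irc_nonstandard_port": is_irc and dst_port not in STANDARD_IRC_PORTS,
        "nebulae_user_agent": http_user_agent(payload) == NEBULAE_UA,
    }


# Constructed flows for demonstration (not captured traffic).
BOT_REGISTRATION = b"NICK x86_64-1337\r\nUSER nebulae 8 * :nebulae\r\nJOIN #miners\r\n"
SERVER_WELCOME = b":irc.example.net 001 x86_64-1337 :Welcome\r\nPING :irc.example.net\r\n"
HTTP_CHECKIN = (b"GET /check HTTP/1.1\r\nHost: 185.165.29.10\r\n"
                b"User-Agent: Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101\r\n\r\n")
BROWSER_GET = (b"GET / HTTP/1.1\r\nHost: example.org\r\n"
               b"User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0\r\n\r\n")

if __name__ == "__main__":
    for port, flow in [(6667, BOT_REGISTRATION), (8080, BOT_REGISTRATION),
                       (6667, SERVER_WELCOME), (80, HTTP_CHECKIN), (80, BROWSER_GET)]:
        print(port, classify_flow(port, flow))
```

Payload matching only works on cleartext; if the C2 session is wrapped in TLS as the page reports, the detector sees nothing and you are back to destination-based rules (port 6667/6697, the 185.165.29.0/24 range) and host triage. Feed it reassembled client-to-server data, not single packets, so that NICK and USER land in the same buffer.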
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.