Heimdal

A new campaign is deploying variants of the ShellBot malware, specifically targeting poorly maintained Linux SSH servers.

It seems the threat actors use scanner malware to find systems that have SSH port 22 open and proceed to install ShellBot on the servers that have weak credentials.

ShellBot, also known as PerlBot, is a DDoS Bot malware developed in Perl and characteristically uses IRC protocol to communicate with the C&C server. ShellBot is an old malware that has been in steady use and is still being used today to launch attacks against Linux systems.

Source

Using a list of known SSH credentials, the threat actors initiate a dictionary attack to break into the server and install the payload.

After that, the Internet Relay Chat (IRC) protocol is used to communicate with a remote server. This includes receiving commands that enable ShellBot to launch DDoS attacks and exfiltrate collected data.
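One way a defender can spot the pattern just described (a run of failed SSH password logins followed by an accepted password from the same address) in sshd logs, as an added example that is not part of the original article or the ASEC report; the log lines, host names and addresses are constructed:

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not taken from the article or the ASEC report).
SAMPLE_AUTH_LOG = """\
Mar 20 03:12:01 web1 sshd[4120]: Failed password for root from 203.0.113.45 port 51022 ssh2
Mar 20 03:12:03 web1 sshd[4121]: Failed password for root from 203.0.113.45 port 51024 ssh2
Mar 20 03:12:04 web1 sshd[4122]: Failed password for invalid user admin from 203.0.113.45 port 51026 ssh2
Mar 20 03:12:06 web1 sshd[4123]: Failed password for root from 203.0.113.45 port 51028 ssh2
Mar 20 03:12:07 web1 sshd[4124]: Failed password for root from 203.0.113.45 port 51030 ssh2
Mar 20 03:12:09 web1 sshd[4125]: Accepted password for root from 203.0.113.45 port 51032 ssh2
Mar 20 03:15:40 web1 sshd[4130]: Accepted publickey for deploy from 198.51.100.7 port 40112 ssh2
Mar 20 03:16:02 web1 sshd[4131]: Failed password for deploy from 198.51.100.7 port 40114 ssh2
"""

# Matches only password-based outcomes; "invalid user" lines are folded in,
# since dictionary attacks also guess usernames that do not exist.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def find_dictionary_logins(log_text, threshold=5):
    """Return (ip, user, failures) for every accepted password login that was
    preceded by at least `threshold` failed password attempts from the same
    source address. Key-based logins never match LINE_RE and are ignored,
    because a dictionary attack only succeeds against password authentication."""
    failures = defaultdict(int)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ip = m.group("ip")
        if m.group("result") == "Failed":
            failures[ip] += 1
        elif failures[ip] >= threshold:
            hits.append((ip, m.group("user"), failures[ip]))
    return hits


if __name__ == "__main__":
    for ip, user, count in find_dictionary_logins(SAMPLE_AUTH_LOG):
        print(f"possible dictionary login: {user}@{ip} after {count} failures")
```

A hit on a server that still accepts passwords is a cue to review the account and to move to key-only authentication (PasswordAuthentication no in sshd_config), which removes the weak-credential foothold the article describes.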

Three Variants of ShellBot

ASEC reported finding three distinct variants of ShellBot: LiGhT’s Modded perlbot v2, DDoS PBot v2.0, and PowerBots (C) GohacK. The first two of these offer a wide range of DDoS attack commands through the HTTP, TCP, and UDP protocols.

Meanwhile, PowerBots has other backdoor-like features, such as the ability to upload arbitrary files from the compromised host and provide reverse shell access, explains The Hacker News.

If ShellBot is installed, Linux servers can be used as DDoS Bots for DDoS attacks against specific targets after receiving a command from the threat actor. (…) Moreover, the threat actor could use various other backdoor features to install additional malware or launch different types of attacks from the compromised server.

Source

The discovery comes three months after ShellBot was used in Linux server attacks that also spread cryptocurrency miners using a shell script compiler.

The full analysis published by AhnLab Security Emergency response Center (ASEC) is available here.


Author Profile

Madalina Popovici

Digital PR Specialist


Madalina, a seasoned digital content creator at Heimdal®, blends her passion for cybersecurity with an 8-year background in PR & CSR consultancy. Skilled in making complex cyber topics accessible, she bridges the gap between cyber experts and the wider audience with finesse.
