The ShellBot malware targets mismanaged Linux servers

March 31, 2023

Hackers have been using the newly discovered ShellBot malware variants to target poorly managed Linux SSH servers.

ShellBot (aka PerlBot) is distributed denial-of-service malware written in Perl that uses the IRC protocol to communicate with its command-and-control server. Threat groups install ShellBot on servers with weak credentials, but only after they have used scanner malware to identify systems with SSH port 22 open.

The attackers then use a list of known SSH credentials in a dictionary attack to break into the targeted server and launch the payload. Once running, the payload connects to its remote server over Internet Relay Chat (IRC).

Over this channel ShellBot receives commands, which is what enables it to run distributed denial-of-service attacks and exfiltrate harvested data.
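Detection logic for the SSH dictionary stage described above, as an added example that is not taken from the article or the researchers' report: it parses OpenSSH auth-log lines (the sample input is constructed), flags sources that exceed a failed-password threshold, and separately flags the case the attack chain depends on, a password login succeeding from a source that had already been failing.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH/syslog format (not from the original article).
SAMPLE_AUTH_LOG = """\
Mar 31 02:14:01 web1 sshd[2101]: Failed password for root from 203.0.113.45 port 51022 ssh2
Mar 31 02:14:03 web1 sshd[2103]: Failed password for root from 203.0.113.45 port 51030 ssh2
Mar 31 02:14:05 web1 sshd[2105]: Failed password for invalid user admin from 203.0.113.45 port 51041 ssh2
Mar 31 02:14:07 web1 sshd[2107]: Failed password for invalid user test from 203.0.113.45 port 51052 ssh2
Mar 31 02:14:09 web1 sshd[2109]: Failed password for root from 203.0.113.45 port 51060 ssh2
Mar 31 02:14:11 web1 sshd[2111]: Accepted password for root from 203.0.113.45 port 51071 ssh2
Mar 31 02:20:44 web1 sshd[2150]: Accepted publickey for deploy from 198.51.100.7 port 40112 ssh2
Mar 31 02:21:02 web1 sshd[2152]: Failed password for deploy from 198.51.100.7 port 40120 ssh2
"""

# "invalid user" appears when the account does not exist; both forms count as a failure.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+)"
)


def analyse_auth_log(text, threshold=5):
    """Return two findings:
    'brute_force': source IPs with at least `threshold` failed password attempts,
    'success_after_failures': (ip, user, prior_failures) where a *password* login
    succeeded from a source that had already failed (weak credential guessed)."""
    failures = defaultdict(int)
    usernames = defaultdict(set)
    success_after_failures = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]] += 1
            usernames[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        # Key-based logins are ignored: the dictionary attack only guesses passwords.
        if m and m["method"] == "password" and failures[m["ip"]] > 0:
            success_after_failures.append((m["ip"], m["user"], failures[m["ip"]]))
    brute_force = {ip: {"attempts": n, "usernames": sorted(usernames[ip])}
                   for ip, n in failures.items() if n >= threshold}
    return {"brute_force": brute_force,
            "success_after_failures": success_after_failures}


if __name__ == "__main__":
    print(analyse_auth_log(SAMPLE_AUTH_LOG))
```

The threshold is deliberately low for the sample; on a real server, tune it and correlate with the source's failure rate over a time window rather than a raw count.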


Researchers spotted three ShellBot malware variants that have been infecting numerous targets recently.


According to an investigation, there are three ShellBot malware versions, two of which could execute various DDoS attack protocols. The confirmed malware strains are DDoS PBot v2.0, LiGhT’s Modded perlbot v2, and PowerBots (C) GohacK.

The first two variants can execute DDoS attack commands over the TCP, UDP, and HTTP protocols. The third variant, by contrast, includes more backdoor-like features that give its operators reverse-shell access and let them upload arbitrary archives from the infected host.

The researchers found these details a couple of months ago, after the threat actors had employed ShellBot to attack Linux servers. Furthermore, the scope of the attacks has also reached the cryptocurrency landscape, as the actors used a shell script compiler.

Reports explained that once the threat actors install ShellBot, they can use the Linux servers as bots for DDoS campaigns against specific targets. The threat actors could also use the backdoor features to install more malware strains or launch different campaigns from the infected server.

The number of malware operators gradually increased after Microsoft revealed that many hackers had targeted the healthcare organisations that run on Azure.

Cybersecurity experts believe that more hackers will try to abuse the newly emerged malware strains to execute their own DDoS attacks.
