New ShellBot DDoS Malware Targeting Poorly Managed Linux Servers



Mar 21, 2023
Ravie Lakshmanan
Linux / Server Security

Poorly managed Linux SSH servers are being targeted as part of a new campaign that deploys different variants of a malware called ShellBot.

“ShellBot, also known as PerlBot, is a DDoS Bot malware developed in Perl and characteristically uses IRC protocol to communicate with the C&C server,” AhnLab Security Emergency response Center (ASEC) said in a report.

ShellBot is installed on servers that have weak credentials, but only after threat actors make use of scanner malware to identify systems that have SSH port 22 open.

A list of known SSH credentials is used to initiate a dictionary attack to breach the server and deploy the payload, after which it uses the Internet Relay Chat (IRC) protocol to communicate with a remote server.

This encompasses the ability to receive commands that allow ShellBot to carry out DDoS attacks and exfiltrate harvested information.
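The initial access step described above (a password dictionary attack against SSH followed by a successful login from the same source) leaves a recognisable trace in sshd's auth log. The following detection logic is an added example written for this article, not code from ASEC or from the malware; the log lines, host name and IP addresses (documentation ranges) are constructed, and the threshold and window are assumed values a defender would tune.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines; 203.0.113.7 plays the brute-forcing host, 198.51.100.9 a normal admin.
SAMPLE_LOG = """\
Mar 21 10:00:01 web1 sshd[1201]: Failed password for root from 203.0.113.7 port 51111 ssh2
Mar 21 10:00:02 web1 sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51112 ssh2
Mar 21 10:00:03 web1 sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 51113 ssh2
Mar 21 10:00:04 web1 sshd[1204]: Failed password for root from 203.0.113.7 port 51114 ssh2
Mar 21 10:00:05 web1 sshd[1205]: Failed password for invalid user oracle from 203.0.113.7 port 51115 ssh2
Mar 21 10:00:06 web1 sshd[1206]: Accepted password for root from 203.0.113.7 port 51116 ssh2
Mar 21 10:05:00 web1 sshd[1300]: Failed password for deploy from 198.51.100.9 port 40000 ssh2
Mar 21 10:05:30 web1 sshd[1301]: Accepted publickey for deploy from 198.51.100.9 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_sshd(text, year=2023):
    """Yield (timestamp, result, method, user, ip) for each sshd auth event."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["method"], m["user"], m["ip"]

def find_dictionary_attacks(text, threshold=5, window_s=60):
    """Map each source IP with >= threshold failed passwords inside window_s seconds to its
    failure count, the usernames tried, and any password login that succeeded after the burst."""
    by_ip = defaultdict(list)
    for ev in parse_sshd(text):
        by_ip[ev[4]].append(ev)
    hits = {}
    for ip, evs in by_ip.items():
        fails = [(ts, user) for ts, res, meth, user, _ in evs
                 if res == "Failed" and meth == "password"]
        for i, (start, _) in enumerate(fails):
            burst = [f for f in fails[i:] if (f[0] - start).total_seconds() <= window_s]
            if len(burst) < threshold:
                continue
            # A password login from the same IP after the burst means the dictionary attack worked.
            success = next((user for ts, res, meth, user, _ in evs
                            if res == "Accepted" and meth == "password" and ts >= burst[-1][0]), None)
            hits[ip] = {"failures": len(burst), "users": sorted({u for _, u in burst}),
                        "compromised": success}
            break
    return hits
```

A hit with a non-empty `compromised` field is the case worth paging on: the host should be treated as a likely ShellBot installation candidate and its outbound IRC-style connections inspected.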

ASEC said it identified three different ShellBot versions: LiGhT’s Modded perlbot v2, DDoS PBot v2.0, and PowerBots (C) GohacK. The first two offer a variety of DDoS attack commands using HTTP, TCP, and UDP protocols.

PowerBots, on the other hand, comes with more backdoor-like capabilities to grant reverse shell access and upload arbitrary files from the compromised host.

The findings come nearly three months after ShellBot was employed in attacks aimed at Linux servers that also distributed cryptocurrency miners via a shell script compiler.


“If ShellBot is installed, Linux servers can be used as DDoS Bots for DDoS attacks against specific targets after receiving a command from the threat actor,” ASEC said. “Moreover, the threat actor could use various other backdoor features to install additional malware or launch different types of attacks from the compromised server.”

The development also comes as Microsoft revealed a gradual increase in the number of DDoS attacks targeting healthcare organizations hosted in Azure, surging from 10-20 attacks in November 2022 to 40-60 attacks daily in February 2023.
