New ShellBot DDoS Malware Variants Targeting Poorly Managed Linux Servers

March 21, 2023 | Ravie Lakshmanan | Linux / Server Security


Poorly managed Linux SSH servers have been targeted as part of a new campaign deploying various variants of a malware called ShellBot.

“ShellBot, also known as PerlBot, is a DDoS bot malware developed in Perl that is characterized by using the IRC protocol to communicate with C&C servers,” said the AhnLab Security Emergency Response Center (ASEC) in a report.

ShellBot is installed on servers that have weak credentials, but only after the attackers use scanner malware to identify systems with SSH port 22 open.

The scanner then launches a dictionary attack using a list of known SSH credentials to break into the servers and deploy the payload. Once installed, ShellBot uses the Internet Relay Chat (IRC) protocol to communicate with its remote command-and-control server.
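The dictionary-attack stage described above leaves a distinctive trail in sshd logs: many failed password attempts from one source, spread across common usernames, and, on a poorly managed server, a password login that finally succeeds. The following detector is an added example written for this page, not code from ASEC or from the report; the log lines are constructed in the default OpenSSH syslog format, and the threshold of five failures is an arbitrary assumption to tune per environment.

```python
import re
from collections import defaultdict

# Constructed sample of OpenSSH auth log lines (not taken from the ASEC report).
# 203.0.113.5 cycles through common usernames and then a password login succeeds;
# 198.51.100.7 is a legitimate user who mistypes once and then logs in with a key.
SAMPLE_AUTH_LOG = """\
Mar 21 10:00:01 srv sshd[1201]: Failed password for root from 203.0.113.5 port 40122 ssh2
Mar 21 10:00:02 srv sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
Mar 21 10:00:03 srv sshd[1205]: Failed password for invalid user oracle from 203.0.113.5 port 40141 ssh2
Mar 21 10:00:04 srv sshd[1207]: Failed password for invalid user test from 203.0.113.5 port 40152 ssh2
Mar 21 10:00:05 srv sshd[1209]: Failed password for root from 203.0.113.5 port 40160 ssh2
Mar 21 10:00:06 srv sshd[1211]: Accepted password for root from 203.0.113.5 port 40171 ssh2
Mar 21 10:05:00 srv sshd[1300]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Mar 21 10:05:09 srv sshd[1302]: Accepted publickey for alice from 198.51.100.7 port 51004 ssh2
"""

# Matches both "Failed/Accepted password" and "Accepted publickey" lines;
# "invalid user" is emitted by sshd when the username does not exist locally.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_auth_log(text):
    """Extract result/method/user/ip from sshd lines; unrelated lines are ignored."""
    return [m.groupdict() for m in (AUTH_RE.search(l) for l in text.splitlines()) if m]


def find_dictionary_attacks(events, min_failures=5):
    """Group events by source IP and flag sources with >= min_failures failed logins.

    A password login accepted from a source that was already failing is the
    "weak credential found" case and is reported as likely_compromise.
    """
    per_ip = defaultdict(lambda: {"failures": 0, "users": set(), "accepted": []})
    for e in events:
        src = per_ip[e["ip"]]
        if e["result"] == "Failed":
            src["failures"] += 1
            src["users"].add(e["user"])
        elif e["method"] == "password" and src["failures"] > 0:
            src["accepted"].append(e["user"])
    return {
        ip: {
            "failures": src["failures"],
            "usernames_tried": sorted(src["users"]),
            "accepted_after_failures": src["accepted"],
            "likely_compromise": bool(src["accepted"]),
        }
        for ip, src in per_ip.items()
        if src["failures"] >= min_failures
    }


if __name__ == "__main__":
    for ip, info in find_dictionary_attacks(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(ip, info)
```

Run against a real /var/log/auth.log (or `journalctl -u ssh`) the same logic surfaces the scanner's source address; the `usernames_tried` list is what distinguishes a credential-list sweep from a single user who forgot a password. The accepted-after-failures check is the one to alert on immediately, since it means the payload deployment step has probably already happened.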

This includes the ability to receive commands that allow ShellBot to carry out DDoS attacks and exfiltrate collected information.

ASEC said it identified three different ShellBot versions: LiGhT’s Modded perlbot v2, DDoS PBot v2.0, and PowerBots (C) GohacK. The first two provide various DDoS attack commands using HTTP, TCP, and UDP protocols.

PowerBot, on the other hand, comes with backdoor-like features that allow reverse shell access and the upload of arbitrary files from a compromised host.
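All three variants share the IRC command channel described above, and a Perl interpreter on a server that registers with an IRC network (NICK and USER) and then joins a channel is the network-side indicator, whatever destination port the C&C uses. The following is an added example written for this page, not ShellBot's own code or anything from the ASEC report: it parses the RFC 1459 line format and flags streams where an interpreter process behaves as an IRC client. The stream records (process name, port, client bytes) are constructed, and the list of interpreter names is an assumption to adapt to the host.

```python
import re

# RFC 1459 line: [":" prefix SP] command [SP params] [SP ":" trailing]
IRC_LINE_RE = re.compile(
    r"^(?::(?P<prefix>\S+) )?"
    r"(?P<cmd>[A-Za-z]+|\d{3})"
    r"(?P<params>(?: [^:\s]\S*)*)"
    r"(?: :(?P<trailing>.*))?$"
)

# Assumed set of interpreters that should not be speaking IRC on a server.
INTERPRETERS = {"perl", "python", "python3", "sh", "bash"}


def parse_irc_line(line):
    """Parse one IRC protocol line; return None if it does not fit the grammar."""
    m = IRC_LINE_RE.match(line)
    if not m:
        return None
    return {
        "prefix": m.group("prefix"),
        "cmd": m.group("cmd").upper(),
        "params": m.group("params").split(),
        "trailing": m.group("trailing"),
    }


def _first_arg(msg):
    """The first argument may be a normal param or the trailing part (e.g. 'NICK :name')."""
    return msg["params"][0] if msg["params"] else msg["trailing"]


def irc_client_indicators(client_bytes):
    """Summarise the client->server half of a TCP stream.

    A bot must register (NICK + USER) and then JOIN a channel before it can
    receive commands, so those verbs are the indicator regardless of port.
    """
    ind = {"nick": None, "user": None, "channels": [], "is_irc_client": False}
    for raw in client_bytes.decode("utf-8", "replace").splitlines():
        msg = parse_irc_line(raw) if raw else None
        if msg is None:
            continue  # non-IRC lines (e.g. HTTP headers) simply do not count
        arg = _first_arg(msg)
        if msg["cmd"] == "NICK" and arg:
            ind["nick"] = arg
        elif msg["cmd"] == "USER" and arg:
            ind["user"] = arg
        elif msg["cmd"] == "JOIN" and arg:
            ind["channels"].extend(arg.split(","))
    ind["is_irc_client"] = ind["nick"] is not None and ind["user"] is not None
    return ind


def flag_bot_streams(streams):
    """Return the streams where an interpreter process registers as an IRC client."""
    hits = []
    for s in streams:
        ind = irc_client_indicators(s["client_bytes"])
        if ind["is_irc_client"] and s["process"] in INTERPRETERS:
            hits.append({"process": s["process"], "dst_port": s["dst_port"], **ind})
    return hits


# Constructed stream records, as a flow collector with process attribution might
# provide them; nicknames and channels are invented for the example.
SAMPLE_STREAMS = [
    {"process": "perl", "dst_port": 6667,
     "client_bytes": b"NICK [x]srv01\r\nUSER srv01 8 * :srv01\r\nJOIN #ops\r\n"},
    {"process": "perl", "dst_port": 443,
     "client_bytes": b"NICK :[x]srv02\r\nUSER srv02 8 * :srv02\r\nJOIN #ops,#ddos\r\n"},
    {"process": "curl", "dst_port": 80,
     "client_bytes": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"},
    {"process": "irssi", "dst_port": 6697,
     "client_bytes": b"NICK alice\r\nUSER alice 0 * :Alice\r\n"},
]

if __name__ == "__main__":
    for hit in flag_bot_streams(SAMPLE_STREAMS):
        print(hit)
```

The second sample stream goes to port 443, which is why the check keys on the protocol handshake rather than on the well-known IRC ports; the last stream is a real IRC client and is left alone because the process filter, not the protocol match, is what separates a bot from a chat client. The `PRIVMSG` lines that would carry the actual DDoS or shell commands are parsed by the same function, but their syntax is variant-specific and is not modelled here.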

The findings come nearly three months after ShellBot was used in attacks on Linux servers that also distributed cryptocurrency miners via a shell script compiler.


“With ShellBot installed, Linux servers can be used as DDoS bots for DDoS attacks against specific targets after receiving commands from threat actors,” said ASEC. “Additionally, attackers may use various other backdoor capabilities to install additional malware or launch various types of attacks from compromised servers.”

The development also comes as Microsoft disclosed that the number of DDoS attacks targeting healthcare organizations hosted on Azure has gradually increased, jumping from 10-20 in November 2022 to 40-60 per day in February 2023.
