ShellBot DDoS Malware Targeting Poorly Managed Linux SSH Servers

ShellBot DDoS Malware Targets Linux SSH Servers

As per a report from AhnLab Security Emergency Response Center (ASEC), poorly managed Linux SSH servers are becoming the targets of a new campaign in which different variants of ShellBot malware are being deployed.

What is meant by Poorly Managed Servers?

Poorly managed services refer to weak account credentials, which make the server vulnerable to dictionary attacks. Services such as MS-SQL and RDP (remote desktop protocol) are often targeted.

In Linux servers, SSH (secure shell) services are the primary targets. In IoT environments, dictionary attacks are targeted against the Telnet service installed on an embedded Linux OS or an old Linux server.

What is ShellBot?

ShellBot, also known as PerIBot, is an old DDoS bot malware developed in Perl. The malware typically uses Internet Relay Chat/IRC protocol to establish communication with its C2 server.

Currently, the malware is being used to launch attacks against insecure Linux systems, targeting servers with weak credentials. It is deployed on a system after attackers use scanner malware to determine whether the system has SSH port 22 open.

Attack Details

ASEC researchers noted that ShellBot was used in attacks targeting Linux servers that were distributing cryptocurrency miners through a shell script compiler.

“If ShellBot is installed, Linux servers can be used as DDoS Bots for DDoS attacks against specific targets after receiving a command from the threat actor,” ASEC’s report read.

The attack begins by using a list of SSH credentials to launch a dictionary attack and breach the server. Once this is accomplished, the threat actor deploys the payload and leverages the IRC protocol to communicate with the C2 server and receive commands that instruct ShellBot to conduct DDoS attacks and steal data.

Different ShellBot Variants Used in the Campaign

According to ASEC researchers, three variants of ShellBot were identified, including LiGhT’s Modded perlbot v2, DDoS PBot v2.0, and PowerBots (C) GohacK. The first two versions feature a wide range of DDoS attack commands with HTTP, UDP, and TCP protocols.

Conversely, PowerBots are equipped with backdoor-like capabilities that can provide shell access and upload arbitrary files from the infected host. Threat actors can use these backdoor capabilities for the installation of additional malware and launch different types of attacks, abusing the server.

  1. Windows, Linux and macOS Users Hit by APT Group
  2. Multi-platform SysJoker backdoor hits Linux Devices
  3. DDoS Malware ‘Chaos’ Hits Linux and Windows Devices

Related Posts