ASEC published a report citing an increase in the usage of the BlueShell malware by various threat actors, to target Windows, Mac, and Linux OS across Korea and Thailand.
A background on BlueShell
The BlueShell backdoor has been operational since 2020 and is written in Go.
BlueShell employs TLS encryption to evade network detection when communicating with its C2 server.
It relies on three configuration parameters: the C2 server's IP address, port number, and a specified waiting time.
Research findings have uncovered the use of BlueShell malware by the Dalbit Group in attacks targeting Windows systems.
The Dalbit Group, a threat actor based in China, primarily focuses on vulnerable servers to pilfer critical data, which it then uses to demand ransom.
Additionally, there have been documented instances of attacks against mail servers and MS-SQL database servers.
The new variant
While analyzing BlueShell's activities in the Linux environment, the researchers identified a customized variant of the malware on VirusTotal.
Notably, this malware sample was uploaded to VirusTotal from locations in Korea and Thailand, suggesting that these two regions may have been the intended targets of the attack.
Some latest attacks on operating systems
A threat actor is exploiting vulnerabilities in the MinIO Object Storage system to remotely execute arbitrary code on vulnerable servers. The exploits can effectively be used against Linux and Windows environments using specific Downloader Scripts.
Early August, researchers spotted an evolved SkidMap malware variant targeting a wide range of Linux distributions, including Alibaba, Anolis, and RedHat.
The same month witnessed a new hVNC tool for hacking Mac systems, allowing attackers to gain stealthy remote control and steal sensitive information.
The bottom line
ASEC's report highlights the escalating utilization of BlueShell malware across Windows, Mac, and Linux systems in Korea and Thailand. To mitigate such threats, organizations should prioritize regular system patching, implement robust intrusion detection systems, and enhance server security measures. Additionally, user education on recognizing phishing attempts can play a vital role in preventing malware infections.