ShellBot (also known as PerlBot)—a Perl-based DDoS bot malware previously seen in attacks alongside CoinMiner—targets poorly managed Linux SSH servers in a new campaign. The malware scans the internet for vulnerable SSH servers and, after a successful break-in, uses them for various malicious activities.
ShellBot was first discovered in 2017. The malware typically uses the IRC protocol to communicate with its C2 server. It commonly relies on SSH brute-force attacks to break into internet-connected Linux servers with weak passwords, infect the system, and mine cryptocurrency.
Common tactics in the latest campaign
Threat actors most likely use a scanner or brute-forcer to find systems with SSH port 22 open, then run a dictionary attack against them with a list of commonly used SSH account credentials.
Once they break into a weakly secured server, they install ShellBot, which then uses the IRC protocol to communicate with a remote server.
The malware receives commands from that server, carries out DDoS attacks, and exfiltrates the harvested information.
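The dictionary-attack phase described above leaves a distinctive trace in sshd's own logs: one source address cycling through many usernames in seconds, and, if the campaign succeeds, a successful login from that same address. The following is an added example for this article, not code from the article or from the ASEC report; the log lines are constructed in the syslog format OpenSSH writes to /var/log/auth.log, and the hostnames, usernames and documentation-range IP addresses are placeholders.

```python
"""Flag SSH dictionary attacks, and any login that follows one, in sshd logs.

Added example for this article; it is not code from the article or from the
ASEC report. The log lines are constructed in the syslog format OpenSSH writes
to /var/log/auth.log; hostnames, usernames and the documentation-range IP
addresses are placeholders.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: 203.0.113.5 walks a list of common usernames in a few
# seconds and finally gets in as root; 198.51.100.7 is one mistyped password
# followed by a normal key-based login.
SAMPLE_AUTH_LOG = """\
Mar 20 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51001 ssh2
Mar 20 10:00:02 host sshd[1202]: Failed password for invalid user test from 203.0.113.5 port 51002 ssh2
Mar 20 10:00:03 host sshd[1203]: Failed password for root from 203.0.113.5 port 51003 ssh2
Mar 20 10:00:04 host sshd[1204]: Failed password for invalid user oracle from 203.0.113.5 port 51004 ssh2
Mar 20 10:00:05 host sshd[1205]: Failed password for invalid user ubuntu from 203.0.113.5 port 51005 ssh2
Mar 20 10:00:06 host sshd[1206]: Accepted password for root from 203.0.113.5 port 51006 ssh2
Mar 20 10:05:00 host sshd[1300]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar 20 10:05:30 host sshd[1301]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line):
    """Parse one sshd auth line into a dict, or return None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; only relative times are used below,
    # so the default year strptime fills in does not matter
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def analyze(log_text, window_s=60, threshold=5):
    """Return {source_ip: finding} for sources that look like dictionary attacks.

    A source is flagged once it produces `threshold` failed logins inside any
    `window_s`-second sliding window. The finding records every username it
    tried and any account it logged into after being flagged, which is the
    signal that the server has probably been taken over.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    stats = defaultdict(lambda: {"fail_times": [], "users": set(),
                                 "flagged": False, "logins_after": []})
    for e in events:
        s = stats[e["ip"]]
        if e["result"] == "Failed":
            s["fail_times"].append(e["ts"])
            s["users"].add(e["user"])
            recent = [t for t in s["fail_times"]
                      if (e["ts"] - t).total_seconds() <= window_s]
            if len(recent) >= threshold:
                s["flagged"] = True
        elif s["flagged"]:
            # a successful login from a source already flagged as an attacker
            s["logins_after"].append(e["user"])
    return {
        ip: {"failed_logins": len(s["fail_times"]),
             "usernames_tried": sorted(s["users"]),
             "logins_after_attack": s["logins_after"]}
        for ip, s in stats.items() if s["flagged"]
    }


if __name__ == "__main__":
    for ip, finding in analyze(SAMPLE_AUTH_LOG).items():
        print(ip, finding)
```

The window and threshold are deliberately parameters: a busy jump host will want a higher threshold, and real logs should be fed in chronological order across log rotations, since the sliding window only sees what it is given. The `logins_after_attack` field is the one to alert on with priority; a flagged source with no subsequent login is noise that a firewall rule handles, while a flagged source that then authenticates is the point at which the bot is installed.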
Three variants with different commands
ASEC researchers discovered that the threat actors are using three new malware variants: LiGhT's Modded perlbot v2, DDoS PBot v2.0, and PowerBots (C) GohacK.
While the first two variants offer a variety of DDoS attack commands using the HTTP, TCP, SQL, and UDP protocols, the third variant comes with additional backdoor-like capabilities alongside its DDoS attack features.
Threat actors can use the third variant’s backdoor capabilities to grant reverse shell access, download arbitrary files from the compromised system, install additional malware, and launch different types of attacks.
Security tips
ShellBot is consistently evolving and targeting Linux servers with new techniques and different variants. Its attacks largely rely on brute-forcing weakly configured servers that have exposed ports and weak passwords. Administrators are therefore advised to implement strong password policies, including using strong passwords for their accounts and changing them periodically, to protect Linux servers and IoT devices.
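A strong password policy is the article's recommendation; in practice the sshd configuration decides whether guessed passwords are even accepted, so a practitioner will want to check it as well. The following is an added example that goes a step beyond the article's advice: it is not code from the article or from the ASEC report, the two configuration fragments are constructed, and the OpenSSH keyword names and the defaults assumed for absent keys reflect OpenSSH 7.0 and later.

```python
"""Audit the global section of an sshd_config for settings that make SSH
password guessing cheap.

Added example for this article, not code from the article or the ASEC report.
The two configuration fragments are constructed; the OpenSSH keyword names and
the defaults used for absent keys follow OpenSSH 7.0 and later.
"""
import re

# OpenSSH defaults applied when a keyword is not set in the file.
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
}

# Constructed: the kind of configuration the campaign in the article feeds on.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
"""

# Constructed: the same server with password guessing switched off globally.
# The Match block keeps one service account on passwords; Match settings are
# conditional and outside the scope of this global audit.
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 3
Match User backup
    PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Return {lowercased keyword: value} for the global section of sshd_config.

    Mirrors two sshd rules: keywords are case-insensitive, and the first
    occurrence of a keyword wins. Everything from the first Match line onward
    is conditional and is skipped.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts both "Keyword value" and "Keyword=value"
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means none of the checked
    keywords is set to a weak value."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if cfg["passwordauthentication"].lower() == "yes":
        findings.append("PasswordAuthentication yes: dictionary attacks are "
                        "possible; prefer key-based authentication")
    if cfg["permitrootlogin"].lower() == "yes":
        findings.append("PermitRootLogin yes: root is a guessable, "
                        "always-present account")
    if cfg["permitemptypasswords"].lower() == "yes":
        findings.append("PermitEmptyPasswords yes: accounts with empty "
                        "passwords are reachable")
    if int(cfg["maxauthtries"]) > 3:
        findings.append(f"MaxAuthTries {cfg['maxauthtries']}: many guesses "
                        "per connection before sshd disconnects")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_SSHD_CONFIG),
                       ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(conf) or ["no findings"])
```

Two caveats when running this against a real file: `Include` directives (OpenSSH 8.2 and later) pull in further files that this parser does not follow, and anything inside a `Match` block is ignored on purpose, so a server that re-enables passwords for a broad `Match` group will pass the global audit while still being guessable for those users.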