Poorly managed Linux SSH servers are being focused as a part of a brand new marketing campaign that deploys totally different variants of a malware referred to as ShellBot.
“ShellBot, also called PerlBot, is a DDoS Bot malware developed in Perl and characteristically makes use of IRC protocol to speak with the C&C server,” AhnLab Safety Emergency response Heart (ASEC) mentioned in a report.
ShellBot is put in on servers which have weak credentials, however solely after risk actors make use of scanner malware to establish methods which have SSH port 22 open.
An inventory of recognized SSH credentials is used to provoke a dictionary assault to breach the server and deploy the payload, after which it makes use of the Web Relay Chat (IRC) protocol to speak with a distant server.
This encompasses the power to obtain instructions that enables ShellBot to hold out DDoS assaults and exfiltrate harvested info.
ASEC mentioned it recognized three totally different ShellBot variations – LiGhT’s Modded perlbot v2, DDoS PBot v2.0, and PowerBots (C) GohacK – the primary two of which provide a wide range of DDoS assault instructions utilizing HTTP, TCP, and UDP protocols.
PowerBots, however, comes with extra backdoor-like capabilities to grant reverse shell entry and add arbitrary information from the compromised host.
The findings come almost three months after ShellBot was employed in assaults aimed toward Linux servers that additionally distributed cryptocurrency miners through a shell script compiler.
Uncover the Hidden Risks of Third-Celebration SaaS Apps
Are you conscious of the dangers related to third-party app entry to your organization’s SaaS apps? Be a part of our webinar to be taught in regards to the varieties of permissions being granted and find out how to reduce danger.
“If ShellBot is put in, Linux servers can be utilized as DDoS Bots for DDoS assaults towards particular targets after receiving a command from the risk actor,” ASEC mentioned. “Furthermore, the risk actor may use numerous different backdoor options to put in further malware or launch several types of assaults from the compromised server.”
The event additionally comes as Microsoft revealed a gradual improve within the variety of DDoS assaults focusing on healthcare organizations hosted in Azure, surging from 10-20 assaults in November 2022 to 40-60 assaults each day in February 2023.
