A new campaign deploying the malware known as Shellbot has begun targeting poorly configured Linux SSH servers. The AhnLab Security Emergency response Center (ASEC) reports that this DDoS bot, also known as Perlbot, is written in Perl and typically uses the IRC protocol to communicate with its C2 server.
The attackers use scanners to identify systems with SSH port 22 (the default port) open and install Shellbot on servers that use weak credentials. They use a list of commonly used SSH credentials to run a dictionary attack, a method known as brute forcing, to gain access to the server and deploy the payload. Once installed, the bot communicates with the remote C2 server over the Internet Relay Chat protocol. Shellbot receives commands that allow it to perform DDoS attacks and exfiltrate the information it collects.
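As an added example (not code from the article or from the ASEC report), here is a small Python detector for the dictionary-attack pattern described above as it appears in sshd authentication logs: a burst of failed password logins from one source, and whether a password login from that same source was then accepted. The log lines and addresses are constructed, and the threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (not from the article); addresses use documentation ranges.
SAMPLE_LOG = """\
Mar 10 02:14:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar 10 02:14:02 host sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Mar 10 02:14:03 host sshd[1205]: Failed password for invalid user test from 203.0.113.5 port 51238 ssh2
Mar 10 02:14:04 host sshd[1207]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar 10 02:14:05 host sshd[1209]: Failed password for root from 203.0.113.5 port 51242 ssh2
Mar 10 02:14:06 host sshd[1211]: Accepted password for root from 203.0.113.5 port 51244 ssh2
Mar 10 02:20:00 host sshd[1300]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Mar 10 02:20:30 host sshd[1302]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

# Matches the standard OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse_line(line, year=2023):
    """Parse one sshd auth line into a dict, or return None for unrelated lines.
    Syslog timestamps carry no year, so the year is an assumed parameter."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}

def find_brute_force(log_text, threshold=5, window_s=60):
    """Flag sources with >= threshold failed password logins inside window_s seconds.
    'success_after' is True when a *password* login was later accepted from that
    source, i.e. the dictionary attack most likely succeeded and needs response."""
    by_ip = defaultdict(list)
    for event in filter(None, map(parse_line, log_text.splitlines())):
        by_ip[event["ip"]].append(event)
    hits = {}
    for ip, events in by_ip.items():
        fails = [e for e in events if e["result"] == "Failed" and e["method"] == "password"]
        for i in range(len(fails) - threshold + 1):  # sliding window over failures
            burst_end = fails[i + threshold - 1]["ts"]
            if (burst_end - fails[i]["ts"]).total_seconds() <= window_s:
                success = any(e["result"] == "Accepted" and e["method"] == "password"
                              and e["ts"] >= burst_end for e in events)
                hits[ip] = {"failures": len(fails), "success_after": success,
                            "users": sorted({e["user"] for e in fails})}
                break
    return hits
```

A source that appears with `success_after` set is the case to treat as a likely compromise; a single failure from a known user, as with the second address in the sample, is not flagged.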
ASEC stated that it has identified three different versions of Shellbot: LiGhT's Modded perlbot v2, DDoS PBot v2.0, and PowerBots (C) GohacK. The first two versions offer various commands for performing DDoS attacks over the HTTP, TCP, and UDP protocols. PowerBots has additional capabilities that make it a full-fledged backdoor: the malware can provide reverse shell access and download files from the target device.
Three months earlier, ASEC had already observed Shellbot attacks aimed at Linux servers. The goal of those attacks was to spread cryptocurrency miners by way of a shell script compiler.