The perpetrators orchestrating the ShellBot threat have adapted their tactics, utilizing IP addresses converted into hexadecimal notation to breach poorly secured Linux SSH servers and deploy the DDoS malware.
In a recent report, the AhnLab Security Emergency Response Center (ASEC) documented this change in the operators' modus operandi.
ShellBot, also known as PerlBot, specializes in breaking into servers with weak SSH credentials via dictionary attacks. Once installed, the malware serves as a conduit for orchestrating DDoS attacks and distributing cryptocurrency mining tools.
This malicious software, coded in Perl, relies on the IRC protocol for communication with a command-and-control (C2) server.
Recent instances of ShellBot attacks have revealed a shift towards the use of hexadecimal IP addresses, such as hxxp://0x2763da4e/ (corresponding to 39.99.218[.]78). This change appears to be an attempt to evade detection mechanisms reliant on URL analysis.
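The hexadecimal host in the URL above is one of several integer notations that URL parsers and the libc inet_aton() rules accept for an IPv4 address (hex, octal, decimal, and one to four dot-separated parts). As an added example, not code from the ASEC report or from the malware, the following Python normalizes any such host to canonical dotted-quad form and flags URLs whose host is written in a non-canonical notation; the proxy-log lines and their format are constructed for the example, reusing only the address from the report.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# One numeric component as inet_aton reads it: "0x..." is hex, a leading 0 means
# octal, anything else is decimal. "08" deliberately matches nothing (invalid octal).
_PART = re.compile(r"^(0x[0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")

def _part_value(part: str) -> int:
    if not _PART.match(part):
        raise ValueError(part)
    if part[:2].lower() == "0x":
        return int(part, 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)

def normalize_ipv4_host(host: str) -> Optional[str]:
    """Canonical dotted-quad for an IPv4 host in any inet_aton notation, else None.
    One to four dot-separated parts; the last part fills the remaining low-order bytes."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        *leading, last = [_part_value(p) for p in parts]
    except ValueError:
        return None
    width = 4 - len(leading)  # number of bytes the final part covers
    if any(v > 255 for v in leading) or last >= 1 << (8 * width):
        return None
    n = 0
    for v in leading:
        n = (n << 8) | v
    n = (n << (8 * width)) | last
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def flag_numeric_host_urls(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (url, canonical_ip) for each URL whose host is an IPv4 address
    written in anything other than plain dotted-decimal (the evasion seen above)."""
    findings = []
    for line in log_lines:
        for url in re.findall(r"h(?:tt|xx)ps?://\S+", line):
            host = urlsplit(url.replace("hxxp", "http", 1)).hostname or ""
            dotted = normalize_ipv4_host(host)
            if dotted is not None and dotted != host:
                findings.append((url, dotted))
    return findings

SAMPLE_LOG = [  # constructed proxy-log lines; the address is the one from the report
    "2024-01-01T10:00:00Z GET http://0x2763da4e/ 200",
    "2024-01-01T10:00:01Z GET http://39.99.218.78/ 200",
    "2024-01-01T10:00:02Z GET http://660855374/ 200",
    "2024-01-01T10:00:03Z GET http://0x27.0x63.0xda.0x4e/ 200",
    "2024-01-01T10:00:04Z GET https://example.com/index.html 200",
]
```

Only the three non-canonical notations in SAMPLE_LOG are flagged; the plain dotted-decimal line and the hostname line are passed over, so the normalized address can be matched against existing IP-based blocklists.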
This development underscores the ongoing utilization of ShellBot for launching assaults against Linux-based systems.
Given that ShellBot can install additional malware or carry out various attacks from the compromised server, users are advised to set strong passwords and change them regularly to deter brute-force and dictionary attacks.
Furthermore, ASEC disclosed another alarming trend: cyber attackers are employing abnormal certificates with unusually lengthy strings for Subject Name and Issuer Name fields. This tactic is being used to disseminate information-stealing malware such as Lumma Stealer and a variant of RedLine Stealer known as RecordBreaker.