Attackers Exploit ShellShock via SMTP to Distribute Malware

The GNU Bash vulnerability known as ShellShock is being leveraged by cybercriminals as part of a botnet campaign, researchers reported on Friday.

This isn’t the first time ShellShock has been exploited in the wild, but these attacks are interesting for several reasons. First, the attackers are targeting the Simple Mail Transfer Protocol (SMTP), which is used for email transmission.

According to Binary Defense Systems (BDS), a new sister company of the security firm TrustedSec, the initial ShellShock payload is placed in the Subject, From and To header fields, and in the body of the emails sent out by the attackers. If the malicious code is executed successfully, a Perl-based IRC bot is downloaded to the victim’s system and the infected SMTP gateway is added to a botnet infrastructure.

“It’s unknown which product would specifically be vulnerable to this since Shellshock relies on system level calls and leveraging bash however it seems to be a fairly wide-scale delivery of emails across the United States,” BDS’s David Kennedy said in a blog post.

Researchers at the SANS Institute reported that the attacks appear to be aimed mainly at the servers of web hosting providers. According to Kevin Liston, a handler at the SANS Institute’s Internet Storm Center (ISC), the malware is designed to execute simple distributed denial-of-service (DDoS) commands, but it’s also capable of fetching and executing other threats.

Belgian security consultant Xavier Mertens stumbled upon one of the malicious emails in his personal email account. The email came from an address on mata.com, a domain for personalized email addresses that’s often abused by attackers, the expert told SecurityWeek via email.

The IP address from which the payload was delivered to Mertens is the same as the one seen by the SANS Institute. The IP (178.254.31.165) is associated with a virtual server hosted at a German hosting company. The server is currently down, Mertens said.

“The thing about Shellshock is that any server running a vulnerable version of bash is vulnerable and can be exploited if an attacker can control something that is set as an SMTP variable. The server doesn’t have to be directly accessible to the public,” Martijn Grooten, editor of Virus Bulletin, told SecurityWeek. “The thing with SMTP is that email sometimes takes various internal routers. For instance, it may arrive at an organisation’s spam filter, which passes it on to a secondary MTA (mail server), which then passes it on to the server used by client machines to retrieve email from.”

“It is not unimaginable that one of these servers uses a bash script that stores, say, the subject line of the email, or the From: address, in a bash variable. If it does and bash hasn’t been patched, then these emails will result in the server executing the command – and, in this case, add the server to a botnet.”
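The mechanism described above, that an MTA or filter script copies header values into a bash variable, is why the ShellShock exported-function prefix in mail headers is a usable detection signal on the receiving side. The following is an added example, not code from the article or from BDS or SANS: it parses a constructed raw message and reports every watched header and text body part that carries the prefix (the header list beyond Subject, From and To, and the harmless placeholder command in the sample, are assumptions).

```python
import re
from email import message_from_string
from typing import List, Tuple

# Signature of the bash exported-function prefix that the ShellShock family of
# bugs (CVE-2014-6271 and its follow-ups) mis-parsed from environment variables.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Headers the article names as payload carriers (Subject, From, To), plus a
# few others that MTA and filter scripts commonly copy into shell variables
# (assumed additions for this example).
WATCHED_HEADERS = ("Subject", "From", "To", "Cc", "Reply-To", "Message-ID")


def find_shellshock_indicators(raw_message: str) -> List[Tuple[str, str]]:
    """Return (location, matching_text) pairs for every watched header and
    every text body part that contains the ShellShock function prefix."""
    msg = message_from_string(raw_message)
    hits: List[Tuple[str, str]] = []
    for name in WATCHED_HEADERS:
        for value in msg.get_all(name, []):
            if SHELLSHOCK_RE.search(str(value)):
                hits.append((name, str(value)))
    # Walk all parts so multipart messages are covered; skip non-text parts.
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_payload(decode=True)
        text = body.decode(part.get_content_charset() or "utf-8", "replace") if body else ""
        if SHELLSHOCK_RE.search(text):
            hits.append(("body", text.strip()))
    return hits


# Constructed sample resembling the campaign's delivery: the prefix sits in
# Subject, From and the body; the command after it is a harmless placeholder.
SAMPLE_MALICIOUS = (
    "From: () { :;}; /bin/echo PLACEHOLDER <sender@example.invalid>\r\n"
    "To: postmaster@example.invalid\r\n"
    "Subject: () { :;}; /bin/echo PLACEHOLDER\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "() { :;}; /bin/echo PLACEHOLDER\r\n"
)

# Constructed benign sample: braces and parentheses that do not form the prefix.
SAMPLE_BENIGN = (
    "From: Alice <alice@example.invalid>\r\n"
    "To: bob@example.invalid\r\n"
    "Subject: Meeting notes {draft}\r\n"
    "\r\n"
    "See the () notes attached.\r\n"
)
```

Matching a header is a reason to quarantine and to verify the gateway's bash is patched; the signature alone does not tell you whether any script on the path actually exports the value.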

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
