Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

ShellShock Exploits Used in Expansion of ‘Mayhem’ Linux Botnet

Cybercriminals are expanding the Linux botnet dubbed “Mayhem” by leveraging the recently discovered vulnerabilities in the GNU Bash shell, according to researchers.

Cybercriminals are expanding the Linux botnet dubbed “Mayhem” by leveraging the recently discovered vulnerabilities in the GNU Bash shell, according to researchers.

The Mayhem malware, a multipurpose threat targeting Linux and UNIX Web servers, was first analyzed in May by the Malware Must Die research group. In July, researchers at the Russian Internet company Yandex published a detailed paper on the botnet. Based on data from two command and control (C&C) servers, the experts identified roughly 1,400 compromised machines.

Malware Must Die has been monitoring the botnet and found that cybercriminals are currently attempting to expand it with the aid of ShellShock, the set of Bash flaws that can be leveraged to execute arbitrary code on affected servers.

According to researchers, the attackers first scan servers to see if they are vulnerable to ShellShock. When a vulnerable device is found, the Bash bug is exploited to download a malware installer written in Perl. In the past, this installer was a PHP script, Malware Must Die pointed out.

Once the threat is installed on a system, it creates a hidden file system where it stores its components, including the plugins it uses to carry out tasks such as brute-force attacks and data theft.

As of October 11, Malware Must Die had identified a total of 53 IP addresses involved in such attacks, with 25 of them located in the United States. The attacks have been traced back to a total of 23 countries.

Advertisement. Scroll to continue reading.

“These attacker IPs are the combination between (known) Mayhem bots we monitor and unknown sources (including the suspected possibility of new panels/CNC/bots),” Malware Must Die wrote in a blog post.

“Many of today’s enterprises have adopted public cloud-based services that run on systems that can be infected by Mayhem, but the enterprise has no visibility into whether servers have been patched, no ability to dictate patch schedules, and no visibility into whether exploits of Mayhem have resulted in theft of their data or user credentials,” Rich Campagna, VP of products at Bitglass, told SecurityWeek. “The operational benefits of moving to the public cloud are not without tradeoffs for the enterprise, specifically loss of security and visibility. Enterprises must keep in mind that outsourcing an application to the cloud does not mean that they have outsourced responsibility for protection of their data.”

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

James Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.

Rafal Los has joined Binary Defense as Chief Strategy Officer.

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.