SecurityWeek
Attackers Exploit ShellShock via SMTP to Distribute Malware

The GNU Bash vulnerability known as ShellShock is being leveraged by cybercriminals as part of a botnet campaign, researchers reported on Friday.
This isn’t the first time ShellShock has been exploited in the wild, but these attacks are notable because the attackers are targeting the Simple Mail Transfer Protocol (SMTP), the protocol used for email transmission.

According to Binary Defense Systems (BDS), a new sister company of the security firm TrustedSec, the initial ShellShock payload is included in the Subject, From and To header fields, as well as the body, of the emails sent out by the attackers. If the malicious code is executed successfully, a Perl-based IRC bot is downloaded to the victim’s system and the infected SMTP gateway is added to a botnet infrastructure.

“It’s unknown which product would specifically be vulnerable to this since Shellshock relies on system level calls and leveraging bash however it seems to be a fairly wide-scale delivery of emails across the United States,” BDS’s David Kennedy said in a blog post.

Researchers at the SANS Institute reported that the attacks appear to be aimed mainly at the servers of web hosting providers. According to Kevin Liston, a handler at the SANS Institute’s Internet Storm Center (ISC), the malware is designed to execute simple distributed denial-of-service (DDoS) commands, but it’s also capable of fetching and executing other threats.

Belgian security consultant Xavier Mertens stumbled upon one of the malicious emails in his personal email account. The email came from an address on mata.com, a domain for personalized email addresses that’s often abused by attackers, the expert told SecurityWeek via email.

The IP address from which the payload was delivered to Mertens is the same as the one seen by the SANS Institute. The IP (178.254.31.165) is associated with a virtual server hosted at a German hosting company. The server is currently down, Mertens said.

“The thing about Shellshock is that any server running a vulnerable version of bash is vulnerable and can be exploited if an attacker can control something that is set as an SMTP variable. The server doesn’t have to be directly accessible to the public,” Martijn Grooten, editor of Virus Bulletin, told SecurityWeek. “The thing with SMTP is that email sometimes takes various internal routers. For instance, it may arrive at an organisation’s spam filter, which passes it on to a secondary MTA (mail server), which then passes it on to the server used by client machines to retrieve email from.”
“It is not unimaginable that one of these servers uses a bash script that stores, say, the subject line of the email, or the From: address, in a bash variable. If it does and bash hasn’t been patched, then these emails will result in the server executing the command – and, in this case, add the server to a botnet.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.