Email Security

Attackers Exploit ShellShock via SMTP to Distribute Malware

The GNU Bash vulnerability known as ShellShock is being leveraged by cybercriminals as part of a botnet campaign, researchers reported on Friday.

This isn’t the first time ShellShock has been exploited in the wild, but these attacks are interesting for several reasons. First, the attackers are targeting the Simple Mail Transfer Protocol (SMTP), which is used for email transmission.

According to Binary Defense Systems (BDS), a new sister company of the security firm TrustedSec, the initial ShellShock payload is included in the Subject, From and To header fields and in the body of the emails sent out by the attackers. If the malicious code executes successfully, a Perl-based IRC bot is downloaded to the victim’s system and the infected SMTP gateway is added to the botnet infrastructure.

“It’s unknown which product would specifically be vulnerable to this since Shellshock relies on system level calls and leveraging bash; however, it seems to be a fairly wide-scale delivery of emails across the United States,” BDS’s David Kennedy said in a blog post.

Researchers at the SANS Institute reported that the attacks appear to be aimed mainly at the servers of web hosting providers. According to Kevin Liston, a handler at the SANS Institute’s Internet Storm Center (ISC), the malware is designed to execute simple distributed denial-of-service (DDoS) commands, but it’s also capable of fetching and executing other threats.

Belgian security consultant Xavier Mertens stumbled upon one of the malicious emails in his personal email account. The email came from an address on, a domain for personalized email addresses that’s often abused by attackers, the expert told SecurityWeek via email.

The IP address from which the payload was delivered to Mertens is the same as the one seen by the SANS Institute. The IP ( is associated with a virtual server hosted at a German hosting company. The server is currently down, Mertens said.


“The thing about Shellshock is that any server running a vulnerable version of bash is vulnerable and can be exploited if an attacker can control something that is set as an SMTP variable. The server doesn’t have to be directly accessible to the public,” Martijn Grooten, editor of Virus Bulletin, told SecurityWeek. “The thing with SMTP is that email sometimes takes various internal routers. For instance, it may arrive at an organisation’s spam filter, which passes it on to a secondary MTA (mail server), which then passes it on to the server used by client machines to retrieve email from.”

“It is not unimaginable that one of these servers uses a bash script that stores, say, the subject line of the email, or the From: address, in a bash variable. If it does and bash hasn’t been patched, then these emails will result in the server executing the command – and, in this case, add the server to a botnet.”
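The mechanism Grooten describes, a header value landing in a bash variable, is what a mail gateway operator would want to detect on the wire before it reaches any script. The following is an added example written for this page, not code from BDS, SANS or the article itself. It scans the fields the article names (Subject, From, To and the body) for the ShellShock trigger: bash only imports an environment variable as a function when the value begins with `() {`, so the check is anchored at the start of each value, which also avoids flagging ordinary text that happens to contain braces. The sample messages are constructed; the "payload" in them is the harmless public self-test string, not the downloader the article describes.

```python
import re
from email import message_from_string

# bash only imports an environment variable as a function when its value
# *begins* with "() {", so anchoring at the start avoids flagging ordinary
# text that merely contains a brace. MULTILINE lets the body check match
# a payload that begins on any line of the body.
SHELLSHOCK_RE = re.compile(r"^\s*\(\)\s*\{", re.MULTILINE)

# Header fields the article reports as carrying the payload; the body is
# checked separately below.
SCANNED_HEADERS = ("Subject", "From", "To")


def _unfold(value):
    """Join folded header continuation lines so a payload split across
    lines is still seen as one value."""
    return " ".join(value.split())


def find_shellshock_indicators(raw_message):
    """Return [(location, value), ...] for every scanned header or body
    that starts with a bash function-definition import.

    The legacy (compat32) parser keeps header values as raw strings, so a
    deliberately malformed From: address does not abort the scan."""
    msg = message_from_string(raw_message)
    hits = []
    for name in SCANNED_HEADERS:
        for value in msg.get_all(name, []):
            unfolded = _unfold(value)
            if SHELLSHOCK_RE.search(unfolded):
                hits.append((name, unfolded))
    if not msg.is_multipart():
        body = msg.get_payload(decode=True)
        if body:
            text = body.decode("utf-8", errors="replace")
            if SHELLSHOCK_RE.search(text):
                hits.append(("body", text.strip()))
    return hits


# Constructed sample messages (not taken from the article). The trigger
# string is the harmless public self-test, not the IRC bot downloader.
SAMPLE_MALICIOUS = (
    "From: () { :;}; echo constructed-test\r\n"
    "To: postmaster@example.invalid\r\n"
    "Subject: () { :;};\r\n"
    " echo folded-constructed-test\r\n"
    "\r\n"
    "() { :;}; echo body-constructed-test\r\n"
)

SAMPLE_BENIGN = (
    "From: alice@example.invalid\r\n"
    "To: bob@example.invalid\r\n"
    "Subject: Re: patch for handler() { ... } in mail filter\r\n"
    "\r\n"
    "Please review the attached diff.\r\n"
)

if __name__ == "__main__":
    for label, sample in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        hits = find_shellshock_indicators(sample)
        print(f"{label}: {len(hits)} indicator(s)")
        for location, value in hits:
            print(f"  {location}: {value}")
```

Run stand-alone, the malicious sample yields three indicators (Subject, From and body) and the benign one, whose subject merely mentions `handler() {` mid-sentence, yields none. The folded Subject in the sample is there on purpose: a filter that inspects header lines individually, rather than the unfolded value, misses a trigger split at the line break.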

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
