The GNU Bash vulnerability known as ShellShock is being leveraged by cybercriminals as part of a botnet campaign, researchers reported on Friday.
This isn’t the first time ShellShock has been exploited in the wild, but these attacks stand out because the attackers are delivering the payload over the Simple Mail Transfer Protocol (SMTP), the protocol used to relay email between servers, rather than over HTTP as in earlier campaigns.
According to Binary Defense Systems (BDS), a new sister company of the security firm TrustedSec, the initial ShellShock payload is placed in the Subject, From and To header fields and in the body of the emails sent out by the attackers. If the malicious code is executed successfully, a Perl-based IRC bot is downloaded to the victim’s system and the infected SMTP gateway is added to a botnet infrastructure.
“It’s unknown which product would specifically be vulnerable to this since Shellshock relies on system level calls and leveraging bash; however, it seems to be a fairly wide-scale delivery of emails across the United States,” BDS’s David Kennedy said in a blog post.
Researchers at the SANS Institute reported that the attacks appear to be aimed mainly at the servers of web hosting providers. According to Kevin Liston, a handler at the SANS Institute’s Internet Storm Center (ISC), the malware is designed to execute simple distributed denial-of-service (DDoS) commands, but it’s also capable of fetching and executing other threats.
Belgian security consultant Xavier Mertens stumbled upon one of the malicious emails in his personal email account. The email came from an address on mata.com, a domain for personalized email addresses that’s often abused by attackers, the expert told SecurityWeek via email.
The IP address from which the payload was delivered to Mertens is the same as the one seen by the SANS Institute. The IP (178.254.31.165) is associated with a virtual server hosted at a German hosting company. The server is currently down, Mertens said.
“The thing about Shellshock is that any server running a vulnerable version of bash is vulnerable and can be exploited if an attacker can control something that is set as an SMTP variable. The server doesn’t have to be directly accessible to the public,” Martijn Grooten, editor of Virus Bulletin, told SecurityWeek. “The thing with SMTP is that email sometimes takes various internal routers. For instance, it may arrive at an organisation’s spam filter, which passes it on to a secondary MTA (mail server), which then passes it on to the server used by client machines to retrieve email from.”
“It is not unimaginable that one of these servers uses a bash script that stores, say, the subject line of the email, or the From: address, in a bash variable. If it does and bash hasn’t been patched, then these emails will result in the server executing the command – and, in this case, add the server to a botnet.”
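The path Grooten describes, a filter that copies a mail header into an environment variable and then spawns bash, can be reproduced locally. The script below is an added example, not code from the article, from BDS, SANS or Virus Bulletin; the message text is constructed to mirror the pattern reported (the same `() { :; };` payload in From, To, Subject and the body), with the trailing command replaced by a harmless `echo`. On an unpatched bash the child process executes that `echo` during startup before running its own command; on a patched bash only `ok` is printed.

```bash
#!/usr/bin/env bash
# Added example (not from the article): a Shellshock payload carried in SMTP
# headers, a detector for the trigger pattern, and two checks a gateway
# operator can run. Helper names and the sample message are assumptions.

# Constructed sample message modelled on the reported campaign. The command
# after the function definition is harmless here: it only echoes a marker.
SAMPLE_MAIL='From: () { :; }; echo SHELLSHOCKED
To: () { :; }; echo SHELLSHOCKED
Subject: () { :; }; echo SHELLSHOCKED
Date: Fri, 24 Oct 2014 10:00:00 +0000

() { :; }; echo SHELLSHOCKED
'

# Returns 0 when a header value or body line begins with "() {", the string
# a vulnerable bash treats as an exported function definition (CVE-2014-6271)
# and after which it executes whatever trailing text the attacker appended.
has_shellshock_pattern() {
    printf '%s' "$1" | grep -Eq '(^|:[[:space:]]*)\(\)[[:space:]]*\{'
}

# Mimics a mail filter that stores the Subject: header in an environment
# variable and then runs bash. A vulnerable bash prints SHELLSHOCKED and ok;
# a patched bash prints only ok, because the variable is imported as data.
run_filter_like_vulnerable_gateway() {
    local subject
    subject=$(printf '%s' "$1" | sed -n 's/^Subject:[[:space:]]*//p' | head -n 1)
    SUBJECT="$subject" bash -c 'echo ok' 2>/dev/null
}

# Direct check of the local bash: returns 0 (true) if it is still vulnerable
# to CVE-2014-6271, the classic one-liner test wrapped in a function.
local_bash_is_vulnerable() {
    env x='() { :; }; echo VULNERABLE' bash -c ':' 2>/dev/null | grep -q VULNERABLE
}

# Stand-alone usage: scan the sample and report on the local bash.
if has_shellshock_pattern "$SAMPLE_MAIL"; then
    echo "sample message carries a Shellshock trigger pattern"
fi
run_filter_like_vulnerable_gateway "$SAMPLE_MAIL"
if local_bash_is_vulnerable; then
    echo "local bash is VULNERABLE to CVE-2014-6271"
else
    echo "local bash is patched"
fi
```

The header-level check is only a tripwire: it catches this campaign’s literal `() {` string, not every encoding an attacker might use, so the durable fix is patching bash and, in gateway scripts, never passing untrusted header values through the environment of a bash child.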

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
