The GNU Bash vulnerability known as ShellShock is being leveraged by cybercriminals as part of a botnet campaign, researchers reported on Friday.
This isn’t the first time ShellShock has been exploited in the wild, but these attacks are interesting for several reasons. First, the attackers are targeting the Simple Mail Transfer Protocol (SMTP), which is used for email transmission.
According to Binary Defense Systems (BDS), a new sister company of the security firm TrustedSec, the initial ShellShock payload is included in the Subject, From and To fields and in the body of the email sent out by the attackers. If the malicious code is executed successfully, a Perl-based IRC bot is downloaded to the victim’s system and the infected SMTP gateway is added to a botnet infrastructure.
“It’s unknown which product would specifically be vulnerable to this since Shellshock relies on system level calls and leveraging bash however it seems to be a fairly wide-scale delivery of emails across the United States,” BDS’s David Kennedy said in a blog post.
Researchers at the SANS Institute reported that the attacks appear to be aimed mainly at the servers of web hosting providers. According to Kevin Liston, a handler at the SANS Institute’s Internet Storm Center (ISC), the malware is designed to execute simple distributed denial-of-service (DDoS) commands, but it’s also capable of fetching and executing other threats.
Belgian security consultant Xavier Mertens stumbled upon one of the malicious emails in his personal email account. The email came from an address on mata.com, a domain for personalized email addresses that’s often abused by attackers, the expert told SecurityWeek via email.
The IP address from which the payload was delivered to Mertens is the same as the one seen by the SANS Institute. The IP (184.108.40.206) is associated with a virtual server hosted at a German hosting company. The server is currently down, Mertens said.
“The thing about Shellshock is that any server running a vulnerable version of bash is vulnerable and can be exploited if an attacker can control something that is set as an SMTP variable. The server doesn’t have to be directly accessible to the public,” Martijn Grooten, editor of Virus Bulletin, told SecurityWeek. “The thing with SMTP is that email sometimes takes various internal routers. For instance, it may arrive at an organisation’s spam filter, which passes it on to a secondary MTA (mail server), which then passes it on to the server used by client machines to retrieve email from.”
“It is not unimaginable that one of these servers uses a bash script that stores, say, the subject line of the email, or the From: address, in a bash variable. If it does and bash hasn’t been patched, then these emails will result in the server executing the command – and, in this case, adding the server to a botnet.”
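The mechanism Grooten describes, a mail header copied into a bash variable, is what placing the payload in the Subject, From, To and body fields relies on. As an added example, not code from SecurityWeek or from any of the quoted researchers, the Python script below shows a simple gateway-side check that flags messages in which one of those fields begins with the bash function-definition prefix the vulnerable parser honours; the sample messages are constructed.

```python
import re
from email import message_from_string

# Bash imported a variable as a function when its value began with "() {".
# The check is tolerant of whitespace variants so it errs on the side of flagging.
SHELLSHOCK_RE = re.compile(r"^\s*\(\)\s*\{", re.MULTILINE)

# Header fields the reported campaign carried the payload in.
CHECKED_HEADERS = ("Subject", "From", "To")

# Constructed sample messages (not real campaign mail); the "payload" only echoes.
SAMPLE_MESSAGES = {
    "clean": "From: alice@example.org\nTo: bob@example.org\n"
             "Subject: lunch?\n\nnoon works for me\n",
    "subject": "From: alice@example.org\nTo: bob@example.org\n"
               "Subject: () { :;}; echo constructed-sample\n\nhello\n",
    "body": "From: alice@example.org\nTo: bob@example.org\n"
            "Subject: hi\n\n() { :;}; echo constructed-sample\n",
}


def _text_body(msg):
    """Return the decoded text/plain body, or None if there is none."""
    part = msg
    if msg.is_multipart():
        for p in msg.walk():
            if p.get_content_type() == "text/plain":
                part = p
                break
        else:
            return None
    payload = part.get_payload(decode=True)
    return payload.decode("utf-8", "replace") if payload else None


def shellshock_hits(raw_message):
    """Return (location, value) pairs whose value starts with the
    function-definition prefix, checking the named headers and the body."""
    msg = message_from_string(raw_message)
    hits = []
    for name in CHECKED_HEADERS:
        for value in msg.get_all(name, []):
            if SHELLSHOCK_RE.search(str(value)):
                hits.append((name, str(value)))
    body = _text_body(msg)
    if body is not None and SHELLSHOCK_RE.search(body):
        hits.append(("body", body.strip()))
    return hits


if __name__ == "__main__":
    for label, raw in SAMPLE_MESSAGES.items():
        print(label, shellshock_hits(raw))
```

A hit is a signal to quarantine and inspect the message, not proof of a vulnerable relay; patching bash remains the fix.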