Cybercriminals are expanding the Linux botnet dubbed “Mayhem” by leveraging the recently discovered vulnerabilities in the GNU Bash shell, according to researchers.
The Mayhem malware, a multipurpose threat targeting Linux and UNIX Web servers, was first analyzed in May by the Malware Must Die research group. In July, researchers at the Russian Internet company Yandex published a detailed paper on the botnet. Based on data from two command and control (C&C) servers, the experts identified roughly 1,400 compromised machines.
Malware Must Die has been monitoring the botnet and found that cybercriminals are currently attempting to expand it with the aid of ShellShock, the set of Bash flaws that can be leveraged to execute arbitrary code on affected servers.
According to researchers, the attackers first scan servers to see if they are vulnerable to ShellShock. When a vulnerable device is found, the Bash bug is exploited to download a malware installer written in Perl. In the past, this installer was a PHP script, Malware Must Die pointed out.
Once the threat is installed on a system, it creates a hidden file system where it stores its components, including the plugins it uses to carry out tasks such as brute-force attacks and data theft.
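The scan-then-exploit chain described above leaves a recognisable trace on the targeted web server: a ShellShock probe has to place a Bash function-definition prefix (`() {`) inside an HTTP header or request line, where it never occurs legitimately. As an added example (not code from the article, from Malware Must Die or from Yandex), the Python below parses Apache combined-format access-log lines, flags requests carrying that prefix in the request line, Referer or User-Agent, and tallies distinct source addresses the way the researchers counted attacker IPs. The log lines, paths and addresses are constructed samples.

```python
import re
from collections import Counter

# Constructed sample access-log lines (Apache "combined" format). Addresses
# come from documentation ranges; the two probe lines carry an inert payload
# that only echoes a string, which is enough to exercise the detector.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Oct/2014:10:02:11 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
198.51.100.7 - - [11/Oct/2014:10:02:15 +0000] "GET /index.html HTTP/1.1" 200 2048 "http://example.test/" "Mozilla/5.0"
203.0.113.10 - - [11/Oct/2014:10:03:40 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 220 "() { ignored; }; echo x" "curl/7.30"
192.0.2.55 - - [11/Oct/2014:10:05:02 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (compatible)"
"""

# One combined-format line: ip ident user [timestamp] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The ShellShock signature: an empty-parameter function definition "() {",
# allowing optional whitespace as some probes vary the spacing.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Header-derived fields that end up in Bash environment variables on a CGI host.
SUSPECT_FIELDS = ("request", "referer", "ua")


def parse_line(line):
    """Return the combined-format fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock_attempts(lines):
    """Return one hit per log line whose request, Referer or User-Agent carries the signature."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line: skip rather than guess
        for field in SUSPECT_FIELDS:
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append({"line": n, "ip": rec["ip"], "field": field, "request": rec["request"]})
                break  # one hit per line is enough for triage
    return hits


def attackers_by_ip(hits):
    """Count probe attempts per source address, as a basis for blocking or reporting."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = find_shellshock_attempts(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"line {h['line']}: {h['ip']} placed the signature in {h['field']} ({h['request']})")
    print("distinct attacker IPs:", len(attackers_by_ip(found)))
```

Point it at a real access log with `find_shellshock_attempts(open(path))`; a non-zero result on a host that exposes CGI scripts to the internet is a reason to confirm the Bash package is patched and to check for the hidden file system and Perl installer the researchers describe.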
As of October 11, Malware Must Die had identified a total of 53 IP addresses involved in such attacks, with 25 of them located in the United States. The attacks have been traced back to a total of 23 countries.
“These attacker IPs are the combination between (known) Mayhem bots we monitor and unknown sources (including the suspected possibility of new panels/CNC/bots),” Malware Must Die wrote in a blog post.
“Many of today’s enterprises have adopted public cloud-based services that run on systems that can be infected by Mayhem, but the enterprise has no visibility into whether servers have been patched, no ability to dictate patch schedules, and no visibility into whether exploits of Mayhem have resulted in theft of their data or user credentials,” Rich Campagna, VP of products at Bitglass, told SecurityWeek. “The operational benefits of moving to the public cloud are not without tradeoffs for the enterprise, specifically loss of security and visibility. Enterprises must keep in mind that outsourcing an application to the cloud does not mean that they have outsourced responsibility for protection of their data.”

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
