ShellBot: A DDoS Bot targeting poorly managed Linux servers

ShellBot, also known as PerlBot, is DDoS bot malware written in Perl that, unusually, uses the IRC (Internet Relay Chat) protocol to communicate with its C&C server. Observed in cyberattacks since 2018, it targets Linux-based servers and IoT devices, using brute-force attacks, exploits, and social engineering to gain access to and control over the system, which also allows the attackers to steal sensitive data.

After scanning for systems with port 22 open, the threat actors identify those where the SSH service is active and use a list of commonly used SSH account credentials to launch a dictionary attack. Once a system is infected, the attackers can control it remotely over IRC to launch further attacks or mine cryptocurrency. ShellBot has several variants, including LiGhT’s Modded perlbot v2, DDoS PBot v2.0, and PowerBots (C) GohacK; the first two offer a variety of DDoS attack commands using the HTTP, TCP, and UDP protocols.
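The SSH dictionary attack described above leaves a characteristic trace in sshd logs: many failed logins for common account names from one source, sometimes followed by an "Accepted" line from the same source. The following defender-side check is an added example, not code from the article or its references; it runs over constructed sshd log lines (the addresses, hostnames and timestamps are made up) and flags sources that exceed a failed-login threshold, listing the usernames tried and any login that then succeeded from such a source.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines (not from the original article): a dictionary
# attack against sshd with common account names from one source address, plus
# a benign user from a second address for contrast.
SAMPLE_AUTH_LOG = """\
Mar 10 02:14:01 host sshd[2211]: Failed password for root from 198.51.100.7 port 51022 ssh2
Mar 10 02:14:02 host sshd[2213]: Failed password for invalid user admin from 198.51.100.7 port 51024 ssh2
Mar 10 02:14:03 host sshd[2215]: Failed password for invalid user ubuntu from 198.51.100.7 port 51026 ssh2
Mar 10 02:14:04 host sshd[2217]: Failed password for invalid user pi from 198.51.100.7 port 51028 ssh2
Mar 10 02:14:05 host sshd[2219]: Failed password for root from 198.51.100.7 port 51030 ssh2
Mar 10 02:14:09 host sshd[2221]: Accepted password for root from 198.51.100.7 port 51032 ssh2
Mar 10 02:20:15 host sshd[2300]: Failed password for alice from 192.0.2.44 port 40110 ssh2
Mar 10 02:20:40 host sshd[2302]: Accepted publickey for alice from 192.0.2.44 port 40112 ssh2
"""

# sshd writes "invalid user" before names that do not exist on the host.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port")


def analyze_ssh_log(text, threshold=5):
    """Return (suspects, users_tried, compromised):
    suspects     -> {source: failed-login count} for sources at or above threshold
    users_tried  -> {source: sorted list of usernames attempted}
    compromised  -> [(source, user)] for successful logins from a source that
                    had already reached the threshold (likely a guessed password)
    """
    failures = defaultdict(int)
    users = defaultdict(set)
    compromised = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, src = m.groups()
            failures[src] += 1
            users[src].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            user, src = m.groups()
            if failures.get(src, 0) >= threshold:
                compromised.append((src, user))
    suspects = {src: n for src, n in failures.items() if n >= threshold}
    return suspects, {s: sorted(u) for s, u in users.items()}, compromised
```

A real deployment would read `/var/log/auth.log` or `journalctl -u ssh` output and add a time window, but the parsing and threshold logic are the same.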

ShellBot attacks are typically targeted towards financial and banking industries, as well as organizations in the retail and hospitality sectors. This is due to the sensitive and valuable data that these industries typically possess, making them lucrative targets for cybercriminals. In addition, the malware has been observed in attacks against government agencies and healthcare organizations.

Once ShellBot is installed, the Linux server can be used as a DDoS bot against specific targets after receiving a command from the threat actor. The threat actor can also use the malware's other backdoor features to install additional malware or launch different types of attacks from the compromised server. Recent ShellBot attacks have been reported globally, including in the United States, Europe, and Asia.
