
Cyberattackers are targeting Linux SSH servers with the ShellBot malware, and they have a new technique for hiding their activity: using hexadecimal IP (Hex IP) addresses to evade behavior-based detection.
According to researchers at the AhnLab Security Emergency Response Center (ASEC), the threat actors are translating the familiar "dot-decimal" command-and-control URL format (i.e., hxxp://39.99.218[.]78) into a Hex IP address format (such as hxxp://0x2763da4e/), which most URL-based detection signatures will not parse or flag.
"IP addresses can be expressed in formats other than the dot-decimal notation, including decimal and hexadecimal notations, and are generally compatible with widely used web browsers," according to the ASEC advisory on the Hex IP attacks. "Due to the usage of curl for the download and its ability to support hexadecimal just like web browsers, ShellBot can be downloaded successfully on a Linux system environment and executed through Perl."
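As an added example (not code from the article or from ASEC), the following Python normalizer canonicalizes the inet_aton-style host forms that curl and browsers accept (a single hex, decimal or octal integer, or mixed dotted parts) back to dot-decimal before signature matching, so the hex-IP C2 URL quoted above resolves to the same host a dot-decimal signature lists. The defanged-URL handling and the host_matches helper are assumptions for illustration.

```python
import re
from ipaddress import IPv4Address
from urllib.parse import urlsplit

# Besides dot-decimal, curl and browsers accept IPv4 literals written as one
# hexadecimal, decimal or octal integer (0x2763da4e, 660855374, 04730755116)
# or as mixed dotted forms (0x27.0x63.0xda.0x4e, 39.99.0xda4e), inet_aton style.

def _parse_part(part: str) -> int:
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
        return int(part, 16)
    if re.fullmatch(r"0[0-7]+", part):
        return int(part, 8)
    if re.fullmatch(r"[0-9]+", part):
        return int(part, 10)
    raise ValueError(part)

def normalize_ipv4_host(host: str):
    """Return the dot-decimal form of any inet_aton-style IPv4 literal, else None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        vals = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    *lead, last = vals
    if any(v > 255 for v in lead):
        return None
    tail_bytes = 4 - len(lead)          # the last part fills the remaining bytes
    if last >= 1 << (8 * tail_bytes):
        return None
    value = 0
    for v in lead:
        value = (value << 8) | v
    value = (value << (8 * tail_bytes)) | last
    return str(IPv4Address(value))

def normalize_url(url: str) -> str:
    """Undo 'hxxp'/'[.]' defanging and rewrite an IPv4-literal host to dot-decimal."""
    live = url.replace("hxxp", "http").replace("[.]", ".")
    parts = urlsplit(live)
    canon = normalize_ipv4_host(parts.hostname or "")
    if canon is None:
        return live
    netloc = canon if parts.port is None else f"{canon}:{parts.port}"
    return parts._replace(netloc=netloc).geturl()
def host_matches(url: str, signature_host: str) -> bool:
    """Compare a URL's host to a dot-decimal signature after normalization."""
    return urlsplit(normalize_url(url)).hostname == signature_host
```

Run the signature comparison on normalized URLs rather than raw ones; a signature written as `39.99.218.78` then also catches `0x2763da4e` and the other equivalent spellings.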
ShellBot, aka PerlBot, is a well-known botnet that uses dictionary attacks to compromise servers that have weak SSH credentials. From there, the server endpoint is marshalled into action to deliver distributed denial-of-service (DDoS) attacks or drop payloads like cryptominers on infected machines.
"If ShellBot is installed, Linux servers can be used … for DDoS attacks against specific targets after receiving a command from the threat actor," ASEC explained. "Moreover, the threat actor could use various other backdoor features to install additional malware or launch different types of attacks from the compromised server."
To protect their organizations from ShellBot attacks, administrators should simply up their password hygiene game, using strong passwords and making sure to rotate their hardened credentials regularly.