ShellBot Uses Hex IPs to Evade Detection in Attacks on Linux SSH Servers


Oct 12, 2023 Newsroom


The threat actors behind ShellBot are leveraging IP addresses transformed into their hexadecimal notation to infiltrate poorly managed Linux SSH servers and deploy the DDoS malware.

“The overall flow remains the same, but the download URL used by the threat actor to install ShellBot has changed from a regular IP address to a hexadecimal value,” the AhnLab Security Emergency response Center (ASEC) said in a new report published today.

ShellBot, also known by the name PerlBot, is known to breach servers that have weak SSH credentials by means of a dictionary attack, with the malware used as a conduit to stage DDoS attacks and deliver cryptocurrency miners.


Developed in Perl, the malware uses the IRC protocol to communicate with a command-and-control (C2) server.

The latest set of observed attacks involving ShellBot has been found to install the malware using hexadecimal IP addresses (hxxp://0x2763da4e/, which corresponds to 39.99.218[.]78) in what's seen as an attempt to evade URL-based detection signatures.

“Due to the usage of curl for the download and its ability to support hexadecimal just like web browsers, ShellBot can be downloaded successfully on a Linux system environment and executed through Perl,” ASEC said.

The development is a sign that ShellBot continues to see steady use in launching attacks against Linux systems.

With ShellBot capable of being used to install additional malware or launch different types of attacks from the compromised server, it's recommended that users switch to strong passwords and periodically change them to resist brute-force and dictionary attacks.


The disclosure also comes as ASEC revealed that attackers are weaponizing abnormal certificates with unusually long strings for the Subject Name and Issuer Name fields in a bid to distribute information stealer malware such as Lumma Stealer and a variant of RedLine Stealer known as RecordBreaker.

“These types of malware are distributed via malicious pages that are easily accessible through search engines (SEO poisoning), posing a threat to a wide range of unspecified users,” ASEC said. “These malicious pages primarily use keywords related to illegal programs such as serials, keygens, and cracks.”
