A new campaign targeting poorly managed Linux SSH servers has been identified, deploying various strains of malware called ShellBot. The AhnLab Security Emergency Response Center (ASEC) reported that ShellBot, also known as PerlBot, is a DDoS bot malware developed in Perl, which typically uses the IRC protocol for communication with its C&C server.
According to ASEC, the malware is installed on servers with weak credentials by threat actors who use scanner malware to locate systems with open SSH port 22. They then employ a dictionary attack, utilizing a list of known SSH credentials to infiltrate the server and deploy the payload. Once installed, ShellBot uses the Internet Relay Chat (IRC) protocol to communicate with a remote server, enabling it to receive commands for DDoS attacks and data exfiltration.
The researchers identified three distinct versions of ShellBot: LiGhT’s Modded perlbot v2, DDoS PBot v2.0, and PowerBots (C) GohacK. The first two versions provide a range of DDoS attack commands using HTTP, TCP, and UDP protocols. PowerBots, however, feature more backdoor-like capabilities, allowing reverse shell access and the uploading of arbitrary files from the compromised host.
This discovery follows a series of attacks three months ago, which utilized ShellBot to target Linux servers and distribute cryptocurrency miners through a shell script compiler. ASEC warned that when ShellBot is installed, Linux servers can be commandeered for DDoS attacks against specific targets at the threat actor’s command. Additionally, threat actors can exploit various backdoor features to install further malware or launch different attack types from the compromised server.
This development coincides with Microsoft’s disclosure of a steady rise in DDoS attacks aimed at healthcare organizations hosted on Azure, with daily attacks surging from 10-20 in November 2022 to 40-60 in February 2023.