Description

AhnLab Security Emergency response Center (ASEC) recently found a new malicious campaign that targeted poorly managed Linux SSH servers with different variants of ShellBot malware. ShellBot, also known as PerlBot, is a DDoS Bot malware written in Perl that communicates with the C&C server over the IRC protocol and it is an old malware used by threat actors to launch attacks against Linux systems for many years. As per researchers, initially, threat actors use scanner malware that verifies whether the system has SSH port 22 open or not, if it is open, the ShellBot malware is installed on the servers that have weak credentials. This includes the ability to receive commands that allows ShellBot to perform DDoS attacks and exfiltrate harvested information. Further, the three different malware variants found in the attacks are 'LiGhT's Modded perlbot v2' and 'DDoS PBot v2.0', and 'PowerBots (C) GohacK'. The first two variants allow threat actors to perform a variety of DDoS attack commands using HTTP, TCP, and UDP protocols. The third variant 'PowerBots (C) GohacK' comes with more backdoor-like capabilities to allow reverse shell access and upload arbitrary files from the compromised victim systems. Additionally, once ShellBot malware is installed on the system, the servers can be used as DDoS Bots for DDoS attacks, and its backdoor feature can be used by threat actors to install different malware to launch different attacks using the compromised server.