Pierluigi Paganini
March 21, 2023
AhnLab Security Emergency response Center (ASEC) discovered a new variant of the ShellBot malware that was employed in a campaign that targets poorly managed Linux SSH servers.
The ShellBot, also known as PerlBot, is a Perl-based DDoS bot that uses IRC protocol for C2 communications.
The ShellBot performs SSH bruteforce attacks on servers that have port 22 open, it uses a dictionary containing a list of known SSH credentials.
“The ShellBot malware strains that are going to be covered in this post are believed to have been installed after threat actors used account credentials that have been obtained through the use of scanners and SSH BruteForce malware on target systems.” reads the ASEC’s report. “After scanning systems that have operational port 22s, threat actors search for systems where the SSH service is active and uses a list of commonly used SSH account credentials to initiate their dictionary attack.”
Below is a list of the account credentials used by ShellBot operators to compromise the target servers:
| User | Password |
|---|---|
| deploy | password |
| hadoop | hadoop |
| oracle | oracle |
| root | 11111 |
| root | Passw0rd |
| ttx | ttx2011 |
| ubnt | ubnt |
The researchers categorized the ShellBot into three different groups since threat actors can create their own versions: LiGhT’s Modded perlbot v2, DDoS PBot v2.0, and PowerBots (C) GohacK.
LiGhT’s Modded perlbot v2 and DDoS PBot v2.0 supports multiple DDoS attack commands using HTTP, TCP, and UDP protocols. The PowerBots (C) GohacK supports backdoor features, including reverse shell and file downloading capabilities.
The researchers recommend using strong passwords for admin accounts and changing them periodically to protect the Linux server from brute force attacks and dictionary attacks. They also recommend keeping the servers up to date and using security programs.
“If ShellBot is installed, Linux servers can be used as DDoS Bots for DDoS attacks against specific targets after receiving a command from the threat actor. Moreover, the threat actor could use various other backdoor features to install additional malware or launch different types of attacks from the compromised server.” concludes the report.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, ShellBot)
