Experts warn on Mayhem shellshock attacks worldwide

The experts at The Malware Must Die detected numerous attack worldwide exploiting the Bash Bug flaw to spread the Mayhem botnet.

The researchers at Malware Must Die published a report warning of Mayhem Shellshock attack, the experts explained to have detected a significant number of Linux and UNIX systems infected by several IP addresses belonging to the Mayhem botnet.

The Malware Must Die report includes the list of IP addresses belonging to the botnet scanning for vulnerable machines, as well as the IP address of the machine used to serve the Mayhem installer, and the majority of these IP addresses are in the United States.

“If Mayhem botnet uses shellshock, and this is a very serious threat, please work and cooperate together in good coordination in order to stop the source of the threat,” the report said.

But let’s do a step back … in July a security team at Russian Internet firm Yandex has identified a botnet based on a malware dubbed Mayhem which was targeting Linux and FreeBSD web servers.

Mayhem isn’t unknown to the security community, it was first discovered in April 2014, and according to the experts at Yandex, and it is linked to the “Fort Disco” brute-force campaign uncovered by Arbor Networks in 2013 that compromised more than 6000 websites based on popular CMSs. Mayhem is considered a dangerous cyber threat, it has a modular structure which is able to load numerous payload to compromise targeted systems.

Mayhem bots try to compromise the targeted servers using a number of plug-ins specifically designed, once infected the victim it deploys a backdoor, though a PHP script that drops a malicious payload and wait for instructions from a command server.

The C&C server drops eight plug-ins which allow Mayhem bots to perform its activities like data syphoning, brute-force password cracking and searching for other servers vulnerable to remote file inclusion.

Unfortunately, cyber criminals have begun to scan the internet searching for machines vulnerable to to the Bash Bug flaw and exploit the vulnerability to serve the Mayhem malware.

Once the a scan detects a vulnerable paydirt, a new remote installer written in Perl, the malware was dropped onto vulnerable machines.

“The attack wave of “ELF .so malware library”, an installer of a known botnet called as “Mayhem” just hit all of us. The attack came from various IP of their botnet into many NIX services, utilizing the shellshock web vulnerability scan method to download the remote installer written in Perl (replacing the previous PHP base infection). It is obviously a new different vector for Mayhem infection, we start calling it as Mayhem Shellshock version of attack.” reported the report from The Malware Must Die.

The BashBug is very insidious due to the impressive number of vulnerable machines and IoT devices exposed on the Internet, it is necessary to protect vulnerable devices applying the necessary patches and protecting the network from such type of scanning activities, many other botnet lile Mayhem could be involved in further similar attacks.

Pierluigi Paganini

(Security Affairs –  Mayhem botnet, BashBug)