Shellbot Botnet Targets IoT devices and Linux servers

Security experts at Trend Micro have spotted an IRC bot dubbed Shellbot that was built using Perl Shellbot.

The malware was distributed by a threat group called Outlaw, it was able to target Linux and Android devices, and also Windows systems.

“We uncovered an operation of a hacking group, which we’re naming “Outlaw” (translation derived from the Romanian word haiduc, the hacking tool the group primarily uses), involving the use of an IRC bot built with the help of Perl Shellbot.” reads the analysis published by TrendMicro.

“The group distributes the bot by exploiting a common command injection vulnerability on internet of things (IoT) devices and Linux servers. Further research indicates that the threat can also affect Windows-based environments and even Android devices.”

In recent attacks, hackers compromised FTP servers of a Japanese art institution and a Bangladeshi government site. The attackers linked compromised servers to a high availability cluster to host an IRC bouncer and control the botnet.

The bot was previously distributed via an exploit targeting the ShellShock flaw, in October experts from  IBM observed the bot being spread through the Drupalgeddon2 vulnerability,

In the last series of attacks analyzed by Trend Micro, threat actors leveraged previously brute-forced or compromised hosts to distribute the threat and target Ubuntu and Android devices.

The analysis of command and control (C&C) traffic allowed the security researchers finding the IRC channels’ information and discovered that at the first infection 142 hosts were present in the IRC channel.

The Shellbot backdoor is controlled by the IRC channel’s administrator that can instruct it to perform various activities, including a port scan, several types of distributed denial of service (DDoS), download a file, get information about the infected system.

The attack chain starts with the malware running a command on the target, to verify that it accepts commands from the command-line interface (CLI). The malicious code changes the working directory to “/tmp” and downloads a payload and run it with the Perl interpreter. The payload is removed in the final step and no trace remains on the attacked system.

“During the traffic monitoring, several identities such as luci, lucian, dragos, mazy, hydra, and poseidon were spotted in IRC communication channels.”

“These identities were also found as usernames on a compromised Japanese server. This server seemed to have a certain importance as it was also used to distribute an early version of this N3-Shellbot.”

Researchers were able to get downloads of the files that the threat actors used. The experts used the credentials from one of the commands injected into the honeypots, they noticed the files’ contents often changed on the server and modification, deletion and addition of files mostly happened during daytime in Central European Time/CET.

Further details were reported in the analysis published by TrendMicro.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Shellbot, bot)

[adrotate banner=”5″]

[adrotate banner=”13″]