Poorly managed Linux servers are the target of new ShellBot DDoS malware variants.

A recent campaign that uses various varieties of the virus named ShellBot targets poorly maintained Linux SSH servers.

In a study, AhnLab Security Emergency response Center (ASEC) stated that ShellBot, also known as PerlBot, is a DDoS Bot virus created in Perl and often uses IRC protocol to connect with the C&C server.

Threat actors use scanner malware to find computers that have SSH port 22 open before installing ShellBot on servers with weak passwords.

A dictionary attack is launched using a list of known SSH credentials to compromise the server and release the payload, and it then makes use of the Internet Relay Chat (IRC) protocol to connect to a remote server.

This includes ShellBot’s capacity to take instructions and execute DDoS assaults while also leaking information that has been collected.

The first two of these ShellBot variants, LiGhT’s Modded Perlbot v2 and DDoS PBot v2.0, as well as PowerBots (C) GohacK, give a variety of DDoS attack commands using HTTP, TCP, and UDP protocols, according to ASEC.

But, PowerBots has more backdoor-like features that allow it to grant reverse shell access and upload any file from the compromised server.

Over three months after ShellBot was used in assaults against Linux servers and cryptocurrency miners were spread via a shell script compiler, the findings were made.

According to ASEC, Linux machines that have ShellBot installed may be used as DDoS Bots to launch DDoS attacks against certain targets in response to commands from threat actors.
Additionally, the threat actor might employ a number of additional backdoor features to add new malware or launch various types of assaults from the hacked server.

The change coincides with Microsoft’s disclosure of a progressive rise in DDoS assaults against Azure-hosted healthcare companies, from 10 to 20 in November 2022 to 40 to 60 per day in February 2023.

Share now