Monday, October 23, 2023

ShellBot Cracks Linux SSH Servers, Debuts New Evasion Tactic



Cyberattackers are targeting Linux SSH servers with the ShellBot malware, and they have a new method for hiding their activity: using hexadecimal IP (Hex IP) addresses to evade behavior-based detection.

According to researchers at the AhnLab Security Emergency Response Center (ASEC), the threat actors are translating the familiar "dot-decimal" command-and-control URL format (i.e., hxxp://39.99.218[.]78) into a Hex IP address format (such as hxxp://0x2763da4e/), which most URL-based detection signatures won't parse or flag.

“IP addresses may be expressed in formats other than the dot-decimal notation, including decimal and hexadecimal notations, and are typically compatible with widely used Web browsers,” according to the ASEC advisory on the Hex IP attacks. “Due to the usage of curl for the download and its ability to support hexadecimal just like Web browsers, ShellBot may be downloaded successfully on a Linux system environment and executed through Perl.”
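A detection-side counterpart to the notation trick described above, as an added example that is not from the ASEC advisory or the original article: it canonicalizes a URL's host to dotted-decimal before comparing it with an indicator list. It goes beyond the hex case in the text and also covers the decimal, octal and mixed `inet_aton`-style forms; the function names and the one-entry `BLOCKLIST` (built from the address quoted in the article) are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed indicator list holding the dot-decimal address quoted in the article.
BLOCKLIST = {"39.99.218.78"}

def parse_part(part):
    """Parse one component as inet_aton does: 0x.. hex, leading-0 octal, else decimal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
        return int(part, 16)
    if re.fullmatch(r"0[0-7]*", part):
        return int(part, 8)
    if re.fullmatch(r"[1-9][0-9]*", part):
        return int(part, 10)
    return None  # not a numeric component (e.g. a DNS label)

def canonical_ipv4(host):
    """Return dotted-decimal for any inet_aton-style IPv4 literal, else None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    nums = [parse_part(p) for p in parts]
    if any(n is None for n in nums):
        return None
    # Leading parts are single bytes; the last part fills all remaining bytes.
    *head, last = nums
    if any(n > 0xFF for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def normalize_url_host(url):
    """Refang a defanged URL and return its host in canonical form."""
    refanged = url.replace("[.]", ".").replace("hxxp", "http", 1)
    host = urlsplit(refanged).hostname or ""
    return canonical_ipv4(host) or host

def is_blocked(url):
    """Match on the canonical host so every notation hits the same indicator."""
    return normalize_url_host(url) in BLOCKLIST
```

Running the same normalization over proxy logs or command-line telemetry before signature matching means a single dot-decimal indicator covers every alternate spelling of the address.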

ShellBot, aka PerlBot, is a well-known botnet that uses dictionary attacks to compromise servers that have weak SSH credentials. From there, the server endpoint is marshalled into action to deliver distributed denial-of-service (DDoS) attacks or drop payloads like cryptominers on infected machines.

“If ShellBot is installed, Linux servers can be used … for DDoS attacks against specific targets after receiving a command from the threat actor,” ASEC explained. “Moreover, the threat actor might use various other backdoor features to install additional malware or launch different types of attacks from the compromised server.”

To protect their organizations from ShellBot attacks, administrators should simply up their password hygiene game, using strong passwords and making sure to rotate their hardened credentials regularly.
