Poorly managed Linux SSH servers are being targeted as part of a new campaign that deploys different variants of a malware called ShellBot.
“ShellBot, also known as PerlBot, is a DDoS Bot malware developed in Perl and characteristically uses IRC protocol to communicate with the C&C server,” AhnLab Security Emergency response Center (ASEC) said in a report.
ShellBot is installed on servers that have weak credentials, but only after threat actors make use of scanner malware to identify systems that have SSH port 22 open.
A list of known SSH credentials is used to initiate a dictionary attack to breach the server and deploy the payload, after which it uses the Internet Relay Chat (IRC) protocol to communicate with a remote server.
This encompasses the ability to receive commands that allows ShellBot to carry out DDoS attacks and exfiltrate harvested information.
ASEC said it identified three different ShellBot versions – LiGhT’s Modded perlbot v2, DDoS PBot v2.0, and PowerBots (C) GohacK – the first two of which offer a variety of DDoS attack commands using HTTP, TCP, and UDP protocols.
PowerBots, on the other hand, comes with more backdoor-like capabilities to grant reverse shell access and upload arbitrary files from the compromised host.
The findings come nearly three months after ShellBot was employed in attacks aimed at Linux servers that also distributed cryptocurrency miners via a shell script compiler.
“If ShellBot is installed, Linux servers can be used as DDoS Bots for DDoS attacks against specific targets after receiving a command from the threat actor,” ASEC said. “Moreover, the threat actor could use various other backdoor features to install additional malware or launch different types of attacks from the compromised server.”
The development also comes as Microsoft revealed a gradual increase in the number of DDoS attacks targeting healthcare organizations hosted in Azure, surging from 10-20 attacks in November 2022 to 40-60 attacks daily in February 2023.