The individuals responsible for ShellBot use IP addresses in hexadecimal notation to gain access to poorly managed Linux SSH servers and implement the DDoS malware.
According to a recent report from the AhnLab Security Emergency Response Center (ASEC), the general process remains unchanged, but the download URL used by these threat actors to install ShellBot has shifted from a regular IP address to a hexadecimal value.
ShellBot, also known as PerlBot, is notorious for infiltrating servers with weak SSH credentials through dictionary attacks. The malware serves as a conduit for executing DDoS attacks and deploying cryptocurrency miners.
This malicious software, encoded in Perl, uses the IRC protocol to communicate with a Command-and-Control (C2) server.
In the recent series of observed ShellBot attacks, the malware is installed using hexadecimal IP addresses, for example, hxxp://0x2763da4e/, which corresponds to 39.99.218[.]78. This tactic appears to be an attempt to evade URL-based detection signatures.
ASEC found that due to the use of the “curl” tool for downloading, which supports hexadecimal values just like web browsers, ShellBot can be successfully downloaded on a Linux system and executed via Perl.
This development underscores that ShellBot continues to be a popular choice for attacks against Linux systems.
Because of ShellBot’s ability to install additional malware or execute various types of attacks from the compromised server, it is strongly recommended to use strong passwords and regularly update them to resist brute force and dictionary attacks.
ASEC also revealed that attackers are using unusual certificates with exceptionally long character strings for the “Subject Name” and “Issuer Name” fields to distribute information-stealing malware like Lumma Stealer and a variant of RedLine Stealer called RecordBreaker.
“This type of malware is distributed through malicious sites easily accessible through search engines (SEO poisoning) and poses a threat to a wide range of unsuspecting users,” ASEC warned. “These malicious sites primarily use keywords related to illegal software such as serial numbers, keygens, and cracks.”