Posted on March 22, 2023 at 5:52 PM
Malware targets poorly managed Linux SSH servers
Poorly managed Linux SSH servers are being targeted in a new hacking campaign that deploys multiple variants of the malware known as ShellBot.
Malware targets mismanaged Linux SSH servers
The AhnLab Security Emergency Response Center (ASEC) has released a report stating that ShellBot is used to launch distributed denial-of-service (DDoS) attacks. ShellBot, also known as PerlBot, is written in Perl.
The bot uses the IRC protocol to communicate with its command-and-control (C&C) server. ShellBot has been installed on many servers whose credentials were too weak to keep threat actors out.
The attackers run a dictionary attack against SSH, cycling through lists of credentials until the server is breached; the working credentials are then used to deploy the payload. The threat actors then use the Internet Relay Chat (IRC) protocol to communicate with a remote server.
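The weak-credential problem the report describes is usually a configuration problem on the server side. As an added illustration (not code from the ASEC report or from any project it names), the following Python audits an sshd_config text against the handful of directives that decide whether a password dictionary attack is even possible, and shows a constructed weak configuration beside a hardened one. The OpenSSH defaults listed are those documented in sshd_config(5); the MaxAuthTries ceiling of 4 is an assumption chosen for this example.

```python
import re

# OpenSSH defaults that apply when a directive is absent (per sshd_config(5)).
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
    "pubkeyauthentication": "yes",
}
MAX_AUTH_TRIES_CEILING = 4  # assumed ceiling for this example


def parse_sshd_config(text):
    """Return {lowercase keyword: value} for the global directives.

    Parsing stops at the first Match block, because directives inside it apply
    only to the matching users/hosts. sshd honours the first occurrence of a
    repeated directive, so later duplicates are ignored here as well.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return a list of (directive, effective value, recommendation) findings."""
    cfg = parse_sshd_config(text)

    def effective(key):
        return cfg.get(key, DEFAULTS[key]).lower()

    findings = []
    if effective("passwordauthentication") == "yes":
        findings.append(("PasswordAuthentication", effective("passwordauthentication"),
                         "set to 'no'; password logins are what a dictionary attack guesses"))
    if effective("permitrootlogin") == "yes":
        findings.append(("PermitRootLogin", effective("permitrootlogin"),
                         "set to 'no' or 'prohibit-password'"))
    if effective("permitemptypasswords") == "yes":
        findings.append(("PermitEmptyPasswords", effective("permitemptypasswords"),
                         "set to 'no'"))
    try:
        tries = int(effective("maxauthtries"))
    except ValueError:
        tries = int(DEFAULTS["maxauthtries"])
    if tries > MAX_AUTH_TRIES_CEILING:
        findings.append(("MaxAuthTries", str(tries),
                         f"lower to {MAX_AUTH_TRIES_CEILING} or less to slow guessing per connection"))
    if effective("pubkeyauthentication") != "yes":
        findings.append(("PubkeyAuthentication", effective("pubkeyauthentication"),
                         "set to 'yes' so key-based logins can replace passwords"))
    return findings


# Constructed sample: a poorly managed server.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
MaxAuthTries 10
"""

# Constructed sample: the same server after hardening.
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
MaxAuthTries 3
Match User backup
    AllowTcpForwarding no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"{name}: {len(audit_sshd_config(cfg))} finding(s)")
        for directive, value, advice in audit_sshd_config(cfg):
            print(f"  {directive}={value}: {advice}")
```

Note that an empty configuration is not safe: with no directives at all, OpenSSH's defaults still allow password authentication, so the audit reports it.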
“The IRC Bot installed on the infected system accesses an IRC server’s channel designated by the threat actor according to the IRC protocol, after which it transmits stolen information to the specified channel, or when the attacker enters a particular string, receives this as a command and performs the corresponding malicious behavior,” the report said.
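The dictionary attack that precedes the bot's installation leaves a recognisable trail in the SSH daemon's authentication log: a burst of failed password logins from one source, often across several usernames, and then an accepted password from the same source. The following Python is an added detection example (not part of the ASEC report) that parses constructed sshd log lines in the standard syslog format, flags sources that exceed a failure threshold within a time window, and records any password login that succeeded from a source already flagged, since that is the moment the payload can be deployed. The threshold, window and sample addresses (RFC 5737 documentation ranges) are assumptions for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the "Failed password for ..." / "Accepted publickey for ..." lines sshd writes.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_events(lines, year=2023):
    """Return (timestamp, result, method, user, ip) tuples sorted by time.

    Syslog timestamps carry no year, so one is supplied by the caller.
    Lines that are not login results (e.g. pam_unix session lines) are skipped.
    """
    events = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    events.sort()
    return events


def detect_dictionary_attacks(lines, fail_threshold=5, window_seconds=600):
    """Return {ip: finding} for sources whose failures look like a dictionary attack.

    A finding records the peak number of failures inside the window, the set of
    usernames tried, and any password logins accepted after the source was flagged.
    """
    recent = defaultdict(list)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)     # ip -> usernames attempted
    findings = {}
    for ts, result, method, user, ip in parse_events(lines):
        # Age out failures older than the window before evaluating this event.
        recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= window_seconds]
        if result == "Failed":
            recent[ip].append(ts)
            users[ip].add(user)
            if len(recent[ip]) >= fail_threshold:
                f = findings.setdefault(ip, {"failures": 0, "users": set(), "compromised": []})
                f["failures"] = max(f["failures"], len(recent[ip]))
                f["users"] = set(users[ip])
        elif result == "Accepted" and method == "password" and ip in findings:
            # A guessed password succeeded: treat this account as compromised.
            findings[ip]["compromised"].append((user, ts.isoformat()))
    return findings


# Constructed sample log: one guessing source that eventually succeeds,
# and one legitimate user who mistyped once and then used a key.
SAMPLE_AUTH_LOG = """\
Mar 22 17:40:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 22 17:40:02 web1 sshd[2103]: Failed password for invalid user oracle from 203.0.113.7 port 51236 ssh2
Mar 22 17:40:03 web1 sshd[2105]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar 22 17:40:04 web1 sshd[2107]: Failed password for invalid user test from 203.0.113.7 port 51240 ssh2
Mar 22 17:40:05 web1 sshd[2109]: Failed password for root from 203.0.113.7 port 51242 ssh2
Mar 22 17:40:06 web1 sshd[2111]: Accepted password for root from 203.0.113.7 port 51244 ssh2
Mar 22 17:41:10 web1 sshd[2150]: Failed password for deploy from 198.51.100.4 port 40010 ssh2
Mar 22 17:41:15 web1 sshd[2152]: Accepted publickey for deploy from 198.51.100.4 port 40012 ssh2: ED25519 SHA256:constructedfingerprint
Mar 22 17:41:20 web1 sshd[2154]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
"""

if __name__ == "__main__":
    for ip, finding in detect_dictionary_attacks(SAMPLE_AUTH_LOG.splitlines()).items():
        print(ip, finding)
```

The "compromised" entries are the ones worth paging on: a flagged source that never logs in is noise to be rate-limited, but a flagged source followed by an accepted password is the point at which the report's next stage, installing the IRC bot, becomes possible.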
That malicious behavior includes DDoS attacks, which the attackers trigger by issuing commands to ShellBot. The attackers also exfiltrate information stolen from the victims.
According to ASEC, three ShellBot versions were identified in this campaign: LiGHT’s Model perlbot v2, DDoS PBot v2.0, and PowerBots (C) Gohack. The first two provide a variety of DDoS attack commands using the HTTP, TCP, and UDP protocols.
PowerBots comes with more backdoor-like features, offering reverse shell access and the ability to upload arbitrary files from the compromised host. The report comes around three months after ShellBot was used in attacks targeting Linux servers.
That earlier campaign also mined cryptocurrency on the victims’ devices without the knowledge or approval of their owners, distributing the malware together with crypto miners through a shell script compiler.
The ASEC report noted that once ShellBot is installed, the Linux servers are used as bots in a DDoS campaign, launching attacks against specific targets once they receive a command from the attacker.
ASEC added that the threat actor could also use the backdoor features to install additional malware on the compromised server and to launch further attacks originating from it.
Microsoft reports an increase in DDoS attacks
The ASEC report comes after Microsoft reported a significant increase in DDoS attacks targeting healthcare institutions that use Azure services. The number of attacks targeting these institutions has increased significantly from between 10 and 20 attacks in November last year to between 40 and 60 attacks in February this year.
An advisory by the US Cybersecurity and Infrastructure Security Agency (CISA) warned organizations about the increase in attacks. CISA partnered with the FBI to give organizations a response strategy that helps them avoid these attacks and mitigate them if they happen.
US authorities have singled out the KillNet hacking group. KillNet is a pro-Russian group that launches attacks against Western countries, targeting companies, governments, and the healthcare sector. The US Department of Health and Human Services (DHHS) also released an analyst note on the threat KillNet poses to the health sector.
KillNet relies on DDoS attacks for its campaigns. DDoS campaigns are easy to launch and rank as a low-cost way of disrupting online services and websites, which makes them a preferred tactic of hacktivist groups. DDoS attacks can also be launched anonymously, making them difficult to monitor.
The Microsoft report added that “by using DDoS scripts and stressers, recruiting botnets, and utilizing spoofed attack sources, KillNet could easily disrupt the online presence of websites and apps. KillNet attempted to evade DDoS mitigation strategies by changing their attack vectors, such as utilizing different layer 4 and layer 7 attack techniques and increasing the number of sources participating in the attack campaign.”