A new malware campaign is deploying ShellBot against poorly managed Linux SSH servers. ShellBot (also known as PerlBot) is a Perl-based DDoS bot that communicates with its command-and-control (C&C) server over the IRC protocol.
The operators first use scanner malware to find hosts exposing SSH on port 22, then run a dictionary attack against accounts with weak passwords and install ShellBot on the servers they break into.
Once installed, ShellBot joins an IRC channel and waits for commands to launch DDoS attacks or exfiltrate data from the host.
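The dictionary attack described above leaves a distinctive trace in the OpenSSH auth log: a burst of "Failed password" lines from one source, usually spread over many usernames, sometimes followed by an "Accepted password" line for the account that finally matched. The following detector is an added example written for this article, not code from ASEC or from the ShellBot campaign. The log lines are constructed in syslog format, and the threshold and window values are assumptions to be tuned per environment.

```python
"""Detect SSH dictionary attacks in OpenSSH auth logs (added example, not from the article's source)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (syslog format); the addresses are documentation ranges, not real hosts.
SAMPLE_AUTH_LOG = """\
Mar 10 04:12:01 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 10 04:12:03 web1 sshd[2212]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Mar 10 04:12:04 web1 sshd[2213]: Failed password for root from 203.0.113.7 port 51244 ssh2
Mar 10 04:12:06 web1 sshd[2214]: Failed password for invalid user test from 203.0.113.7 port 51250 ssh2
Mar 10 04:12:08 web1 sshd[2215]: Failed password for root from 203.0.113.7 port 51255 ssh2
Mar 10 04:12:09 web1 sshd[2216]: Failed password for invalid user ubuntu from 203.0.113.7 port 51260 ssh2
Mar 10 04:12:11 web1 sshd[2217]: Accepted password for root from 203.0.113.7 port 51266 ssh2
Mar 10 04:15:30 web1 sshd[2300]: Failed password for alice from 198.51.100.23 port 40022 ssh2
Mar 10 04:15:41 web1 sshd[2301]: Accepted publickey for alice from 198.51.100.23 port 40022 ssh2
"""

# Matches both "Failed password for invalid user X" and "Failed password for X" forms.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_events(log_text):
    """Return a list of (timestamp, ip, user, accepted, method) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Classic syslog lines carry no year; windows that straddle New Year would
        # mis-sort, so on real hosts prefer journald or ISO-8601 timestamps.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["result"] == "Accepted", m["method"]))
    return events


def detect_dictionary_attacks(log_text, threshold=5, window_seconds=60):
    """Flag sources with >= threshold failed logins inside window_seconds.

    A password login accepted from the same source after the burst starts is
    reported as a likely credential compromise rather than a mere attempt.
    """
    by_ip = defaultdict(list)
    for ev in parse_events(log_text):
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        failures = [e for e in evs if not e[3]]
        burst_start = None
        # Sliding window over consecutive failures: any `threshold` of them
        # packed into `window_seconds` counts as a burst.
        for i in range(len(failures) - threshold + 1):
            if (failures[i + threshold - 1][0] - failures[i][0]).total_seconds() <= window_seconds:
                burst_start = failures[i][0]
                break
        if burst_start is None:
            continue
        compromised = sorted(
            {e[2] for e in evs if e[3] and e[4] == "password" and e[0] >= burst_start}
        )
        findings[ip] = {
            "failed_attempts": len(failures),
            "distinct_users": len({e[2] for e in failures}),
            "password_success_after_burst": bool(compromised),
            "compromised_users": compromised,
        }
    return findings


if __name__ == "__main__":
    for ip, f in detect_dictionary_attacks(SAMPLE_AUTH_LOG).items():
        severity = "CRITICAL" if f["password_success_after_burst"] else "WARNING"
        print(f"{severity} {ip}: {f['failed_attempts']} failures across "
              f"{f['distinct_users']} users; compromised={f['compromised_users']}")
```

The distinct-user count is what separates a dictionary attack from a legitimate user mistyping a password: one account failing a few times is noise, many accounts failing from one address in seconds is the scanner-plus-dictionary pattern the campaign relies on. A successful password login from the same address after the burst is the point at which ShellBot gets installed, so that is the event to page on.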
AhnLab Security Emergency response Center (ASEC) identified three versions of ShellBot, all offering DDoS attack commands over HTTP, TCP, and UDP. The PowerBots version additionally has backdoor-like capabilities: it can open a reverse shell and upload arbitrary files from the compromised host to the attacker.
ShellBot was also dropped alongside cryptocurrency miners in earlier attacks on Linux servers, where the downloader was packed with the Shell Script Compiler (SHC).
Linux servers with ShellBot installed can be used as DDoS bots for targeted attacks. ASEC warns that threat actors can use the malware's backdoor features to install additional malware or launch different types of attacks. Microsoft has also reported a rise in DDoS attacks targeting healthcare organizations hosted in Azure.
Because the initial access is nothing more than password guessing against an exposed port, the defence is correspondingly simple: manage Linux SSH servers properly, use strong credentials, and preferably disable password authentication in favour of key-based logins. Restricting root login, limiting which users may log in over SSH, and watching the auth log for bursts of failed logins close off the rest of the entry path.
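The settings that decide whether a dictionary attack can succeed at all live in sshd_config. The audit below is an added example written for this article, not a tool from ASEC or the OpenSSH project; it shows a permissive configuration beside a hardened one and checks the global section the way sshd reads it, where the first value for a keyword wins and anything under a Match block applies only conditionally. The two configurations are constructed, and the default values are those documented in sshd_config(5) for current OpenSSH; the MaxAuthTries limit of 4 is an assumed policy choice.

```python
"""Audit sshd_config for the settings a password-guessing campaign relies on (added example)."""

# Constructed example of a permissive sshd_config, not taken from any real host.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
MaxAuthTries 10
"""

# Constructed hardened counterpart: keys only, no root over SSH, few tries, explicit allow-list.
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
AllowUsers deploy
"""

# keyword -> (acceptable values, value sshd uses when the keyword is absent).
# Defaults as documented in sshd_config(5); KbdInteractiveAuthentication also
# covers password guessing via PAM and must be off as well.
CHECKS = {
    "permitrootlogin": ({"no", "prohibit-password"}, "prohibit-password"),
    "passwordauthentication": ({"no"}, "yes"),
    "kbdinteractiveauthentication": ({"no"}, "yes"),
    "permitemptypasswords": ({"no"}, "no"),
}
MAX_AUTH_TRIES_LIMIT = 4  # assumed policy ceiling; sshd's own default is 6


def parse_global_section(text):
    """Return {keyword: value} for the global section, applying sshd's rules.

    Keywords are case-insensitive, the first occurrence of a keyword wins, and
    parsing stops at the first Match block because those lines are conditional.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return a list of (keyword, effective_value, source) for every weak setting."""
    settings = parse_global_section(text)
    findings = []
    for key, (ok_values, default) in CHECKS.items():
        explicit = key in settings
        value = settings[key] if explicit else default
        if value not in ok_values:
            findings.append((key, value, "explicit" if explicit else "default"))
    raw_tries = settings.get("maxauthtries")
    try:
        tries = int(raw_tries) if raw_tries is not None else 6
    except ValueError:
        tries = None
    if tries is None or tries > MAX_AUTH_TRIES_LIMIT:
        findings.append(("maxauthtries", raw_tries if raw_tries is not None else "6",
                         "explicit" if raw_tries is not None else "default"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"{name}: {audit_sshd_config(cfg) or 'no findings'}")
```

The "default" source tag matters in practice: a config that never mentions PasswordAuthentication is still accepting passwords, which is exactly the state of a freshly installed server. Run the audit against `sshd -T` output rather than the file when Include directives are in use, since that prints the effective configuration after all includes are resolved.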