Perlbot

Malware Profile (updated 3 months ago)
PerlBot, also known as ShellBot, is a Distributed Denial of Service (DDoS) bot written in Perl. It targets poorly managed Linux SSH servers, gaining access primarily through dictionary attacks against weak SSH credentials, and uses the IRC protocol for Command and Control (C2) communications. Once installed, it can be used to steal information, disrupt operations, and potentially hold data hostage. The malware can reach systems through suspicious downloads, emails, or websites without the user's knowledge. Researchers at AhnLab Security Emergency Response Center (ASEC) have categorized PerlBot into three distinct groups: LiGhT's Modded perlbot v2, DDoS PBot v2.0, and PowerBots (C) GohacK. All three support multiple DDoS attack commands over the HTTP, TCP, and UDP protocols. In March 2023, ASEC disclosed that mismanaged Linux SSH servers were being targeted by these new ShellBot strains, leading to a significant increase in attacks. According to Fortinet FortiGuard Labs, exploitation of CVE-2022-46169 and CVE-2021-35394 has also been observed as a delivery vector for PerlBot; both carry a CVSS score of 9.8, reflecting their severity and potential impact. To mitigate the risk associated with PerlBot, organizations are advised to manage their Linux SSH servers properly, keep software up to date, and implement robust security measures.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
Shellbot | 2 | ShellBot is a malicious software (malware) that has been targeting poorly managed Linux SSH servers. The malware, which was detected in multiple variants, is primarily being used to carry out distributed denial-of-service (DDoS) attacks. ShellBot exploits the Cacti bug and uses it as a primary lever
Light's Modded Perlbot V2 | 1 | None
Ddos Pbot v2.0 | 1 | On March 22, 2023, mismanaged Linux SSH servers were targeted by a novel attack campaign involving the distribution of three new strains of the ShellBot DDoS bot malware, including PowerBots GohacK, LiGhT's Modded perlbot v2, and DDoS PBot v2.0, as reported by The Hacker News. These attacks were esp
Light’s Modded Perlbot V2 | 1 | None
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ddos
Malware
Linux
Fortiguard
Botnet
SSH
Associated Malware
ID | Type | Votes | Profile Description
Modded Perlbot V2 | Unspecified | 1 | Modded perlbot v2 is a strain of the ShellBot DDoS bot malware, part of a new attack campaign targeting mismanaged Linux SSH servers that was uncovered on March 22, 2023. This campaign involved three different strains: PowerBots GohacK, LiGhT's Modded perlbot v2, and DDoS PBot v2.0. These malicious
Moobot | Unspecified | 1 | Moobot is a malicious software (malware) that has been causing significant disruption in the digital world. The malware, which can infiltrate systems through various methods such as suspicious downloads, emails, or websites, is known for its capability to steal personal information, disrupt operatio
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2022-46169 | Unspecified | 1 | CVE-2022-46169 is a critical pre-authentication command injection vulnerability discovered in the Cacti network operations framework. This flaw, which existed in all versions of Cacti up to 1.2.22, could be exploited by threat actors to deliver malware, thereby compromising the security of systems u
CVE-2021-35394 | Unspecified | 1 | The CVE-2021-35394 vulnerability, a flaw in the software design or implementation of Realtek Jungle SDK, has seen significant exploitation by threat actors. From August to October 2022, the number of attacks attempting to exploit this remote code execution vulnerability accounted for more than 40% o
Source Document References
Information about the Perlbot malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | 9 months ago | ShellBot Cracks Linux SSH Servers, Debuts New Evasion Tactic
Securityaffairs | a year ago | Moobot botnet spreads by targeting Cacti and RealTek flaws
CERT-EU | a year ago | Shell DDoS Malware Attacks Poorly Managed Linux SSH Servers
CERT-EU | a year ago | Links 21/03/2023: JDK 20 and GNOME 43.5
CERT-EU | a year ago | Cacti, Realtek, and IBM Aspera Faspex Vulnerabilities Under Active Exploitation
CERT-EU | a year ago | Beware bad passwords as attackers co-opt Linux servers into cybercrime
CERT-EU | a year ago | New .NET developer-targeted attack leverages malicious NuGet packages
Securityaffairs | a year ago | New ShellBot bot targets poorly managed Linux SSH Servers