Shellbot

Malware Profile Updated 3 months ago
ShellBot (also tracked as PerlBot) is a Perl-based DDoS bot that targets poorly managed Linux SSH servers and has been observed in multiple variants. Its main purpose is to turn compromised hosts into bots for distributed denial-of-service (DDoS) attacks, but once installed it can also fetch and run additional malware or launch other types of attacks from the infected server.

The usual infection chain starts with a dictionary attack against hosts exposing SSH (port 22), using lists of common credentials. After a successful login the operators drop the payload, and the bot then connects to an Internet Relay Chat (IRC) server that serves as its command-and-control (C2) channel. The same intrusions have been seen to deploy, alongside ShellBot, the Tsunami DDoS bot, log cleaners, privilege-escalation tools and an XMRig (Monero) coin miner, so compromised servers are used for unauthorized cryptocurrency mining as well as DDoS.

ShellBot has also been spread through exploitation of exposed services rather than weak SSH credentials. Since January 2023, botnet campaigns have attempted to spread ShellBot and Moobot by exploiting the Cacti command injection bug (CVE-2022-46169) and the Realtek Jungle SDK remote code execution flaw (CVE-2021-35394); in April 2023, FortiGuard Labs researchers observed a campaign targeting exactly these two vulnerabilities to propagate ShellBot and Moobot. ShellBot has additionally been linked with other DDoS malware such as Tsunami.

The threat actors behind these campaigns are suspected to be Romanian, possibly connected with the 'Outlaw APT' group and other operators of Perl Shellbot, and are also believed to be involved in the development and sale of cyber weapons.
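The infection chain above starts with an SSH dictionary attack, so the first detection opportunity is the server's own authentication log. The following Python script is an added example written for this profile, not code from ShellBot or from any vendor report: it parses standard OpenSSH "Failed password" / "Accepted password" (and publickey) lines, flags a source IP that accumulates `threshold` failures inside a sliding `window`, and escalates the verdict to "compromise" when an accepted login from the same IP follows such a run, which is exactly the transition from dictionary attack to payload deployment described above. The host name, IP addresses, usernames and log lines are constructed sample data, and the window and threshold values are illustrative assumptions.

```python
"""Flag SSH dictionary attacks and the successful logins that follow them.

Added example for this profile (not ShellBot code): the input is standard
OpenSSH auth-log lines; all sample data below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Standard OpenSSH auth lines, e.g.
#   Mar 22 10:15:00 srv sshd[9981]: Failed password for invalid user admin from 203.0.113.7 port 41000 ssh2
#   Mar 22 10:16:10 srv sshd[9981]: Accepted password for root from 203.0.113.7 port 41020 ssh2
_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_line(line):
    """Return a dict for an auth result line, or None for anything else."""
    m = _LINE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; only differences between them matter here
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted",
            "user": m["user"], "ip": m["ip"]}


def analyze(lines, window=timedelta(minutes=5), threshold=10):
    """Group auth events by source IP and return findings for IPs that look
    like dictionary attacks. verdict is 'brute_force' when `threshold`
    failures fall inside `window`, and 'compromise' when an accepted login
    from the same IP arrives after at least `threshold` failures."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        fails = [e["ts"] for e in evs if not e["ok"]]
        # sliding window over the sorted failure timestamps
        brute, start = False, 0
        for end in range(len(fails)):
            while fails[end] - fails[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                brute = True
                break
        if not brute:
            continue
        verdict = "brute_force"
        accepted = [e for e in evs if e["ok"]]
        for a in accepted:
            if sum(1 for t in fails if t <= a["ts"]) >= threshold:
                verdict = "compromise"  # success after the dictionary run
                break
        findings[ip] = {
            "verdict": verdict,
            "failures": len(fails),
            "usernames_tried": sorted({e["user"] for e in evs if not e["ok"]}),
            "accepted_users": sorted({a["user"] for a in accepted}),
        }
    return findings


def _sample_log():
    """Constructed auth-log excerpt: one noisy attacker, one benign user who
    mistypes a password, and one clean key-based login (addresses are from
    the RFC 5737 documentation ranges)."""
    users = ["admin", "oracle", "test", "ubuntu", "pi", "user",
             "guest", "git", "postgres", "ftp", "deploy", "root"]
    lines = []
    for i, u in enumerate(users):
        who = u if u == "root" else f"invalid user {u}"
        lines.append(f"Mar 22 10:15:{i * 5:02d} srv sshd[9981]: Failed password "
                     f"for {who} from 203.0.113.7 port {41000 + i} ssh2")
    lines.append("Mar 22 10:16:10 srv sshd[9981]: Accepted password for root "
                 "from 203.0.113.7 port 41020 ssh2")
    lines += [
        "Mar 22 10:20:01 srv sshd[9990]: Failed password for alice from 198.51.100.9 port 50001 ssh2",
        "Mar 22 10:20:05 srv sshd[9990]: Failed password for alice from 198.51.100.9 port 50001 ssh2",
        "Mar 22 10:20:09 srv sshd[9990]: Accepted password for alice from 198.51.100.9 port 50001 ssh2",
        "Mar 22 10:21:00 srv sshd[9991]: Accepted publickey for bob from 192.0.2.10 port 50100 ssh2",
    ]
    return lines


SAMPLE_LOG = _sample_log()

if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(ip, info)
```

On a real host the same function can be fed the output of `journalctl -u ssh` or the contents of `/var/log/auth.log`; sshd only prefixes "invalid user" for accounts that do not exist, so the optional group in the pattern is what lets both forms through. The threshold is deliberately high so that a user fumbling a password twice, as with the second address in the sample, is not reported.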
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Name | Votes | Profile Description
Moobot | 3 | Moobot is malicious software (malware) that has been causing significant disruption in the digital world. The malware, which can infiltrate systems through various methods such as suspicious downloads, emails, or websites, is known for its capability to steal personal information, disrupt operatio
Tsunami | 2 | The "Tsunami" malware, malicious software designed to exploit and damage computer systems, has caused significant cybersecurity disruptions globally. This malware, whose variants include xmrigDeamon, Bioset, dns3, xmrigMiner, docker-update, dns, 64[watchdogd], 64bioset, 64tshd, armbioset, armdns,
Perlbot | 2 | PerlBot, also known as ShellBot, is harmful malware developed using the Perl programming language. This Distributed Denial of Service (DDoS) bot is designed to exploit poorly managed Linux SSH servers, primarily through dictionary attacks on weak SSH credentials. It uses the IRC protocol for Comma
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Fortiguard
Malware
Vulnerability
Linux
Payload
Ddos
Backdoor
Botnet
SSH
Curl
Downloader
Exploit
Apt
Bot
Romanian
Associated Malware
Name | Type | Votes | Profile Description
Xmrig Coinminer | Unspecified | 2 | XMRig CoinMiner is a type of malware that has been identified as part of a wave of attacks on poorly managed Linux SSH servers. These attacks, often conducted by threat actors installing multiple malware families, have been observed to include other harmful software such as ShellBot, Tsunami, and Ch
Xmrig | Unspecified | 2 | XMRig is a type of malware that is particularly harmful to computer systems and devices. It infiltrates the system through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold your data hostage for
Modded Perlbot V2 | Unspecified | 2 | Modded perlbot v2 is a strain of the ShellBot DDoS bot malware, part of a new attack campaign targeting mismanaged Linux SSH servers that was uncovered on March 22, 2023. This campaign involved three different strains: PowerBots GohacK, LiGhT's Modded perlbot v2, and DDoS PBot v2.0. These malicious
Ddos Pbot v2.0 | Unspecified | 2 | On March 22, 2023, mismanaged Linux SSH servers were targeted by a novel attack campaign involving the distribution of three new strains of the ShellBot DDoS bot malware, including PowerBots GohacK, LiGhT's Modded perlbot v2, and DDoS PBot v2.0, as reported by The Hacker News. These attacks were esp
Chinaz Ddos Bot | Unspecified | 1 | (no description)
Kaiten | Unspecified | 1 | Kaiten, also known as Tsunami, is a malware variant that operates as a Distributed Denial of Service (DDoS) bot and an IRC bot. It targets vulnerable Internet of Things (IoT) devices and poorly protected Linux SSH servers, often being distributed alongside other DDoS bots like Mirai and Gafgyt. The
Associated Threat Actors
Name | Type | Votes | Profile Description
Toddycat | Unspecified | 1 | ToddyCat is a sophisticated Advanced Persistent Threat (APT) actor, likely Chinese-speaking, that has been active since at least December 2020. It primarily operates in Asia, targeting government entities in Malaysia, Thailand, and Pakistan. In 2022, Kaspersky reported finding ToddyCat actors using
Associated Vulnerabilities
Name | Type | Votes | Profile Description
CVE-2022-46169 | Unspecified | 3 | CVE-2022-46169 is a critical pre-authentication command injection vulnerability discovered in the Cacti network operations framework. This flaw, which existed in all versions of Cacti up to 1.2.22, could be exploited by threat actors to deliver malware, thereby compromising the security of systems u
CVE-2021-35394 | Unspecified | 2 | The CVE-2021-35394 vulnerability, a flaw in the software design or implementation of Realtek Jungle SDK, has seen significant exploitation by threat actors. From August to October 2022, the number of attacks attempting to exploit this remote code execution vulnerability accounted for more than 40% o
Shellbot Xmrig | Unspecified | 1 | (no description)
Source Document References
Information about the Shellbot Malware was read from the documents corpus below.
Source | Created | Title
InfoSecurity-magazine | 3 months ago | Research Unearths RUBYCARP's Multi-Miner Assault on Crypto
CERT-EU | a year ago | Malware botnets spread through Cacti, Realtek flaws
CERT-EU | 5 months ago | Russia-linked APT28 compromised Ubiquiti EdgeRouters to facilitate cyber operations
Securityaffairs | 5 months ago | US Gov dismantled the Moobot botnet controlled by Russia-linked APT28
CERT-EU | a year ago | Linux Servers Hacked to Launch DDoS Attacks and Mine Monero Cryptocurrency | IT Security News
CERT-EU | a year ago | New Condi Malware Hijacking TP-Link Wi-Fi Routers for DDoS Botnet Attacks
CERT-EU | a year ago | Linux SSH servers targeted by novel ShellBot malware variants
CERT-EU | 9 months ago | Microsoft, SeroxenRAT, Smart Links, ToddyCAT, ShellBot, More News & Aaran Leyland – SWN #333
CERT-EU | a year ago | New Diicot Threat Group Targets SSH Servers with Brute-Force Malware
CERT-EU | a year ago | Linux Servers Hacked to Launch DDoS Attacks and Mine Monero Cryptocurrency
CERT-EU | a year ago | DDoS Malware Distributed Through Compromised Linux SSH Servers
CERT-EU | a year ago | Hackers Attack Linux SSH Servers with Tsunami DDoS Malware
CERT-EU | a year ago | Links 21/03/2023: JDK 20 and GNOME 43.5
CERT-EU | a year ago | Impact of 3CX supply chain attack still examined as company admits gaps
CERT-EU | a year ago | Cacti, Realtek, and IBM Aspera Faspex Vulnerabilities Under Active Exploitation
CERT-EU | a year ago | Beware bad passwords as attackers co-opt Linux servers into cybercrime
CERT-EU | a year ago | AudienceView cyberattack impacts US, Canadian colleges, universities
CERT-EU | a year ago | S3 Ep141: What was Steve Jobs's first job?
CERT-EU | a year ago | Ukraine targeted by novel malware attacks
Securityaffairs | 7 months ago | Experts analyzed attacks against poorly managed Linux SSH servers