Shellbot

Malware updated a month ago (2024-09-13T06:17:44.014Z)

Download STIX

Preview STIX

ShellBot is a malicious software (malware) variant that has been actively targeting poorly managed Linux SSH servers. As reported by Hacker News and HackRead in March 2023, this Perl-based DDoS bot deploys different variants to exploit these servers. ShellBot, along with another DDoS malware called Tsunami, are distributed by the same threat actor. The malware is highly customizable, with various versions offering different capabilities and attack methods. Notably, ShellBot uses the IRC protocol for Command & Control (C&C) communication, enabling it to receive commands like executing remote tasks or launching DDoS attacks without needing a custom C&C infrastructure. After gaining access to a system, ShellBot is installed and often achieves persistence by modifying startup scripts or cron jobs. Once installed, it connects to a C&C server via the IRC protocol, enabling attackers to issue commands, steal data, and launch DDoS attacks. ASEC reported on March 13, 2023, that ShellBot was actively targeting Linux SSH servers. By September 12, 2024, samples of ShellBot were found alongside a malware called SUPERSHELL. The attribution of these attacks is challenging, but there is speculation of involvement from Romanian threat actors, possibly linked to the 'Outlaw APT' group. ShellBot exploits vulnerabilities such as the Cacti bug to infect systems. Since January 2023, several malware botnet attacks have sought to spread Moobot and ShellBot through the exploitation of a critical Cacti command injection bug (CVE-2022-46169) and a critical Realtek Jungle SDK remote code execution flaw (CVE-2021-35394). These threat actors are also involved in the development and sale of cyber weapons, an activity that is not very common. Therefore, ensuring adequate vulnerability management and maintaining up-to-date security measures are crucial in preventing ShellBot infections.

Description last updated: 2024-09-13T06:16:12.591Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Perlbot is a possible alias for Shellbot. PerlBot, also known as ShellBot, is a harmful malware developed using the Perl programming language. This Distributed Denial of Service (DDoS) bot is designed to exploit poorly managed Linux SSH servers, primarily through dictionary attacks on weak SSH credentials. It uses the IRC protocol for Comma	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Linux

Ddos

Vulnerability

SSH

Fortiguard

Payload

Backdoor

Botnet

Xmrig

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Modded Perlbot V2 Malware is associated with Shellbot. Modded Perlbot v2 is a new strain of the ShellBot DDoS bot malware that has been identified as part of an attack campaign targeting mismanaged Linux SSH servers. This campaign, which began on March 22, 2023, involves the distribution of three distinct strains of the ShellBot malware: PowerBots Gohac	Unspecified	3
The Moobot Malware is associated with Shellbot. Moobot is a type of malware, or malicious software, designed to exploit and damage computer systems. It can infiltrate these systems via suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold dat	is related to	3
The Ddos Pbot v2.0 Malware is associated with Shellbot. On March 22, 2023, mismanaged Linux SSH servers were targeted by a novel attack campaign involving the distribution of three new strains of the ShellBot DDoS bot malware, including PowerBots GohacK, LiGhT's Modded perlbot v2, and DDoS PBot v2.0, as reported by The Hacker News. These attacks were esp	Unspecified	2
The Xmrig Coinminer Malware is associated with Shellbot. XMRig CoinMiner is a type of malware that has been identified as part of a wave of attacks on poorly managed Linux SSH servers. These attacks, often conducted by threat actors installing multiple malware families, have been observed to include other harmful software such as ShellBot, Tsunami, and Ch	Unspecified	2

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

Alias Description	Association Type	Votes
The CVE-2022-46169 Vulnerability is associated with Shellbot. CVE-2022-46169 is a critical pre-authentication command injection vulnerability discovered in the Cacti network operations framework. This flaw, which existed in all versions of Cacti up to 1.2.22, could be exploited by threat actors to deliver malware, thereby compromising the security of systems u	Unspecified	3
The CVE-2021-35394 Vulnerability is associated with Shellbot. The CVE-2021-35394 vulnerability, a flaw in the software design or implementation of Realtek Jungle SDK, has seen significant exploitation by threat actors. From August to October 2022, the number of attacks attempting to exploit this remote code execution vulnerability accounted for more than 40% o	Unspecified	2

Source Document References

Information about the Shellbot Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Contagio	a month ago	2024-09-12 SUPERSHELL + 2023-03-13 SHELLBOT Targeting Linux SSH servers Samples
InfoSecurity-magazine	7 months ago	Research Unearths RUBYCARP’s Multi-Miner Assault on Crypto
CERT-EU	2 years ago	Malware botnets spread through Cacti, Realtek flaws
CERT-EU	8 months ago	Russia-linked APT28 compromised Ubiquiti EdgeRouters to facilitate cyber operations
Securityaffairs	8 months ago	US Gov dismantled the Moobot botnet controlled by Russia-linked APT28
CERT-EU	a year ago	Linux Servers Hacked to Launch DDoS Attacks and Mine Monero Cryptocurrency \| IT Security News
CERT-EU	a year ago	New Condi Malware Hijacking TP-Link Wi-Fi Routers for DDoS Botnet Attacks
CERT-EU	2 years ago	Linux SSH servers targeted by novel ShellBot malware variants
CERT-EU	a year ago	Microsoft, SeroxenRAT, Smart Links, ToddyCAT, ShellBot, More News & Aaran Leyland – SWN #333
CERT-EU	a year ago	New Diicot Threat Group Targets SSH Servers with Brute-Force Malware
CERT-EU	a year ago	Linux Servers Hacked to Launch DDoS Attacks and Mine Monero Cryptocurrency
CERT-EU	a year ago	DDoS Malware Distributed Through Compromised Linux SSH Servers
CERT-EU	a year ago	Hackers Attack Linux SSH Servers with Tsunami DDoS Malware
CERT-EU	2 years ago	Links 21/03/2023: JDK 20 and GNOME 43.5
CERT-EU	2 years ago	Impact of 3CX supply chain attack still examined as company admits gaps
CERT-EU	2 years ago	Cacti, Realtek, and IBM Aspera Faspex Vulnerabilities Under Active Exploitation
CERT-EU	a year ago	Beware bad passwords as attackers co-opt Linux servers into cybercrime
CERT-EU	2 years ago	AudienceView cyberattack impacts US, Canadian colleges, universities
CERT-EU	a year ago	S3 Ep141: What was Steve Jobs’s first job?
CERT-EU	2 years ago	Ukraine targeted by novel malware attacks