Shellbot

Malware updated 4 months ago (2024-05-04T16:48:26.237Z)
ShellBot is malicious software (malware) that targets poorly managed Linux SSH servers. It has been detected in multiple variants and is primarily used to carry out distributed denial-of-service (DDoS) attacks. ShellBot exploits the Cacti bug as a primary leverage point for its operations, and it has been linked with other DDoS malware such as Tsunami. The threat actors behind this campaign are suspected to be Romanian, possibly with connections to the 'Outlaw APT' group and others who use Perl Shellbot; they are also involved in the development and sale of cyber weapons.

Since January 2023, numerous botnet attacks have attempted to spread ShellBot and Moobot malware by exploiting critical vulnerabilities such as the Cacti command injection bug (CVE-2022-46169) and the Realtek Jungle SDK remote code execution flaw (CVE-2021-35394). In April 2023, FortiGuard Labs researchers observed a hacking campaign specifically targeting these vulnerabilities to propagate ShellBot and Moobot. These attacks were not limited to DDoS activity but also included unauthorized cryptocurrency mining. The attackers have been found to brute-force Linux SSH servers to deploy their malware, including ShellBot, the Tsunami DDoS bot, log cleaners, privilege escalation tools, and an XMRig (Monero) coin miner.

Once installed, ShellBot lets the compromised Linux server be used as a DDoS bot against specific targets; it can also install additional malware or launch other types of attacks from the compromised host. The attackers typically begin with a dictionary attack against systems with SSH port 22 open, trying a range of SSH credentials, then deploy the payload and use the Internet Relay Chat (IRC) protocol for command-and-control communications.
Description last updated: 2024-04-09T15:15:57.355Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Profile (votes): Description

Moobot (3 votes): Moobot is a type of malware, or malicious software, designed to exploit and damage computer systems. It can infiltrate these systems via suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold dat

Tsunami (2 votes): The "Tsunami" malware, a malicious software designed to exploit and damage computer systems, has caused significant cybersecurity disruptions globally. This malware, whose variants include xmrigDeamon, Bioset, dns3, xmrigMiner, docker-update, dns, 64[watchdogd], 64bioset, 64tshd, armbioset, armdns,

Perlbot (2 votes): PerlBot, also known as ShellBot, is a harmful malware developed using the Perl programming language. This Distributed Denial of Service (DDoS) bot is designed to exploit poorly managed Linux SSH servers, primarily through dictionary attacks on weak SSH credentials. It uses the IRC protocol for Comma
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Fortiguard
Malware
Vulnerability
Ddos
Payload
Backdoor
Botnet
SSH
Linux
Analyst Notes & Discussion
Associated Malware
Profile (type, votes): Description

Modded Perlbot V2 (type: Unspecified, 2 votes): Modded perlbot v2 is a strain of the ShellBot DDoS bot malware, part of a new attack campaign targeting mismanaged Linux SSH servers that was uncovered on March 22, 2023. This campaign involved three different strains: PowerBots GohacK, LiGhT's Modded perlbot v2, and DDoS PBot v2.0. These malicious

Ddos Pbot v2.0 (type: Unspecified, 2 votes): On March 22, 2023, mismanaged Linux SSH servers were targeted by a novel attack campaign involving the distribution of three new strains of the ShellBot DDoS bot malware, including PowerBots GohacK, LiGhT's Modded perlbot v2, and DDoS PBot v2.0, as reported by The Hacker News. These attacks were esp

Xmrig CoinMiner (type: Unspecified, 2 votes): XMRig CoinMiner is a type of malware that has been identified as part of a wave of attacks on poorly managed Linux SSH servers. These attacks, often conducted by threat actors installing multiple malware families, have been observed to include other harmful software such as ShellBot, Tsunami, and Ch

Xmrig (type: Unspecified, 2 votes): XMRig is a type of malware that exploits computer systems to mine cryptocurrency. It is installed and executed by a dropper, which uses the legitimate I2P tooling application to mask its activities. The dropper first checks if the victim host has been previously infected; if not, it downloads necess
Associated Vulnerabilities
Vulnerability (type, votes): Description

CVE-2022-46169 (type: Unspecified, 3 votes): CVE-2022-46169 is a critical pre-authentication command injection vulnerability discovered in the Cacti network operations framework. This flaw, which existed in all versions of Cacti up to 1.2.22, could be exploited by threat actors to deliver malware, thereby compromising the security of systems u

CVE-2021-35394 (type: Unspecified, 2 votes): The CVE-2021-35394 vulnerability, a flaw in the software design or implementation of Realtek Jungle SDK, has seen significant exploitation by threat actors. From August to October 2022, the number of attacks attempting to exploit this remote code execution vulnerability accounted for more than 40% o
Source Document References
Information about the Shellbot malware was read from the documents corpus below. This display is limited to 20 results.

Source (created): Title

InfoSecurity-magazine (5 months ago): Research Unearths RUBYCARP’s Multi-Miner Assault on Crypto
CERT-EU (a year ago): Malware botnets spread through Cacti, Realtek flaws
CERT-EU (6 months ago): Russia-linked APT28 compromised Ubiquiti EdgeRouters to facilitate cyber operations
Securityaffairs (7 months ago): US Gov dismantled the Moobot botnet controlled by Russia-linked APT28
CERT-EU (a year ago): Linux Servers Hacked to Launch DDoS Attacks and Mine Monero Cryptocurrency | IT Security News
CERT-EU (a year ago): New Condi Malware Hijacking TP-Link Wi-Fi Routers for DDoS Botnet Attacks
CERT-EU (a year ago): Linux SSH servers targeted by novel ShellBot malware variants
CERT-EU (a year ago): Microsoft, SeroxenRAT, Smart Links, ToddyCAT, ShellBot, More News & Aaran Leyland – SWN #333
CERT-EU (a year ago): New Diicot Threat Group Targets SSH Servers with Brute-Force Malware
CERT-EU (a year ago): Linux Servers Hacked to Launch DDoS Attacks and Mine Monero Cryptocurrency
CERT-EU (a year ago): DDoS Malware Distributed Through Compromised Linux SSH Servers
CERT-EU (a year ago): Hackers Attack Linux SSH Servers with Tsunami DDoS Malware
CERT-EU (a year ago): Links 21/03/2023: JDK 20 and GNOME 43.5
CERT-EU (a year ago): Impact of 3CX supply chain attack still examined as company admits gaps
CERT-EU (a year ago): Cacti, Realtek, and IBM Aspera Faspex Vulnerabilities Under Active Exploitation
CERT-EU (a year ago): Beware bad passwords as attackers co-opt Linux servers into cybercrime
CERT-EU (a year ago): AudienceView cyberattack impacts US, Canadian colleges, universities
CERT-EU (a year ago): S3 Ep141: What was Steve Jobs’s first job?
CERT-EU (a year ago): Ukraine targeted by novel malware attacks
Securityaffairs (8 months ago): Experts analyzed attacks against poorly managed Linux SSH servers