ShellBot Botnet’s New Hexadecimal Trick Targets Linux Servers

ShellBot Botnet
Thread IOC page of AhnLab TIP

Malicious actors behind the ShellBot botnet are employing hexadecimal-converted IP addresses to infiltrate vulnerable SSH Linux servers and deploy malware for conducting DDoS attacks.

In a recent report published by AhnLab Security (ASEC) experts, it’s revealed, “The overall flow remains the same, but the download URL used by the threat actor to install ShellBot has changed from a regular IP address to a hexadecimal value.

ShellBot, also recognized as PerlBot, exploits servers with weak SSH credentials through dictionary attacks. This malicious software orchestrates DDoS assaults and delivers cryptocurrency miners. Crafted in Perl, this botnet malware employs the IRC protocol to communicate with its C2 management server.

Thread IOC page of AhnLab TIP

Recently observed attacks using ShellBot deploy malware using hexadecimal IP addresses. For instance, a communication channel is established for the IP address “hxxp://0x2763da4e/”, corresponding to the address “hxxp://39.99.218.78”.

This connection method proves effective and eludes detection, leading to the inference that hackers intentionally adopted this tactic to circumvent URL-based detection.

ASEC highlights, “Due to the usage of curl for the download and its ability to support hexadecimal just like web browsers, ShellBot can be downloaded successfully on a Linux system environment and executed through Perl.

This malware’s evolution signifies that ShellBot remains actively utilized for cyber-attacks on Linux systems. Given that ShellBot can deploy additional malware or launch diverse attack types from compromised servers, it’s recommended to utilize robust passwords and periodically change them.

Earlier, ASEC specialists exposed a malicious operation employing unconventional certificates with unusually lengthy strings for the “Subject Name” and “Publisher Name” fields to disseminate malware intended for data theft – namely, Lumma Stealer and RecordBreaker.

Returning to ShellBot, the scrutinized campaign serves as a reminder that standard detection mechanisms can be effortlessly bypassed using malevolent ruses, like substituting classic IP addresses with hexadecimal values.

All this accentuates the imperative of continuous evolution in the cybersecurity sector, heightened attention to detail, and readiness to adapt to an ever-evolving threat landscape.