A new wave of DDoS attacks has been detected targeting poorly managed Linux SSH servers. The attackers are deploying a variant of the ShellBot malware to carry out the attacks. According to reports, the threat actors scan for servers exposing SSH on port 22, then install ShellBot on those with weak credentials. They use a list of known SSH credentials to break into the servers and deploy the payload. The malware uses the IRC protocol to communicate with a remote server, which instructs it to carry out DDoS attacks and exfiltrate information.
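As an added defender-side illustration (not code from the article or from ASEC), the following Python script flags the initial-access pattern described above: a burst of failed SSH password attempts from one source followed by a successful login from that same source. The log lines, hostname, addresses and year are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines in /var/log/auth.log syslog format (not taken
# from the article); the year is assumed below, since syslog timestamps omit it.
SAMPLE_AUTH_LOG = """\
Mar 20 02:11:01 web1 sshd[2141]: Failed password for root from 198.51.100.23 port 51022 ssh2
Mar 20 02:11:03 web1 sshd[2143]: Failed password for root from 198.51.100.23 port 51030 ssh2
Mar 20 02:11:04 web1 sshd[2145]: Failed password for invalid user admin from 198.51.100.23 port 51041 ssh2
Mar 20 02:11:06 web1 sshd[2147]: Failed password for invalid user oracle from 198.51.100.23 port 51052 ssh2
Mar 20 02:11:08 web1 sshd[2149]: Failed password for root from 198.51.100.23 port 51060 ssh2
Mar 20 02:11:09 web1 sshd[2151]: Accepted password for root from 198.51.100.23 port 51071 ssh2
Mar 20 02:15:40 web1 sshd[2201]: Accepted publickey for deploy from 203.0.113.8 port 40112 ssh2
Mar 20 02:16:02 web1 sshd[2210]: Failed password for root from 192.0.2.77 port 33001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: (?P<result>Accepted|Failed) "
    r"(?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def analyze_ssh_log(log_text, threshold=5, window_seconds=60):
    """Return {ip: finding} for sources that look like SSH dictionary attacks:
    `threshold` password failures inside `window_seconds`, plus any Accepted
    login that follows from the same source (the likely compromised account)."""
    failures = defaultdict(list)  # ip -> timestamps of recent failed passwords
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd authentication event
        ts = datetime.strptime(f"2023 {m['ts']}", "%Y %b %d %H:%M:%S")  # assumed year
        ip = m["ip"]
        if m["result"] == "Failed" and m["method"] == "password":
            # Sliding window: keep only failures within window_seconds of this one.
            recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window_seconds]
            recent.append(ts)
            failures[ip] = recent
            if len(recent) >= threshold:
                findings.setdefault(ip, {"failures": 0, "compromised_users": []})
                findings[ip]["failures"] = len(recent)
        elif m["result"] == "Accepted" and ip in findings:
            findings[ip]["compromised_users"].append(m["user"])
    return findings

if __name__ == "__main__":
    for ip, f in analyze_ssh_log(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {f['failures']} failures; logins after burst: {f['compromised_users']}")
```

A flagged source with a non-empty `compromised_users` list is the case worth acting on first: the account should be treated as compromised and the host checked for an IRC-connected process.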
AhnLab Security Emergency Response Center (ASEC) has identified three ShellBot variants: LiGhT’s Modded Perlbot v2, DDoS PBot v2.0, and PowerBots (C) Gohack. The first two offer multiple DDoS attack commands over HTTP, TCP, and UDP. PowerBots, by contrast, can grant reverse shell access and upload arbitrary files from a compromised host.
According to ASEC, once ShellBot is installed on a Linux server it can be used as a DDoS bot against specific targets as soon as it receives a command from the threat actor. The attacker can also use its various backdoor features to install additional malware or launch other attacks from the compromised server.
This campaign has prompted Microsoft to reveal increased attacks aimed at healthcare organizations hosted in Azure since November 2022. While the situation is concerning, efforts are underway to provide extra security to contain the current campaign and prevent future occurrences.