October 12, 2023 at 09:57AM
The ShellBot threat actors are using hexadecimal IP addresses to attack Linux SSH servers and deploy DDoS malware. The malware, also known as PerlBot, breaches servers with weak SSH credentials and then stages DDoS attacks and delivers cryptocurrency miners. The use of hexadecimal IP addresses is an attempt to avoid detection. Users are advised to use strong passwords and regularly change them to protect against attacks. Additionally, ASEC has revealed that attackers are using abnormal certificates to distribute information stealer malware.
Key Takeaways from the Meeting Notes:
1. The threat actors behind ShellBot are using IP addresses transformed into hexadecimal notation to attack poorly managed Linux SSH servers and deploy DDoS malware.
2. ShellBot, also known as PerlBot, breaches servers with weak SSH credentials through a dictionary attack and is used to carry out DDoS attacks and deliver cryptocurrency miners.
3. The latest observed attacks involve ShellBot using hexadecimal IP addresses to evade detection signatures.
4. ShellBot uses the IRC protocol to communicate with a command-and-control server.
5. Users are recommended to use strong passwords and change them periodically to resist brute-force and dictionary attacks.
6. Attackers are weaponizing abnormal certificates with long strings for Subject Name and Issuer Name fields to distribute information stealer malware such as Lumma Stealer and RecordBreaker.
7. Malicious pages that distribute these malware variants are accessible through search engines, posing a threat to a wide range of users.