New BlueShell Malware Attacks Windows, Linux, and Mac

A background on BlueShell

• BlueShell employs TLS encryption to evade network detection when communicating with its C2 server. 
• It relies on three configuration parameters: the C2 server's IP address, port number, and a specified waiting time.
• Research findings have uncovered the use of BlueShell malware by the Dalbit Group in attacks targeting Windows systems. 
• The Dalbit Group, a threat actor based in China, primarily focuses on vulnerable servers to pilfer critical data, which it then uses to demand ransom. 
• Additionally, there have been documented instances of attacks against mail servers and MS-SQL database servers.

The new variant

• While analyzing BlueShell's activities in the Linux environment, the researchers identified a customized variant of the malware on VirusTotal. 
• Notably, this malware sample was uploaded to VirusTotal from locations in Korea and Thailand, suggesting that these two regions may have been the intended targets of the attack.

Some latest attacks on operating systems

• A threat actor is exploiting vulnerabilities in the MinIO Object Storage system to remotely execute arbitrary code on vulnerable servers. The exploits can effectively be used against Linux and Windows environments using specific Downloader Scripts.
• Early August, researchers spotted an evolved SkidMap malware variant targeting a wide range of Linux distributions, including Alibaba, Anolis, and RedHat.
• The same month witnessed a new hVNC tool for hacking Mac systems, allowing attackers to gain stealthy remote control and steal sensitive information.

The bottom line