Shellbot botnet found targeting IoT devices and Linux servers

Security researchers from Trend Micro have discovered an IRC bot dubbed Shellbot that is targeting Internet of Things (IoT) devices and Linux servers. The botnet is also capable of affecting Windows systems and Android devices.

Modus operandi

The IRC bot is built with the help of a Shellbot variant that is written in Perl and is distributed by a threat actor group called Outlaw.

“We uncovered an operation of a hacking group, which we’re naming ‘Outlaw’ (translation derived from the Romanian word haiduc, the hacking tool the group primarily uses), involving the use of an IRC bot built with the help of Perl Shellbot,” reads the analysis published by Trend Micro.

Shellbot is typically installed on a victim’s computer via the Shellshock Unix Bash shell vulnerability that was discovered back in 2014. This time, however, the group was found exploiting a common command injection vulnerability on IoT devices and Linux servers in order to spread the bot.

“The group distributes the bot by exploiting a common command injection vulnerability on the internet of things (IoT) devices and Linux servers. Further research indicates that the threat can also affect Windows-based environments and even Android devices.”

Once executed, Shellbot allows the attackers to send commands to the infected machines via an Internet Relay Chat (IRC) channel. These include commands to conduct a port scan, launch a distributed denial of service attack and more.

“Once the Shellbot is running on a target system, the administrator of the IRC channel can send various commands to the host. The list includes commands to perform a port scan, perform various forms of distributed denial of service (DDoS), download a file, get information about other machines, or just send the operating system (OS) information and list of certain running processes on the C&C server,” said Trend Micro’s researchers in the blog post.

Researchers highlight that the code used in these attacks is available online, which makes it very easy for hackers to build such bots and use them against big companies.

“The Outlaw group here used an IRC bot, which isn’t a novel threat. The code used is available online, making it possible to build such a bot (with a fully undetectable toolset) and operate it under the radar of common network security solutions,” reads the blog post.
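Because the bot takes its commands over IRC, a server or IoT host that completes an IRC client registration outbound is worth an alert whatever port it uses. The following is an added detection example, not code from Trend Micro's analysis or from this article; the session record layout, addresses, nicknames and channel name are constructed assumptions.

```python
import re

# Client-side verbs from the IRC protocol (RFC 1459 / RFC 2812).
NICK = re.compile(r"^NICK\s+\S+", re.I)
USER = re.compile(r"^USER\s+\S+\s+\S+\s+\S+\s+:?\S", re.I)
JOIN = re.compile(r"^JOIN\s+([#&+!]\S+)", re.I)


def irc_state(client_lines):
    """Classify the first client-to-server lines of one TCP session.

    Returns (registered, channels). registered is True only when both NICK
    and USER were sent, which an IRC client must do before the server
    accepts other commands; matching both keeps HTTP or SMTP text from firing.
    """
    nick = user = False
    channels = []
    for raw in client_lines:
        line = raw.strip()
        nick = nick or bool(NICK.match(line))
        user = user or bool(USER.match(line))
        m = JOIN.match(line)
        if m:
            channels.extend(m.group(1).split(","))
    return nick and user, channels


def find_irc_clients(sessions, monitored):
    """Return alerts for monitored hosts that speak IRC outbound on any port."""
    alerts = []
    for s in sessions:
        registered, channels = irc_state(s["client_lines"])
        if registered and s["src"] in monitored:
            alerts.append({"src": s["src"], "dst": s["dst"],
                           "dport": s["dport"], "channels": channels})
    return alerts


# Constructed sample data: hypothetical server/IoT segment and payload lines.
MONITORED = {"10.0.5.20", "10.0.5.31"}
SESSIONS = [
    {"src": "10.0.5.20", "dst": "203.0.113.7", "dport": 443,
     "client_lines": ["NICK host-4821", "USER x 0 * :x", "JOIN #example"]},
    {"src": "10.0.5.31", "dst": "198.51.100.9", "dport": 80,
     "client_lines": ["GET /user HTTP/1.1", "Host: example.org"]},
    {"src": "10.0.9.99", "dst": "203.0.113.7", "dport": 6667,
     "client_lines": ["NICK alice", "USER alice 0 * :Alice"]},
]

if __name__ == "__main__":
    for alert in find_irc_clients(SESSIONS, MONITORED):
        print(alert)
```

Payload matching of this kind only sees plaintext IRC; a session wrapped in TLS has to be caught by destination or flow-based rules instead.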

Cyware Publisher
