2024-09-12 Symantec: Linux SSH servers targeted by new SuperShell malware variant

A recent campaign has targeted vulnerable or misconfigured Linux SSH servers using a Go-based malware variant known as SuperShell. This malware functions as a reverse shell, enabling attackers to gain remote control and execute arbitrary code on compromised machines. These servers are then likely to be repurposed for malicious activities such as cryptomining or Distributed Denial-of-Service (DDoS) attacks. The malware gathers detailed system information and checks CPU data to identify virtual environments. It scans user directories and downloads additional malicious files. After downloading, it grants execute permissions to the downloaded files and attempts to run them.

2023-03-13 Ahnlab: ShellBot Malware Being Distributed to Linux SSH Servers

On March 13, 2023, ASEC reported that ShellBot, a Perl-based DDoS bot, is actively targeting Linux SSH servers. The malware exploits weak SSH credentials through brute-force attacks, gaining access to deploy its payload. Once installed, ShellBot connects to a Command and Control (C&C) server via the IRC protocol, enabling attackers to issue commands, steal data, and launch DDoS attacks.

Initial Access: Attackers scan for servers with open SSH ports (port 22) and use brute-force tools to guess weak or default credentials.
Installation: After gaining access, ShellBot is deployed, often achieving persistence by modifying startup scripts or cron jobs.
IRC Protocol: ShellBot uses the IRC protocol for C&C communication, allowing it to receive commands like executing remote tasks or launching DDoS attacks without needing a custom C&C infrastructure.
Customization: ShellBot is highly customizable, with variants like “LiGhT’s Modded perlbot v2” offering different capabilities and attack methods tailored by various threat actors.
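Both campaigns above start with password guessing against SSH, so the earliest defender signal is a successful password login that follows a burst of failures from the same source. The following detector is an added example, not code from the Contagio post or from the referenced reports; the sshd log lines it parses are constructed, and the threshold of five failures is an assumption to tune per environment.

```python
import re
from collections import defaultdict

# Constructed sshd/auth.log lines (syslog format); not taken from the page.
SAMPLE_AUTH_LOG = """\
Mar 13 02:10:01 host sshd[4011]: Failed password for root from 198.51.100.23 port 50120 ssh2
Mar 13 02:10:03 host sshd[4012]: Failed password for root from 198.51.100.23 port 50122 ssh2
Mar 13 02:10:05 host sshd[4013]: Failed password for invalid user admin from 198.51.100.23 port 50124 ssh2
Mar 13 02:10:07 host sshd[4014]: Failed password for root from 198.51.100.23 port 50126 ssh2
Mar 13 02:10:09 host sshd[4015]: Failed password for root from 198.51.100.23 port 50128 ssh2
Mar 13 02:10:12 host sshd[4016]: Accepted password for root from 198.51.100.23 port 50130 ssh2
Mar 13 02:11:40 host sshd[4020]: Accepted publickey for deploy from 192.0.2.10 port 41022 ssh2
Mar 13 02:12:01 host sshd[4021]: Failed password for root from 203.0.113.5 port 33001 ssh2
"""

# sshd prefixes unknown accounts with "invalid user"; the optional group absorbs that.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")


def find_bruteforce_logins(log_text, threshold=5):
    """Return (source_ip, user, failures_before_success) for every password
    login preceded by at least `threshold` failed password attempts from the
    same source IP. Lines are streamed in order, so the count reflects the
    failures seen from that source up to the moment of the accepted login.
    Key-based logins are ignored: they are not the brute-force outcome."""
    failures = defaultdict(int)
    hits = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            if method == "password" and failures[ip] >= threshold:
                hits.append((ip, user, failures[ip]))
    return hits


if __name__ == "__main__":
    for ip, user, n in find_bruteforce_logins(SAMPLE_AUTH_LOG):
        print(f"suspected brute-force login: {user}@{ip} after {n} failures")
```

A hit here is the point at which to review that account's cron entries and shell startup files, since the report describes those as ShellBot's persistence locations.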

Download. Email me if you need the password scheme.
File Information
Malware Repo Links
Over the past 15 years, as the blog has been around, many hosting providers have dropped support due to stricter no-malware policies. This has led to broken links, especially in older posts. If you find a broken link on contagiodump.blogspot.com (or contagiominidump.blogspot.com), just note the file name from the URL and search for it in the Contagio Malware Storage.

Article Link: https://contagiodump.blogspot.com/2024/09/2024-09-12-supershell-2023-03-13.html

