ShellBot’s Evasion Strategy: Employing Hexadecimal IPs for Linux SSH Server Attacks

The threat actors behind ShellBot are using a novel technique: they write IP addresses in hexadecimal notation, which helps them infiltrate poorly managed Linux SSH servers and deploy the DDoS malware.

This observation, outlined in a recent report by the AhnLab Security Emergency Response Center (ASEC), reveals a significant alteration in the tactics employed by ShellBot’s operators.

What is a ShellBot?

ShellBot, also called PerlBot, is notorious for compromising servers with weak SSH credentials through dictionary attacks.

The malware is used to carry out DDoS attacks and to deploy cryptocurrency miners. It communicates with a command-and-control (C2) server over the IRC protocol.

Details About the Attack

The latest wave of attacks involving ShellBot showcases a notable shift, as the malware now employs hexadecimal IP addresses, for instance, hxxp://0x2763da4e/, corresponding to 39.99.218[.]78. 

[Figure: Malicious URL contained in the phishing PDF malware]

This change is a deliberate strategy to evade URL-based detection mechanisms. The download is performed with the ‘curl’ utility, which, like web browsers, can process hexadecimal IP addresses, so ShellBot is successfully downloaded in a Linux environment and subsequently executed through Perl.
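A defender-side check for the evasion described above, as an added example that is not code from ASEC's report or from this article: it rewrites a numeric URL host into dotted-decimal form so that URL- and IP-based rules see the real address. It goes beyond the hexadecimal case to the other classic `inet_aton` numeric forms (octal and plain decimal); all function names and the sample lines are hypothetical.

```python
import re

# Host part of an http(s) URL; "hxxp" lets defanged samples be scanned too.
URL_HOST = re.compile(r"\bh(?:tt|xx)ps?://([^\s/:]+)", re.IGNORECASE)
PART = re.compile(r"0x[0-9a-f]+|[0-9]+")

def _part(text):
    """Parse one inet_aton-style component: 0x.. hex, leading-0 octal, else decimal."""
    t = text.lower()
    if not PART.fullmatch(t):
        raise ValueError(text)
    if t.startswith("0x"):
        return int(t, 16)
    if len(t) > 1 and t[0] == "0":
        return int(t, 8)  # raises ValueError on digits 8/9, handled by the caller
    return int(t)

def normalize_host(host):
    """Return the dotted-decimal IPv4 form of host, or None if it is not a numeric IPv4."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [_part(p) for p in parts]
    except ValueError:
        return None
    # Leading parts are single bytes; the last part fills all remaining bytes.
    *head, last = nums
    if any(n > 0xFF for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))

def find_obfuscated_ips(line):
    """Return (raw_host, dotted_ip) pairs for URL hosts in a non-canonical IPv4 form."""
    hits = []
    for raw in URL_HOST.findall(line):
        ip = normalize_host(raw)
        if ip is not None and ip != raw:
            hits.append((raw, ip))
    return hits

# Constructed sample lines; the first reuses the defanged URL quoted in the article.
SAMPLE = ["curl -s hxxp://0x2763da4e/", "wget http://192.0.2.10/a.sh"]
if __name__ == "__main__":
    for entry in SAMPLE:
        print(entry, "->", find_obfuscated_ips(entry))
```

Running the normalised address through existing blocklists, and alerting on any non-canonical numeric host in a download command, covers both the known indicator and future variants of the same trick.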

Is ShellBot really dangerous?

ShellBot maintains a consistent presence and continues to be used for launching attacks against Linux systems. 

Given ShellBot’s capability to facilitate the installation of additional malware or execute various attacks from the compromised server, you are strongly advised to adopt robust passwords and routinely change them to fortify your defenses against brute-force and dictionary attacks.

What Do You Do To Stay Secure?

This shift in ShellBot’s tactics underscores the malware’s adaptive nature, which makes it a persistent threat to Linux SSH servers.

It attempts to outwit detection mechanisms by using hexadecimal IP addresses, highlighting the importance of continually enhancing our cybersecurity defenses. 

As we’ve seen, robust password practices remain a vital defense strategy, while security experts must stay vigilant in the face of evolving attack techniques. 

The revelation about abnormal certificates being weaponized for information-stealing malware emphasizes the need for comprehensive web security measures. 

With these insights, it’s clear that cybersecurity remains an evolving platform where staying ahead is essential.

Author: PureVPN

Date: October 13, 2023