The threat actors behind ShellBot are leveraging IP addresses transformed into hexadecimal notation to infiltrate Linux SSH servers and deploy distributed denial-of-service (DDoS) malware.
ShellBot (aka PerlBot) is known to breach servers that have weak SSH credentials by means of a dictionary attack. The malware is used to conduct DDoS attacks and deliver cryptocurrency miners.
The malware, developed in Perl, uses the IRC protocol to communicate with a command-and-control (C2) server.
The most recent attacks install the malware using hexadecimal IP addresses. The hex IP is used to evade URL-based detection signatures.
Impact
This threat is of medium severity. The initial vector is via credential theft or dictionary attacks.
ShellBot supports hexadecimal addresses just like a web browser. This means it can be downloaded successfully on a Linux system environment and executed through Perl.
DXC perspective
Mitigation tactics should include securing external-facing servers; implementing Privileged Access Management tooling to secure credentials; monitoring for abnormal user behavior; installing and regularly updating antivirus software on all hosts; and enabling real-time detection.
