{"id":1876,"date":"2023-10-13T17:42:00","date_gmt":"2023-10-13T17:42:00","guid":{"rendered":"https:\/\/www.darkreading.com\/cloud\/shellbot-cracks-linux-ssh-servers-debuts-new-evasion-tactic"},"modified":"2023-10-13T17:42:00","modified_gmt":"2023-10-13T17:42:00","slug":"shellbot-cracks-linux-ssh-servers-debuts-new-evasion-tactic","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2023\/10\/13\/shellbot-cracks-linux-ssh-servers-debuts-new-evasion-tactic\/","title":{"rendered":"ShellBot Cracks Linux SSH Servers, Debuts New Evasion Tactic"},"content":{"rendered":"

<\/p>\n

<\/div>\n
\n
\n

Cyberattackers are targeting Linux SSH servers with the ShellBot malware, and they have a new method for hiding their activity: using hexadecimal IP (Hex IP) addresses to evade behavior-based detection.<\/p>\n

According to researchers at the AhnLab Security Emergency Response Center (ASEC), the threat actors are translating the familiar “dot-decimal” command-and-control URL formation (i.e., hxxp:\/\/39.99.218[.]78,) into a Hex IP address format (such as hxxp:\/\/0x2763da4e\/), which most URL-based detection signatures won’t parse or flag.<\/p>\n

“IP addresses can be expressed in formats other than the dot-decimal notation, including decimal and hexadecimal notations, and are generally compatible with widely used Web browsers,” according to the ASEC advisory on the Hex IP attacks<\/a>. “Due to the usage of curl<\/a> for the download and its ability to support hexadecimal just like Web browsers, ShellBot can be downloaded successfully on a Linux system environment and executed through Perl.”<\/p>\n

ShellBot, aka PerlBot, is a well-known botnet<\/a> that uses dictionary attacks to compromise servers that have weak SSH credentials. From there, the server endpoint is marshalled into action to deliver distributed denial-of-service (DDoS) attacks or drop payloads like cryptominers on infected machines.<\/p>\n

“If ShellBot is installed, Linux servers can be used … for DDoS attacks against specific targets after receiving a command from the threat actor,” ASEC explained. “Moreover, the threat actor could use various other backdoor features to install additional malware<\/a> or launch different types of attacks from the compromised server.”<\/p>\n

To protect their organizations from ShellBot attacks, administrators should simply up their password hygiene game, using strong passwords and making sure to rotate their hardened credentials on a regular basis.<\/p>\n<\/div>\n<\/div>\n

\n

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.<\/p>\n

Subscribe<\/a><\/div>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Cyberattackers are targeting Linux SSH servers with the ShellBot malware,<\/p>\n","protected":false},"author":12,"featured_media":1877,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-1876","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/shellbot-cracks-linux-ssh-servers-debuts-new-evasion-tactic.jpg?fit=310%2C310&ssl=1",310,310,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/shellbot-cracks-linux-ssh-servers-debuts-new-evasion-tactic.jpg?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/shellbot-cracks-linux-ssh-servers-debuts-new-evasion-tactic.jpg?fit=300%2C300&ssl=1",300,300,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/shellbot-cracks-linux-ssh-servers-debuts-new-evasion-tactic.jpg?fit=310%2C310&ssl=1",310,310,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/shellbot-cracks-linux-ssh-servers-debuts-new-evasion-tactic.jpg?fit=310%2C310&ssl=1",310,310,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/shellbot-cracks-linux-ssh-servers-debuts-new-evasion-tactic.jpg?fit=310%2C310&ssl=1",310,310,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/shellbot-cracks-linux-ssh-servers-debuts-new-evasion-tactic.jpg?fit=310%2C310&ssl=1",310,310,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/shellbot-cracks-linux-ssh-servers-debuts-new-evasion-tactic.jpg?fit=310%2C310&ssl=1",310,310,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/shellbot-cracks-linux-ssh-servers-debuts-new-evasion-tactic.jpg?resize=310%2C310&ssl=1",310,310,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/shellbot-cracks-linux-ssh-servers-debuts-new-evasion-tactic.jpg?resize=310%2C310&ssl=1",310,310,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/shellbot-cracks-linux-ssh-servers-debuts-new-evasion-tactic.jpg?fit=310%2C310&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/1876","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=1876"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/1876\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/1877"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=1876"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=1876"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=1876"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}