2024-09-12 SUPERSHELL + 2023-03-13 SHELLBOT Targeting Linux SSH servers Samples

 

2024-09-12 Ahnlab: SuperShell malware targeting Linux SSH servers

• SuperShell is a sophisticated backdoor malware targeting Linux SSH servers, written in the Go language, which allows cross-platform functionality on Linux, Windows, and Android. Created by a Chinese-speaking developer, it operates as a reverse shell, enabling attackers to execute commands remotely on the compromised systems. The attack begins with brute force and dictionary attacks against SSH servers, using weak credentials like "root/password" and "root/123456qwerty." Once access is gained, attackers execute a series of commands to download and install SuperShell, leveraging tools like wget, curl, tftp, and FTP, with download sources often hosted on compromised servers.
• 
  
• SuperShell's obfuscation adds complexity, but it can still be identified through specific internal strings and its runtime behavior. The malware's installation process is versatile, targeting directories like /tmp, /var/run, /mnt, and /root, with commands often including clean-up actions to remove traces post-installation (rm -r *). Typically, the payload involves downloading a script or binary, which is then executed with elevated permissions using chmod +x followed by execution (./ssh1). This pattern is consistently observed across multiple commands, highlighting the malware's redundancy and persistence in ensuring successful deployment.
• Additionally, the attackers often deploy XMRig, a Monero cryptocurrency miner, alongside SuperShell, hinting at a dual-purpose attack: maintaining persistent control over the system while generating illicit cryptocurrency. 

 2023-03-13 Ahnlab: ShellBot Malware Being Distributed to Linux SSH Servers

• On March 13, 2023, ASEC reported that ShellBot, a Perl-based DDoS bot, is actively targeting Linux SSH servers. The malware exploits weak SSH credentials through brute-force attacks, gaining access to deploy its payload. Once installed, ShellBot connects to a Command and Control (C&C) server via the IRC protocol, enabling attackers to issue commands, steal data, and launch DDoS attacks.
• Initial Access: Attackers scan for servers with open SSH ports (port 22) and use brute-force tools to guess weak or default credentials.
• Installation: After gaining access, ShellBot is deployed, often achieving persistence by modifying startup scripts or cron jobs.
• IRC Protocol: ShellBot uses the IRC protocol for C&C communication, allowing it to receive commands like executing remote tasks or launching DDoS attacks without needing a custom C&C infrastructure.
• Customization: ShellBot is highly customizable, with variants like "LiGhT’s Modded perlbot v2" offering different capabilities and attack methods tailored by various threat actors.

Download

 
Download. Email me if you need the password scheme.

File Information

• ├── SHELLBOT
• │   ├── 2220783661db230d0808a5750060950688e2618d462ccbe07f54408154c227c1 .pl 
• │   ├── b7d62d1a145ddda241e624ef94ab31fcca1a13f79e130d0a704586e35745282a .pl 
• │   ├── e476b9c07fcd80824d4eafce0e826ae1c12706ca6215eb6e3995468374bb8a76 .pl
• │   └── f5a26a68344c1ffd136ba73dec9d08f61212872cdba33bd4d7d32733a72e4ed5 .pl 
• │   ├── Other Shellbot samples
• │   │   ├── 0857f90be97326ff45f17ec3f6ce60d9a0f6d8faed34e48527fde5ec30bd5a0d
• │   │   ├── 0c1673e442b945a0aecf60d3970e924b16bd72d46e257bd72927821e4ebbc9ca
• │   │   ├── 1f3c279ea684d5cbdc7004819bf15a160f70b2c79c4affd309f9ab3ad957045b
• │   │   ├── 5ba1d0efb313ccc20e3d5f2476a3db811e15c80c3f1ac73b7a02d80c5c49c728
• │   │   ├── a26de5b607e3a66af8b7db2c13bcd1c658817649c699f8731db6f237c3c5b1ce
• │   │   └── cb80570332e3e32037f426e835d05bdcd276e9e5acfd439027d788dd64dcb47d
• └── SUPERSHELL
•     ├── 157bea84012ca8b8dc6c0eabf80db1f0256eafccf4047d3e4e90c50ed42e69ff ssh1.sh 
•     ├── 23dbfb99fc6c4fcfc279100c4b6481a7fd3f0b061b8d915604efa2ba37c8ddfa setup c3pool miner.sh 
•     └── cf5a7b7c71564a5eef77cc5297b9ffd6cd021eb44c0901ea3957cb2397b43e15 ssh1 

Malware Repo Links

Over the past 15 years, as the blog has been around, many hosting providers have dropped support due to stricter no-malware policies. This has led to broken links, especially in older posts. If you find a broken link on contagiodump.blogspot.com (or contagiominidump.blogspot.com), just note the file name from the URL and search for it in the Contagio Malware Storage.