BPDoxS

BPDoxS

Share

29/03/2023

Poorly managed Linux SSH servers are being targeted as part of a new campaign that deploys different variants of a malware called ShellBot.

ShellBot, also known as PerlBot, is a DDoS Bot malware developed in Perl and characteristically uses IRC protocol to communicate with the C&C server.

ShellBot is installed on servers that have weak credentials, but only after threat actors make use of scanner malware to identify systems that have SSH port 22 open.

A list of known SSH credentials is used to initiate a dictionary attack to breach the server and deploy the payload, after which it uses the Internet Relay Chat (IRC) protocol to communicate with a remote server.

This encompasses the ability to receive commands that allows ShellBot to carry out DDoS attacks and exfiltrate harvested information.

ASEC said it identified three different ShellBot versions – LiGhT's Modded perlbot v2, DDoS PBot v2.0, and PowerBots (C) GohacK – the first two of which offer a variety of DDoS attack commands using HTTP, TCP, and UDP protocols.

PowerBots, on the other hand, comes with more backdoor-like capabilities to grant reverse shell access and upload arbitrary files from the compromised host.

"If ShellBot is installed, Linux servers can be used as DDoS Bots for DDoS attacks against specific targets after receiving a command from the threat actor," ASEC said. "Moreover, the threat actor could use various other backdoor features to install additional malware or launch different types of attacks from the compromised server."

The development also comes as Microsoft revealed a gradual increase in the number of DDoS attacks targeting healthcare organizations hosted in Azure, surging from 10-20 attacks in November 2022 to 40-60 attacks daily in February 2023.

Photos from BPDoxS's post 29/03/2023

An Android voice phishing (aka vishing) malware campaign known as FakeCalls has reared its head once again to target South Korean users under the guise of over 20 popular financial apps.

FakeCalls malware possesses the functionality of a Swiss army knife, able not only to conduct its primary aim but also to extract private data from the victim's device.

In the observed attacks, users who install the rogue banking app are enticed into calling the financial institution by offering a fake low-interest loan.

The ultimate goal of the campaign to get the victim's credit card information, which the threat actors claim is required to qualify for the non-existent loan.

The malicious app also requests for intrusive permissions so as to harvest sensitive data, including live audio and video streams, from the compromised device, which are then exfiltrated to a remote server.

The latest FakeCalls samples further implement various techniques to stay under the radar. One of the methods involves adding a large number of files inside nested directories to the APK's asset folder, causing the length of the file name and path to breach the 300-character limit.

While the attack exclusively focuses on South Korea, the cybersecurity company has warned that the same tactics can be repurposed to target other regions across the world.

The findings also come as Cyble shed light on two Android banking trojans dubbed Nexus and GoatRAT that can harvest valuable data and carry out financial fraud.

Nexus, a rebranded version of SOVA, also incorporates a ransomware module that encrypts the stored files and can abuse Android's accessibility services to extract seed phrases from cryptocurrency wallets.

Spain, Saudi Arabia, Australia, Turkey, China, Switzerland, Japan, Colombia, Italy, and India lead the list of top countries infected by mobile financial threats.

Want your business to be the top-listed Computer & Electronics Service in Patiala?
Click here to claim your Sponsored Listing.

Telephone

Address


Patiala
147001