Cyberattackers are targeting Linux SSH servers with the ShellBot malware, and they have a new method for hiding their activity: using hexadecimal IP (Hex IP) addresses to evade behavior-based detection.
According to researchers at the AhnLab Security Emergency Response Center (ASEC), the threat actors are translating the familiar "dot-decimal" command-and-control URL format (i.e., hxxp://39.99.218[.]78) into a Hex IP address format (such as hxxp://0x2763da4e/), which most URL-based detection signatures will not parse or flag.
"IP addresses can be expressed in formats other than the dot-decimal notation, including decimal and hexadecimal notations, and are generally compatible with widely used Web browsers," according to the ASEC advisory on the Hex IP attacks. "Due to the usage of curl for the download and its ability to support hexadecimal just like Web browsers, ShellBot can be downloaded successfully on a Linux system environment and executed by Perl."
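The detection gap described above comes from signatures matching the literal dotted string. The following is an added example (not ASEC's or ShellBot's code) of a normalizer that folds every inet_aton-style host spelling that curl and browsers accept (dotted decimal, a single hex or decimal integer, mixed forms, octal parts) into canonical dotted-decimal form before a watchlist lookup, so hxxp://0x2763da4e/ and hxxp://39.99.218[.]78 resolve to the same indicator; the watchlist and sample URLs are constructed for illustration.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Host forms accepted by inet_aton-style parsers: one to four parts, each
# decimal, hex (0x...) or octal (leading 0). Mixed forms like 39.0x63da4e count.
_PART = r"(?:0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*)"
_HOST_RE = re.compile(rf"^{_PART}(?:\.{_PART}){{0,3}}$", re.IGNORECASE)


def _part_value(part: str) -> int:
    p = part.lower()
    if p.startswith("0x"):
        return int(p[2:], 16)
    if len(p) > 1 and p.startswith("0"):
        return int(p, 8)
    return int(p, 10)


def normalize_ipv4_host(host: str) -> Optional[str]:
    """Return canonical dotted-decimal form of a numeric IPv4 host, or None."""
    if not _HOST_RE.match(host):
        return None
    *leading, last = [_part_value(p) for p in host.split(".")]
    if any(v > 255 for v in leading):
        return None
    # inet_aton semantics: the final part fills all remaining bytes.
    remaining = 4 - len(leading)
    if last >= 1 << (8 * remaining):
        return None
    value = 0
    for v in leading:
        value = (value << 8) | v
    value = (value << (8 * remaining)) | last
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))


def canonical_url_host(url: str) -> Optional[str]:
    """Pull the host out of a URL (defanged hxxp:// schemes included) and normalize it."""
    host = urlsplit(url).hostname
    return normalize_ipv4_host(host) if host else None


# Constructed watchlist holding the address quoted in the advisory.
WATCHLIST = {"39.99.218.78"}


def is_watchlisted(url: str) -> bool:
    return canonical_url_host(url) in WATCHLIST
```

Run the same normalization over the `Host` header or the argument of an observed `curl`/`wget` invocation before comparing against indicators; matching on the raw string is exactly what this technique defeats.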
ShellBot, aka PerlBot, is a well-known botnet that uses dictionary attacks to compromise servers that have weak SSH credentials. From there, the server endpoint is marshaled into action to deliver distributed denial-of-service (DDoS) attacks or drop payloads like cryptominers on infected machines.
"If ShellBot is installed, Linux servers can be used … for DDoS attacks against specific targets after receiving a command from the threat actor," ASEC explained. "Moreover, the threat actor could use various other backdoor features to install additional malware or launch different types of attacks from the compromised server."
To protect their organizations from ShellBot attacks, administrators should simply up their password hygiene game, using strong passwords and making sure to rotate their hardened credentials regularly.