'Outlaw' threat actor uses Shellbot variant to form new botnet

News by Bradley Barth

An unknown threat actor has been targeting organisations with botnet malware that communicates with its command-and-control server via the Internet Relay Chat application layer protocol.

An unknown threat actor has been targeting organisations with botnet malware that communicates with its command-and-control server via the Internet Relay Chat application layer protocol.

Nicknamed Outlaw, the hacking group developed the botnet as a Perl language-based variant of Shellbot, according to a 1 November blog post from Trend Micro, whose researchers uncovered the threat. Shellbot is a trojan horse malware that’s typically installed on computers via the Shellshock Unix Bash shell vulnerability that was found back in 2014.

In this case, however, the Perl Shellbot attackers are instead infecting victims via a command injection vulnerability that’s commonly found on IoT devices and Linux servers, but can also affect Windows environments and Android devices. They are also distributing the malware through previously brute-forced or compromised hosts, Trend Micro notes.

Trend Micro theorizes that the botnet has been built with "cyber-criminal purposes" in mind, adding that Outlaw has "looked into targeting big companies," even though its attacks have not been widespread.

As part of this operation, the threat actors have already compromised an unspecified Japanese art institution’s FTP server, as well as a Bangladeshi government website via a Dovecot mail server vulnerability. "They then used two compromised servers and linked them to a high availability cluster to host an IRC bouncer, which was used to command and control the emerging botnet," the Trend Micro blog post explains.

Upon infection, the Perl Shellbot allows the attackers to send commands to the victimised machine via the IRC channel, including commands to conduct a port scan, execute a distributed denial of service attack, download a file, and more.

"The Outlaw group here used an IRC bot, which isn’t a novel threat," the blog post reports. "The code used is available online, making it possible to build such a bot (with a fully undetectable toolset) and operate it under the radar of common network security solutions." 

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming Events