Cyberattackers are targeting Linux SSH servers with the ShellBot malware, and they have a new method for hiding their activity: using hexadecimal IP (Hex IP) addresses to evade behavior-based detection.
According to researchers at the AhnLab Security Emergency Response Center (ASEC), the threat actors are translating the familiar “dot-decimal” command-and-control URL format (i.e., hxxp://39.99.218[.]78) into a Hex IP address format (such as hxxp://0x2763da4e/), which most URL-based detection signatures won’t parse or flag.
“IP addresses can be expressed in formats other than the dot-decimal notation, including decimal and hexadecimal notations, and are generally compatible with widely used Web browsers,” according to the ASEC advisory on the Hex IP attacks. “Due to the usage of curl for the download and its ability to support hexadecimal just like Web browsers, ShellBot can be downloaded successfully on a Linux system environment and executed through Perl.”
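One way a defender can close the gap the researchers describe is to normalise every numeric host spelling that curl and browsers accept back to canonical dotted-decimal before matching it against indicator lists. The Python below is an added example, not code from ASEC or this article; it follows the classic inet_aton rules and therefore also handles octal and short-form (fewer than four parts) spellings that the article does not mention, and the defanged hxxp/[.] handling is an assumption for convenience.

```python
"""Normalise alternative IPv4 spellings (hex, decimal, octal, short-form) to dotted-decimal."""
import re
from typing import Optional
from urllib.parse import urlsplit


def _parse_part(part: str) -> Optional[int]:
    """Parse one component the way inet_aton does: 0x hex, leading-0 octal, else decimal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
        return int(part, 16)
    if re.fullmatch(r"0[0-7]*", part):  # a bare "0" is octal zero
        return int(part, 8)
    if re.fullmatch(r"[1-9][0-9]*", part):
        return int(part, 10)
    return None


def normalize_ipv4(host: str) -> Optional[str]:
    """Return the canonical dotted-decimal form of a numeric IPv4 literal, or None otherwise."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [_parse_part(p) for p in parts]
    if any(v is None for v in values):
        return None
    # Leading components must each fit one octet; the last fills the remaining bytes.
    *lead, last = values
    if any(v > 0xFF for v in lead):
        return None
    remaining = 4 - len(lead)
    if last >= 1 << (8 * remaining):
        return None
    n = 0
    for v in lead:
        n = (n << 8) | v
    n = (n << (8 * remaining)) | last
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def canonical_url_host(url: str) -> Optional[str]:
    """Extract the host of a URL (defanged hxxp / [.] accepted) and normalise numeric forms."""
    cleaned = url.replace("hxxp", "http").replace("[.]", ".")
    host = urlsplit(cleaned).hostname
    if host is None:
        return None
    return normalize_ipv4(host) or host


if __name__ == "__main__":
    # Both spellings from the article resolve to the same indicator after normalisation.
    for sample in ("hxxp://39.99.218[.]78", "hxxp://0x2763da4e/"):
        print(sample, "->", canonical_url_host(sample))
```

Running the normaliser before a signature or blocklist lookup means a hex, decimal or octal spelling of a known C2 address matches the same entry as its dotted-decimal form.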
ShellBot, aka PerlBot, is a well-known botnet that uses dictionary attacks to compromise servers that have weak SSH credentials. From there, the server endpoint is marshalled into action to deliver distributed denial-of-service (DDoS) attacks or drop payloads like cryptominers on infected machines.
“If ShellBot is installed, Linux servers can be used … for DDoS attacks against specific targets after receiving a command from the threat actor,” ASEC explained. “Moreover, the threat actor could use various other backdoor features to install additional malware or launch different types of attacks from the compromised server.”
To protect their organizations from ShellBot attacks, administrators should simply up their password hygiene game: use strong SSH passwords and rotate those credentials on a regular basis.