Monday, May 12, 2025
HomeCyber AttackShell DDoS Malware Attacks Poorly Managed Linux SSH Servers

Shell DDoS Malware Attacks Poorly Managed Linux SSH Servers

Published on

SIEM as a Service

Follow Us on Google News

The ShellBot threat has turned out to be a new type of malware designed to target Linux SSH servers poorly managed as part of a new campaign.

As stated in a report published by AhnLab Security Emergency Response Center (ASEC), ShellBot, also called PerlBot, is a DDoS Bot malware developed using the Perl programming language, which normally communicates with the C&C server using the IRC protocol.

Despite being an old malware, ShellBot has been used steadily over the last few years and is still used today to attack Linux systems.

- Advertisement - Google News

Attack Campaigns

A malware attack typically occurs through a web browser or email attachment in a desktop environment. It is also a common practice for threat actors to distribute malware disguised as legitimate software to convince users to install it on their devices.

In order to attack server environments, threat actors have also used different methods.

The prime targets of these attacks are those services that are poorly managed or are weak to exploit vulnerabilities because they are not patched to the latest version of their software.

There are several ways in which Windows operating systems can be targeted using the remote desktop protocol (RDP) and Microsoft SQL Server service as examples of attack vectors.

Credentials Used

Regarding attacks on Linux servers, Secure Shell (SSH) is one of the most commonly targeted services. When an old Linux server or embedded Linux OS is present in IoT environments, the Telnet service has been the target of dictionary attacks.

IRC protocol & ShellBot Analysis

The Internet Relay Chat (IRC) is a real-time Internet chat protocol that allows users to log on to certain channels and join in real-time discussions with other users who have logged on to the same channel.

An IRC bot can be defined as a piece of bot malware that uses the IRC protocol to communicate with a C&C server via the internet rather than via a regular serial port. 

Commands Used

Infected systems are infected with IRC bots that access an IRC server’s channel designated by threat actors, transmit stolen data, or receive a specific string from the attacker as a command, executing the malicious behavior associated with that string.

There has been a considerable amount of use of ShellBot by a number of threat actors in the past. Researchers have classified ShellBot into three types based on the commands, characteristics, and DDoS attacks used by the malware during installation.

The attack uses a list of known SSH credentials to initiate a dictionary attack, which compromises the server and deploys the payload, after which a remote server is contacted via Internet Relay Chat (IRC) protocol to communicate with the attacker.

On the other hand, PowerBots has a more backdoor-like capability since it can grant reverse shell access to compromised hosts and upload arbitrary files from them.

Nearly three months have passed since ShellBot was employed in attacks that aimed to infect Linux servers with cryptocurrency miners and distribute those miners using shell script compilers.

Building Your Malware Defense Strategy – Download Free E-Book

Related Read:

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Open Source Linux Firewall IPFire 2.29 – Core Update 194 Released: What’s New!

IPFire, the powerful open-source firewall, has unveiled its latest release, IPFire 2.29 – Core...

Threat Actors Leverage DDoS Attacks as Smokescreens for Data Theft

Distributed Denial of Service (DDoS) attacks, once seen as crude tools for disruption wielded...

20-Year-Old Proxy Botnet Network Dismantled After Exploiting 1,000 Unpatched Devices Each Week

A 20-year-old criminal proxy network has been disrupted through a joint operation involving Lumen’s...

“PupkinStealer” – .NET Malware Steals Browser Data and Exfiltrates via Telegram

A new information-stealing malware dubbed “PupkinStealer” has emerged as a significant threat to individuals...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Open Source Linux Firewall IPFire 2.29 – Core Update 194 Released: What’s New!

IPFire, the powerful open-source firewall, has unveiled its latest release, IPFire 2.29 – Core...

Threat Actors Leverage DDoS Attacks as Smokescreens for Data Theft

Distributed Denial of Service (DDoS) attacks, once seen as crude tools for disruption wielded...

20-Year-Old Proxy Botnet Network Dismantled After Exploiting 1,000 Unpatched Devices Each Week

A 20-year-old criminal proxy network has been disrupted through a joint operation involving Lumen’s...