New attack uses a repurposed version of the Trojan that spreads using Internet Relay Chat.

Shellbot crimeware has been spotted in the wild as part of a growing campaign that appears to target infrastructure resources for cryptomining.
Tactics, techniques, and procedures observed in this campaign are similar to TTPs seen previousl with the Outlaw Group, a hacking organization whose operations were previously uncovered by Trend Micro. In Nov. 2018, researchers discussed a host portion of the botnet run by Outlaw, which they found using a tool called “haiduc” and a miner to obtain Monero cryptocurrency.
This latest campaign, detected by JASK Special Ops team (SpecOps) in late Nov. 2018, has these same qualities and was likely the same group. Analysts identified an SSH brute force campaign against Internet-facing Linux devices within the DMZ infrastructure of an education organization.
In the last weeks of November, firewall alerts notified the victim organization of SSH user authentication brute-force attempts, a sign of increased scanning against the target environment. After its machines were breached, network traffic showed payloads being installed and operated from infected devices, researchers explain in a report on the findings.
Payloads delivered to the target organization included Internet Relay Chat (IRC) C2 botware, cryptomining malware, and an SSH scan, brute force, and network propagation toolkit. SpecOps says host machines were hit with an opportunistic attack, likely sponsored by Outlaw, which has been responsible for Shellbot, cryptomining, and SSH brute-force campaigns.
Shellbot is a Trojan that creates a pathway between the attacker’s command-and-control infrastructure and a victim’s device.
The toolkit observed in use in this latest attack contains three primary components: the IRC botware for command-and-control, a revenue stream via Monero mining, and haiduc, the popular scan and brute force tool that helped researchers link this activity to Outlaw, says Rod Soto, JASK director …

Go to Source

Author: Kelly Sheridan Staff Editor, Dark Reading

Comments are closed.