
‘Outlaw’ threat actor uses Shellbot variant to form new botnet

An unknown threat actor has been targeting organizations with botnet malware that communicates with its command-and-control server via the Internet Relay Chat application layer protocol.

Nicknamed Outlaw, the hacking group developed the botnet as a Perl-based variant of Shellbot, according to a Nov. 1 blog post from Trend Micro, whose researchers uncovered the threat. Shellbot is a trojan that is typically installed on computers via the Shellshock Unix Bash shell vulnerability that was found back in 2014.

In this case, however, the Perl Shellbot attackers are instead infecting victims via a command injection vulnerability that's commonly found on IoT devices and Linux servers, but can also affect Windows environments and Android devices. They are also distributing the malware through previously brute-forced or compromised hosts, Trend Micro notes.

Trend Micro theorizes that the botnet has been built with "cybercriminal purposes" in mind, adding that Outlaw has "looked into targeting big companies," even though its attacks have not been widespread.

As part of this operation, the threat actors have already compromised an unspecified Japanese art institution's FTP server, as well as a Bangladeshi government website via a Dovecot mail server vulnerability. "They then used two compromised servers and linked them to a high availability cluster to host an IRC bouncer, which was used to command and control the emerging botnet," the Trend Micro blog post explains.

Upon infection, the Perl Shellbot allows the attackers to send commands to the victimized machine via the IRC channel, including commands to conduct a port scan, execute a distributed denial of service attack, download a file, and more.
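As an added, defender-side illustration (not code from Trend Micro or this article), the following Python parses decoded IRC lines, as they would appear in a packet capture or proxy log, and flags channel or private messages whose first word matches a hypothetical set of bot command verbs drawn from the capabilities listed above; the verb names, hosts and sample lines are constructed assumptions, not indicators from the report.

```python
import re
from typing import List, Optional, Tuple
# Regex for an RFC 1459-style IRC line: optional ":prefix", a command, optional parameters.
IRC_LINE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<command>\S+)(?: (?P<params>.*))?$")
# Hypothetical verbs for the capabilities the article lists (port scan, DDoS, download);
# a real bot's command names are an assumption here and would come from sample analysis.
SUSPECT_VERBS = {"portscan", "ddos", "udpflood", "download"}
Msg = Tuple[Optional[str], str, List[str], Optional[str]]  # prefix, command, params, trailing

def parse_irc_line(line: str) -> Optional[Msg]:
    m = IRC_LINE.match(line.rstrip("\r\n"))
    if not m:
        return None
    raw = m.group("params") or ""
    if raw.startswith(":"):            # only a trailing parameter, e.g. "PING :server"
        params, trailing = [], raw[1:]
    elif " :" in raw:                  # middle params followed by trailing text
        head, trailing = raw.split(" :", 1)
        params = head.split()
    else:                              # middle params only, e.g. "JOIN #chan"
        params, trailing = raw.split(), None
    return (m.group("prefix"), m.group("command").upper(), params, trailing)

def bot_command_in(msg: Msg) -> Optional[str]:
    # Operators drive the bot with channel or private messages; the first word is the verb.
    _, command, _, trailing = msg
    if command not in ("PRIVMSG", "NOTICE") or not trailing:
        return None
    tokens = trailing.lstrip("!.").split() or [""]   # bots often take a "!" or "." prefix
    verb = tokens[0].lower()
    return verb if verb in SUSPECT_VERBS else None

def scan_capture(lines: List[str]) -> List[Tuple[Optional[str], Optional[str], str]]:
    # Returns (sender, target, verb) for every line that carries a suspect bot command.
    hits = []
    for line in lines:
        msg = parse_irc_line(line)
        verb = bot_command_in(msg) if msg else None
        if verb:
            hits.append((msg[0], msg[2][0] if msg[2] else None, verb))
    return hits
# Constructed sample of decoded IRC traffic, not a real capture.
SAMPLE_CAPTURE = [
    ":bot1!~x@10.0.0.5 JOIN #chan",
    ":op!~o@10.0.0.9 PRIVMSG #chan :!portscan 10.0.0.0/24",
    ":alice!~a@10.0.0.7 PRIVMSG #chan :hello everyone",
    ":op!~o@10.0.0.9 PRIVMSG bot1 :.download http://files.example.test/x",
    "PING :irc.example.test",
]
```

Because the bot in the article talks plain IRC, the same parser can be pointed at traffic on non-standard ports where an IRC handshake would not be expected at all.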

"The Outlaw group here used an IRC bot, which isn’t a novel threat," the blog post reports. "The code used is available online, making it possible to build such a bot (with a fully undetectable toolset) and operate it under the radar of common network security solutions." 

Bradley Barth