Perl-Based Shellbot Looks to Target Organizations via C&C


Perl-Based Shellbot Looks to Target Organizations via C&C (Nov 1, 2018)

Trend Micro researchers have discovered a new campaign targeting various organisations through a command injection vulnerability in Internet-of-Things (IoT) devices and Linux servers. The threat group behind the attacks have been dubbed "Outlaw" and utilises a variant of "Perl Shellbot" for various malicious purposes. The threat group has been observed targeting organisations in Japan and Bangladesh, thus far, through compromised File Transfer Protocol (FTP) servers. The botnet first runs a command on a target IoT device to verify that the host accepts commands from the command-line interface (CLI) and then, if the command runs successfully, a payload (n3 file) will download onto the machine that runs with a Perl interpreter. Interestingly, this n3 file is removed at the final stages of the attack so there is no traceable activity left on the infected system. Once this botnet is installed onto the machine, it connects to the threat actor's Command and Control (C2) server. Following the initial infection, the bot modifies the Domain Name System (DNS) settings to confirm that the target is not a honeypot and has connectivity to the internet. The network communication appears to send out an "XMR rig" Monero mining monitoring tool output.

Recommendation: It is crucial that your company ensure that servers are always running the most current software version. Your company should have policies in place in regards to the proper configurations needed for your servers in order to conduct your business needs safely. In addition, policies should be in place in regards to bring-your-device to consider every IoT device as a potential security liability. Furthermore, always practice Defence-in-Depth (do not rely on single-security mechanisms; security measures should be layered, redundant, and fail-safe).

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.