The ShellBot Threat: A New Use for Hexadecimal IP Addresses

admin, 13 October 2023 22:35:08

The threat actors behind ShellBot are using IP addresses rewritten in hexadecimal notation to infiltrate poorly managed Linux SSH servers and deploy the DDoS malware.

"The overall flow remains the same, but the download URL used by the threat actor to install ShellBot has changed from a regular IP address to a hexadecimal value," the AhnLab Security Emergency response Center (ASEC) said in a new report published today.

ShellBot, also known by the name PerlBot, is known to breach servers that have weak SSH credentials by means of a dictionary attack, with the malware used as a conduit to stage DDoS attacks and deliver cryptocurrency miners.

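The initial access described above is plain password guessing over SSH, which leaves a very recognisable trail in sshd's authentication log. The following is an added example (not code from ASEC or from the ShellBot authors) of the detection a defender would run over that log: it groups failed password attempts by source address, reports sources that exceed a threshold, and flags any password login that later succeeded from the same source, since that is the point at which the bot gets installed. The log lines are constructed for the example and use RFC 5737 test addresses; the threshold of five is an arbitrary choice.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample sshd log lines (RFC 5737 test addresses), not data from the
# report: one source tries several accounts and finally gets in as root, a
# second source has a single typo followed by a key-based login.
SAMPLE_AUTH_LOG = """\
Oct 13 22:35:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Oct 13 22:35:02 host sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Oct 13 22:35:03 host sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Oct 13 22:35:04 host sshd[1205]: Failed password for invalid user oracle from 203.0.113.5 port 51244 ssh2
Oct 13 22:35:05 host sshd[1207]: Failed password for root from 203.0.113.5 port 51250 ssh2
Oct 13 22:35:06 host sshd[1209]: Accepted password for root from 203.0.113.5 port 51256 ssh2
Oct 13 22:36:10 host sshd[1300]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Oct 13 22:36:20 host sshd[1302]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

# Matches both "Failed password for invalid user X from ..." and
# "Accepted password for X from ..." as written by OpenSSH's sshd.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_auth_log(text: str) -> List[Dict[str, str]]:
    """Extract (result, method, user, src) from sshd authentication lines."""
    return [m.groupdict() for m in map(LINE_RE.search, text.splitlines()) if m]


def find_dictionary_attacks(events: List[Dict[str, str]], threshold: int = 5) -> Dict[str, dict]:
    """Group failed password attempts by source address. Sources at or above
    `threshold` failures are reported, together with any password login that
    succeeded from that source after the failures (a likely compromise)."""
    failures = defaultdict(list)   # src -> usernames tried
    successes = defaultdict(list)  # src -> usernames that got in afterwards
    for ev in events:
        if ev["method"] != "password":  # key-based logins are not guessing
            continue
        if ev["result"] == "Failed":
            failures[ev["src"]].append(ev["user"])
        elif failures.get(ev["src"]):
            successes[ev["src"]].append(ev["user"])
    return {
        src: {
            "failures": len(users),
            "users": sorted(set(users)),
            "succeeded_as": successes.get(src, []),
        }
        for src, users in failures.items()
        if len(users) >= threshold
    }


if __name__ == "__main__":
    report = find_dictionary_attacks(parse_auth_log(SAMPLE_AUTH_LOG))
    for src, info in report.items():
        status = f"COMPROMISED as {info['succeeded_as']}" if info["succeeded_as"] else "blocked so far"
        print(f"{src}: {info['failures']} failed password logins for {info['users']} -> {status}")
```

In the sample, 203.0.113.5 is reported with five failures across root, admin and oracle and a subsequent successful password login as root; 198.51.100.7 stays below the threshold and its key-based login is ignored. On a real host the same logic applies to the journal output of `sshd` or to `/var/log/auth.log`.
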
Developed in Perl, the malware uses the IRC protocol to communicate with a command-and-control (C2) server.

The latest set of observed attacks involving ShellBot installs the malware from a hexadecimal IP address (for example hxxp://0x2763da4e/, which corresponds to 39.99.218[.]78) in what is seen as an attempt to evade URL-based detection signatures.

"Due to the usage of curl for the download and its ability to support hexadecimal just like web browsers, ShellBot can be downloaded successfully on a Linux system environment and executed through Perl," ASEC said.

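Both of the preceding paragraphs come down to one fact: curl, like browsers, hands the host part of a URL to an inet_aton()-style parser, which accepts a single 32-bit number (hex, decimal or octal) and two- and three-part forms as well as the familiar dotted quad. A signature that only matches the dotted-quad spelling therefore misses the same server written any other way. The following is an added example, not code from ASEC or from the ShellBot authors, that implements those parsing rules so that a URL watchlist can be matched on the canonical address regardless of how the host was written; it goes beyond the report's single hex case to the other notations the same parser accepts. The watchlist label and the non-hex spellings of the address are constructed for the example; the address itself is the one from the report.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Digit sets for the three radixes inet_aton() accepts per component.
_DIGITS = {16: r"[0-9a-f]+", 8: r"[0-7]+", 10: r"[0-9]+"}


def _parse_part(part: str) -> int:
    """Parse one dot-separated component with inet_aton() rules:
    '0x'/'0X' prefix means hex, a leading '0' means octal, otherwise decimal."""
    low = part.lower()
    if low.startswith("0x"):
        digits, base = low[2:], 16
    elif len(low) > 1 and low.startswith("0"):
        digits, base = low[1:], 8
    else:
        digits, base = low, 10
    # int() would also accept '_' and surrounding whitespace; be strict instead.
    if not re.fullmatch(_DIGITS[base], digits):
        raise ValueError(f"not an inet_aton component: {part!r}")
    return int(digits, base)


def numeric_host_to_dotted(host: str) -> Optional[str]:
    """Return the canonical dotted-quad for an IPv4 literal written in any
    inet_aton()-accepted form (a, a.b, a.b.c or a.b.c.d with each part in
    hex, octal or decimal), or None if host is not such a literal."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    *lead, last = values
    # Every component except the last is one byte; the last fills the rest.
    if any(v > 0xFF for v in lead):
        return None
    last_bits = 8 * (4 - len(lead))
    if last >= 1 << last_bits:
        return None
    addr = 0
    for v in lead:
        addr = (addr << 8) | v
    addr = (addr << last_bits) | last
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def canonical_url_host(url: str) -> str:
    """Host of a (possibly defanged) URL, with numeric hosts canonicalised."""
    cleaned = url.replace("[.]", ".")  # undo the usual report defanging
    host = urlsplit(cleaned).hostname or ""
    return numeric_host_to_dotted(host) or host


def flag_download_urls(urls: List[str], watchlist: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Match URLs against a watchlist of dotted-quad IPs regardless of how the
    host was written. Returns (url, canonical_host, label) for each hit."""
    hits = []
    for url in urls:
        host = canonical_url_host(url)
        if host in watchlist:
            hits.append((url, host, watchlist[host]))
    return hits


# Constructed sample input: the host from the ASEC report written five ways,
# plus two benign URLs. The watchlist label is hypothetical.
WATCHLIST = {"39.99.218.78": "ShellBot download host (ASEC, Oct 2023)"}
SAMPLE_URLS = [
    "hxxp://0x2763da4e/",                # hex, as in the report
    "http://660855374/bot.pl",           # same address as one decimal number
    "http://047.0143.0332.0116/bot.pl",  # dotted octal
    "http://0x27.0x63.0xda.0x4e/",       # dotted hex
    "http://39.99.55886/",               # three-part form (last part is 16 bits)
    "https://example.com/update",        # benign hostname
    "http://198.51.100.7/",              # benign address (RFC 5737 range)
]

if __name__ == "__main__":
    for url, host, label in flag_download_urls(SAMPLE_URLS, WATCHLIST):
        print(f"{url:36} -> {host}  [{label}]")
```

Run stand-alone, the script flags the first five sample URLs as the same host, 39.99.218.78, and leaves the two benign ones alone. The practical consequence for detection content is that IP-based indicators should be matched after canonicalisation of the URL host, never as a literal string match on the dotted form.
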
The development signals that ShellBot continues to see steady use in attacks against Linux systems.

Because ShellBot can be used to install additional malware or launch different types of attacks from the compromised server, users are advised to switch to strong passwords and change them periodically to resist brute-force and dictionary attacks.

The disclosure also comes as ASEC revealed that attackers are abusing abnormal certificates with unusually long strings in the Subject Name and Issuer Name fields in a bid to distribute information-stealer malware such as Lumma Stealer and a variant of RedLine Stealer known as RecordBreaker.

"These types of malware are distributed via malicious pages that are easily accessible through search engines (SEO poisoning), posing a threat to a wide range of unspecified users," ASEC said. "These malicious pages primarily use keywords related to illegal programs such as serials, keygens, and cracks."

Originally published on the WeChat official account 知机安全 under the title "The ShellBot Threat: A New Use for Hexadecimal IP Addresses".

Reposted by CN-SEC中文网 (retain this link when reposting): http://cn-sec.com/archives/2109192.html