Can also compromise Android and Windows devices

Nov 2, 2018 19:51 GMT

A new botnet controlled via IRC and using a Shellbot variant has been propagating through vulnerabilities in Internet of Things (IoT) devices, Linux servers, Android devices, and Windows machines, according to Trend Micro's research.

As discovered by the Trend Micro Cyber Safety Solutions Team, the botnet has been created by a Romanian threat group named Outlaw and is using the servers of a Bangladeshi government website and a Japanese art institution as command-and-control (C&C) servers, among many others.

The threat actors use an IRC bouncer running on the botnet C&C servers to control the botnet by issuing commands to the bots in an IRC channel.

Trend Micro also discovered that although the botnet initially propagated by exploiting the Shellshock vulnerability, its operators moved to using previously compromised machines as bot hosts.

After the attackers gain access to a target device, the bot payload is downloaded and started; it then contacts the C&C server and establishes persistence on the victim machine.

The botnet might have already compromised more than 65K devices

The bots then connect to an IRC network and automatically join a channel, which also serves as the control platform for all bots.

The IRC channels joined by the bots allow the botnet's masters to issue a wide range of commands, from downloading files and listing system information to port scanning and DDoS attacks.
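From the defender's side, the control pattern described above (register a nick, join a channel, take prefixed commands from an operator, answer into the channel) is what makes an IRC bot stand out from a person chatting. The following added example, which is not code from the article or from Trend Micro's research, triages a captured IRC session along those lines. The channel name, nicks, and command words such as `!sysinfo` are constructed for illustration; the real bot's command syntax is not given on this page.

```python
"""Heuristic triage of a captured IRC session: does the monitored host
behave like a bot taking orders from a channel, or like a person chatting?"""

# Constructed sample sessions as a sensor would see them on the wire, tagged
# with direction relative to the monitored host. Channel, nick and command
# names are invented for this example and are not from the Trend Micro report.
BOT_SESSION = [
    ("out", "NICK host-4417"),
    ("out", "USER x86 0 * :linux"),
    ("in",  ":irc.example.invalid 001 host-4417 :Welcome to the network"),
    ("out", "JOIN #ctrl"),
    ("in",  ":host-4417!x86@10.0.0.5 JOIN :#ctrl"),
    ("in",  ":op!op@c2.example.invalid PRIVMSG #ctrl :!sysinfo"),
    ("out", "PRIVMSG #ctrl :Linux 4.9.0 x86_64 up 12 days"),
    ("in",  ":op!op@c2.example.invalid PRIVMSG #ctrl :!portscan 192.0.2.10 22,80,443"),
    ("out", "PRIVMSG #ctrl :192.0.2.10 open: 22 80"),
    ("in",  ":op!op@c2.example.invalid PRIVMSG #ctrl :!udpflood 192.0.2.20 53 60"),
]

HUMAN_SESSION = [
    ("out", "NICK alice"),
    ("out", "USER alice 0 * :Alice"),
    ("in",  ":irc.example.invalid 001 alice :Welcome to the network"),
    ("out", "JOIN #linux"),
    ("in",  ":bob!bob@203.0.113.7 PRIVMSG #linux :anyone tried the new kernel?"),
    ("out", "PRIVMSG #linux :not yet, waiting for the point release"),
]

# Words in an operator command that hint at the capabilities the article lists
# (system information, file download, port scanning, DDoS). Hypothetical list.
CAPABILITY_HINTS = {
    "recon":    ("sysinfo", "uname", "info"),
    "download": ("download", "wget", "curl", "fetch"),
    "portscan": ("scan",),
    "ddos":     ("flood", "ddos"),
}
COMMAND_PREFIXES = ("!", ".", "@")


def parse_irc(line):
    """Split one IRC line into (prefix, command, params) using RFC 1459 framing:
    optional ':prefix', a command, space-separated params, optional ' :trailing'."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    cmd = parts[0].upper() if parts else ""
    params = parts[1:]
    if sep:
        params.append(trailing)
    return prefix, cmd, params


def analyse_irc_session(session):
    """Return a triage record for one list of (direction, raw_line) tuples."""
    nick = None
    joined = set()
    commands = []          # prefixed instructions received in a joined channel
    replies = 0            # monitored host answering into the channel after one
    capabilities = set()
    awaiting_reply = False
    for direction, raw in session:
        prefix, cmd, params = parse_irc(raw)
        if direction == "out":
            if cmd == "NICK" and params:
                nick = params[0]
            elif cmd == "JOIN" and params:
                joined.update(params[0].split(","))
            elif cmd == "PRIVMSG" and len(params) >= 2 and params[0] in joined and awaiting_reply:
                replies += 1
                awaiting_reply = False
        elif cmd == "PRIVMSG" and len(params) >= 2 and params[0] in joined:
            sender = (prefix or "").split("!")[0]
            text = params[1].strip()
            if sender != nick and text.startswith(COMMAND_PREFIXES):
                commands.append(text)
                awaiting_reply = True
                lowered = text.lower()
                for cap, words in CAPABILITY_HINTS.items():
                    if any(w in lowered for w in words):
                        capabilities.add(cap)
    if nick and joined and commands and replies:
        verdict = "likely_bot"
    elif commands:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {
        "nick": nick,
        "channels": sorted(joined),
        "commands": commands,
        "replies": replies,
        "capabilities": sorted(capabilities),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, sess in (("bot", BOT_SESSION), ("human", HUMAN_SESSION)):
        print(name, analyse_irc_session(sess))
```

The command/reply pairing is the useful signal: a human in a channel is not answered by the monitored host within one line every time a prefixed message arrives. In a real deployment the session would come from a proxy or IDS that reassembles IRC on whatever port the bouncer uses, since C2 traffic of this kind need not sit on 6667.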

Besides the exploit files, which allowed the researchers to reconstruct the device exploitation process, Trend Micro also discovered a hacking toolset that makes it easy to target organizations with SSH brute-force and DoS attacks.

"The file, gasite.txt, contains the loot and is the final output of the Haiduc tool, where the brute forcing resulted in 65,288 possibly compromised hosts," as stated by Trend Micro in their research appendix.
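The brute-force stage is the one most defenders can see in their own logs. As an added example (not code from the article, from Trend Micro, or from the Haiduc tool itself), the script below reads sshd lines in syslog format, counts failures per source inside a sliding window, and separately flags the case that matters most: a successful login from a source that was just brute-forcing, which is how a host ends up in a list like gasite.txt. The log lines are constructed and use documentation IP ranges; the threshold and window are assumptions to tune.

```python
"""Spot SSH brute forcing, and brute forcing that succeeded, in sshd logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines (syslog format, documentation IP ranges).
SAMPLE_AUTH_LOG = """\
Nov  2 19:50:01 web1 sshd[2210]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2
Nov  2 19:50:02 web1 sshd[2212]: Failed password for invalid user pi from 198.51.100.23 port 51236 ssh2
Nov  2 19:50:03 web1 sshd[2214]: Failed password for root from 198.51.100.23 port 51240 ssh2
Nov  2 19:50:04 web1 sshd[2216]: Failed password for root from 198.51.100.23 port 51241 ssh2
Nov  2 19:50:05 web1 sshd[2218]: Failed password for root from 198.51.100.23 port 51242 ssh2
Nov  2 19:50:07 web1 sshd[2220]: Accepted password for root from 198.51.100.23 port 51244 ssh2
Nov  2 19:55:30 web1 sshd[2301]: Failed password for alice from 203.0.113.8 port 40022 ssh2
Nov  2 19:55:41 web1 sshd[2303]: Accepted publickey for alice from 203.0.113.8 port 40023 ssh2
Nov  2 20:10:00 web1 sshd[2400]: Failed password for invalid user test from 192.0.2.77 port 33001 ssh2
Nov  2 20:10:01 web1 sshd[2402]: Failed password for invalid user guest from 192.0.2.77 port 33002 ssh2
Nov  2 20:10:02 web1 sshd[2404]: Failed password for invalid user oracle from 192.0.2.77 port 33003 ssh2
"""

# Matches OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def detect_ssh_bruteforce(log_text, threshold=3, window=timedelta(seconds=60)):
    """Return {source_ip: finding} for sources that reached `threshold` failed
    logins inside `window`; a later Accepted from such a source upgrades the
    finding to possible_compromise. Threshold and window are assumed values."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; relative ordering is all we need here.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events[m["src"]].append((ts, m["result"], m["method"], m["user"]))

    findings = {}
    for src, evs in events.items():
        evs.sort()
        recent_fail = []      # timestamps of failures still inside the window
        users = set()
        peak = 0
        verdict = None
        for ts, result, method, user in evs:
            recent_fail = [t for t in recent_fail if ts - t <= window]
            if result == "Failed":
                recent_fail.append(ts)
                users.add(user)
                peak = max(peak, len(recent_fail))
                if len(recent_fail) >= threshold:
                    verdict = verdict or "brute_force"
            elif result == "Accepted" and len(recent_fail) >= threshold:
                # Success right after a burst of failures: treat as compromised.
                verdict = "possible_compromise"
        if verdict:
            findings[src] = {
                "verdict": verdict,
                "peak_failures": peak,
                "usernames": sorted(users),
            }
    return findings


if __name__ == "__main__":
    for src, finding in detect_ssh_bruteforce(SAMPLE_AUTH_LOG).items():
        print(src, finding)
```

A single mistyped password followed by a key-based login (the 203.0.113.8 case) is not reported, while a password success after a burst of root and invalid-user failures is, which is the event worth paging on rather than the brute force itself.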

Among the devices successfully compromised by the Outlaw group, Trend Micro found database servers, network switches, VPN gateways, smart car charging systems, honeypots, and firewalls from all over the world.

Photo gallery (2 images): botnet; list of available commands.