A cybercriminal group called Outlaw is using a Perl Shellbot to go after enterprises’ IoT devices.
The Trend Micro Cyber Safety Solutions Team observed a Perl Shellbot exploiting CVE-2017-1000117 to distribute an Internet Relay Chat (IRC) bot. This vulnerability allows attackers to pass a crafted “ssh://…” URL to unwary victims and execute programs on their devices. According to Trend Micro, this threat can affect enterprise IoT devices, Windows-based environments, Linux servers, and Android devices.
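As an added defender-side check (not code from the Trend Micro report or from the Outlaw toolset), the Python below flags submodule URLs of the shape CVE-2017-1000117 abused: an ssh host or user that begins with a dash, which the ssh client can read as an option rather than a hostname. It generalizes to the scp-style user@host:path form as well; the .gitmodules sample and the option name in it are constructed.

```python
import re
from urllib.parse import urlsplit

SSH_SCHEMES = {"ssh", "git+ssh", "ssh+git"}


def ssh_host_is_safe(url: str) -> bool:
    """Return False for ssh URLs whose host or user starts with '-'.

    Such a value is handed to the ssh client in a position where it can be
    parsed as a command-line option instead of a destination, which is the
    core of CVE-2017-1000117. Non-ssh URLs and local paths are left alone.
    """
    if "://" in url:
        parts = urlsplit(url)
        if parts.scheme.lower() not in SSH_SCHEMES:
            return True  # only ssh-style URLs reach the ssh client
        host = parts.hostname or ""
        user = parts.username or ""
    else:
        # scp-style syntax: [user@]host:path (no scheme)
        m = re.match(r"^(?:([^@/]+)@)?([^:/]+):", url)
        if not m:
            return True  # plain local path, not an ssh destination
        user, host = m.group(1) or "", m.group(2)
    return bool(host) and not host.startswith("-") and not user.startswith("-")


def find_unsafe_submodule_urls(gitmodules_text: str) -> list:
    """Return every 'url = ...' value in a .gitmodules file that fails the check."""
    bad = []
    for raw in gitmodules_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("url"):
            _, _, value = line.partition("=")
            value = value.strip()
            if not ssh_host_is_safe(value):
                bad.append(value)
    return bad


# Constructed sample: one ordinary submodule and one with a dash-led host.
SAMPLE_GITMODULES = """\
[submodule "lib"]
    path = lib
    url = ssh://git@example.com/org/lib.git
[submodule "tools"]
    path = tools
    url = ssh://-oExampleOption=value/repo
"""

if __name__ == "__main__":
    for url in find_unsafe_submodule_urls(SAMPLE_GITMODULES):
        print("suspicious submodule url:", url)
```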
The threat group communicates with the botnet through two compromised servers: one belonging to a Japanese art institution and one to a Bangladeshi government website. Outlaw linked these two servers into a high-availability cluster to host an IRC bouncer and uses this asset for command-and-control (C&C) to target large enterprises in more than a dozen countries, including the U.S., Germany, Japan, and Israel.
IRC botnets are not new. In late 2016, MalwareMustDie observed attackers using new malware they called Linux/IRCTelnet to perform distributed denial-of-service (DDoS) attacks via an IRC botnet. Over a year later, Arbor Networks reported that attackers had used MedusaIRC and its IRC-based C&C to craft MedusaHTTP, an HTTP-based DDoS botnet written on the .NET framework.
Unfortunately, it’s not so difficult for cybercriminal groups like Outlaw to create this type of threat. Trend Micro observed that the code the threat group used in its attacks is available online, so anyone can use it to create a bot with a toolset that evades detection.