Trickbot and Shellbot malware threats

Trend Micro released two new reports on malware threats named Trickbot and Shellbot.

Trickbot added a new password grabber module this month. Cyber criminals had previously added screen-locking and detection evasion features to Trickbot (previously known as just a simple banking trojan) last year.

According to Trend Micro, Trickbot “steals access from several applications and browsers, such as Microsoft Outlook, Filezilla, WinSCP, Google Chrome, Mozilla Firefox, Internet Explorer, and Microsoft Edge.”

The latest Trickbot variant has affected users mainly in the United States, Canada, and the Philippines.

“Malware authors continue to cash in on Trickbot’s modular structure — its ability to continually update itself by downloading new modules from a C&C server and change its configuration make for a malware that’s ripe for updating,” Trend Micro added. 

Trend Micro also spotted a new Perl-based botnet dubbed Shellbot targeting organizations via command and control (C&C) systems.

Trend Micro uncovered the hacking group operations named “Outlaw” that involves the use of an IRC bot built via Perl Shellbot. 

“The group distributes the bot by exploiting a common command injection vulnerability on internet of things (IoT) devices and Linux servers. Further research indicates that the threat can also affect Windows-based environments and even Android devices,” Trend Micro said. 

The hackers exploited a vulnerability to compromise an FTP server of a Japanese organization and a Bangladeshi government website site via Dovecot mail server vulnerability. The hackers in turn added and linked the compromised systems to a high availability cluster to host an IRC bouncer, used for C&C of the botnet. 

“The botnet itself is built with a Shellbot variant with script written in Perl and even available on GitHub. The botnet was previously distributed via an exploit of the Shellshock vulnerability, hence the name ‘Shellbot.’ This time, the threat actors mostly distribute it via previously brute-forced or compromised hosts,” Trend Micro added. 

Leave a Reply

Close Menu