Shellbot Malware

Shellbot, first written about by Jask in February, uses an old but reliable technique, brute-forcing SSH logins on internet-connected Linux servers that have weak passwords, to gain a foothold on a system and mine cryptocurrency.

The malware now has new capabilities: it can spread through a network and shut down other cryptominers on infected computers, freeing up more processing power for its own cryptomining operation.

The malware has three components. Although it is not known exactly how the malware is delivered, the researchers found the dropper script used to install the malicious payload from the malware's command and control server, an IRC chat server that the hackers use to check the status of the malware and run commands remotely. A 272-line script then checks whether any other cryptominers are on the system and installs its own. The cryptominer then begins mining Monero, a privacy-focused cryptocurrency, and sends the proceeds back to a MoneroHash server.

Source: TechCrunch

How do you protect yourself?

Proper security measures must be in place to defend against Shellbot Malware and similar threats. Having proper up-to-date endpoint and firewall security provides a cross-generational blend of threat defense techniques to protect systems from malware.

CVE-2019-10952

An attacker could send a crafted HTTP/HTTPS request that renders the web server unavailable and/or leads to remote code execution, caused by a stack-based buffer overflow vulnerability. A cold restart is required to recover CompactLogix 5370 L1, L2, and L3 Controllers, Compact GuardLogix 5370 Controllers, and Armor Compact GuardLogix 5370 Controllers, versions 20 to 30.014 and earlier.

Source: NIST

How do you protect yourself?

Ensure you’re updated with the latest firmware patches.

Sodinokibi Ransomware

A recently-disclosed critical vulnerability in Oracle WebLogic is being actively exploited in a slew of attacks, which are distributing a never-before-seen ransomware variant.

The ransomware first came onto researchers’ radar on April 25 (the day before a patch was released), after attackers attempted to make an HTTP connection with a vulnerable Oracle WebLogic server.

Once attackers found a vulnerable server, they sent an HTTP POST request to it. The request contained a PowerShell command that downloaded a file called “radm.exe”, saved the ransomware locally and executed it.

Once downloaded, the ransomware encrypted the victim’s systems and displayed a ransom note directing victims to a page on the Tor network and to a domain on the public web (decryptor[.]top), which was registered on March 31 this year.

Source: ThreatPost

How do you protect yourself?

Proper security measures must be in place to defend against Sodinokibi Ransomware and similar threats. Ensure your systems have the latest patches installed. Backing up your data and having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.