Shellbot malware evolves to spread and shuts down other cryptominers

When hackers want to make a quick buck, mining cryptocurrency seems to be the way to go.

New research out Wednesday by Boston-based security firm Threat Stack, shared exclusively with TechCrunch, reveals that a new variant of the Shellbot malware is taking a leaf out of other cryptocurrency-mining malware's book by breaking into computers and using their resources to make money.

Shellbot, first written about by Jask in February, now uses an old but reliable SSH brute force technique to break into internet-connected Linux servers with weak passwords, then infects the system and mines cryptocurrency.
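One way a defender could spot the weak-password SSH brute forcing described above in sshd logs, as an added example (not code from the article, Threat Stack or Jask; the log lines are constructed, and the failure threshold and time window are assumptions):

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd log lines in syslog format (not taken from the article).
SAMPLE_LOG = """\
Apr 29 10:01:02 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 51001 ssh2
Apr 29 10:01:03 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Apr 29 10:01:04 web1 sshd[2205]: Failed password for root from 203.0.113.7 port 51003 ssh2
Apr 29 10:01:05 web1 sshd[2207]: Failed password for root from 203.0.113.7 port 51004 ssh2
Apr 29 10:01:06 web1 sshd[2209]: Failed password for root from 203.0.113.7 port 51005 ssh2
Apr 29 10:01:09 web1 sshd[2211]: Accepted password for root from 203.0.113.7 port 51006 ssh2
Apr 29 10:05:00 web1 sshd[2300]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Apr 29 10:30:00 web1 sshd[2350]: Failed password for alice from 198.51.100.9 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse(line, year=2019):
    """Parse one sshd line into (timestamp, result, user, ip); None if it is not a password event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(lines, threshold=5, window_s=60):
    """Flag a source IP once it has `threshold` failed logins within `window_s` seconds
    (assumed values), and flag again if that IP later logs in successfully."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, result, _user, ip = rec
        q = failures[ip]
        if result == "Failed":
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_s:  # slide the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append((ip, "brute_force", ts))
        elif result == "Accepted" and ip in flagged:
            alerts.append((ip, "success_after_brute_force", ts))
    return alerts
```

Two slow failures from the second address stay below the threshold, while the burst from the first address is flagged and its later successful root login is flagged as a likely compromise.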

But now, Threat Stack says, the malware has new capabilities that let it spread through a network and shut down other cryptominers on infected computers, freeing up more processing power for its own cryptomining operation.

“The main goal of this campaign appears to be monetary gain via cryptomining and propagating itself to other systems on the internet,” the research said.

The researchers found the malware on a customer’s Linux server, but declined to name the customer — only that it’s a U.S.-based company with a global footprint. The system was shut down after it was found to be used to target other vulnerable machines.

The malware has three components. Although it’s not known exactly how the malware is delivered, the researchers found the dropper script used to install the malicious payload from the malware’s command and control server, an IRC chat server, which the hackers can use to check the status of the malware and remotely run commands. Using a 272-line script, the malware checks to see if any other cryptominers are on the system and installs its own. Then, the cryptominer begins mining Monero, a privacy-focused cryptocurrency, and sends the proceeds back to a MoneroHash server.

According to the MoneroHash campaign, the malware was making about $300 a day — or $8,000 in total. But the more servers infected, the greater the cryptomining returns will be.

“The threat actors behind this campaign have shown the ability and willingness to update this malware with new functionality after it has gained a foothold on an infected system,” Sam Bisbee, chief security officer at Threat Stack, told TechCrunch.

“They are fully capable of using this malware to exfiltrate, ransom or destroy data,” he said.

Shellbot is the latest malware to put a premium on mining cryptocurrency rather than just exfiltrating files. It emerged last week that a new malware, Beapy, was using leaked National Security Agency hacking tools to burrow into corporate networks to mine cryptocurrency at the file level.

Bisbee said the company is continuing to investigate Shellbot, but that the malware was likely “being used broadly based on its capabilities.”