Shellbot, a malware program first found in 2005, has made a comeback with new capabilities: cryptojacking and shutting down other miners. In its early days, the malware was used to forcibly gain access to Linux servers.
Now, malicious actors are deploying Shellbot to forcibly mine Monero, one of the popular privacy-centric cryptocurrencies.
According to a report released by Threat Stack, a cybersecurity company based in Boston, Shellbot has been spotted on a Linux server of a U.S. firm with a global footprint. Although researchers at the cybersecurity firm have yet to uncover how the malware propagates, they discovered that it uses an Internet Relay Chat (IRC) server for command and control. The IRC server lets Shellbot’s operators check the level of damage on an infected machine.
TechCrunch reported that the malware is also able to “shut down other cryptominers on infected computers.” Consequently, Shellbot claims a considerable chunk of the infected machine’s processing power, thereby mining more Monero coins (XMR). Threat Stack estimates that the malware nets attackers approximately $300 within 24 hours.
The cybersecurity firm’s report added that:
“The main goal of this campaign [Shellbot] appears to be monetary gain via cryptomining and propagating itself to other systems on the internet.”
Apart from cryptojacking and shutting down other cryptominers, Shellbot can exfiltrate data and demand a ransom or “destroy data.”
Recently, new or previously dormant cryptojacking malware strains have been finding renewed strength. For instance, another piece of malware, Beapy, has been discovered using leaked NSA exploits to infiltrate corporate networks and mine virtual currencies.
In March, the developers of CoinHive, a popular browser-based mining service that was abused by malicious actors, withdrew their support from the project. Malwarebytes, a cybersecurity firm, indicated that the failure of CoinHive signaled that cryptojackers would shift their focus from consumers to businesses. Last month, research done by the cybersecurity firm confirmed the new trend.