Recently, the Threat Stack Security Operations Center (SOC) team discovered a new variant of Shellbot, a malware known since 2005, which has now been modified to mine Monero and to stop any other mining software already active on the victim's computer.
Shellbot was originally designed to break into a machine by brute-forcing credentials for its Secure Shell (SSH) service, the protocol used to gain remote access to the system.
In addition to keeping the same features, the new version of Shellbot also mines the Monero (XMR) cryptocurrency, which is, unfortunately, the preferred currency for this kind of operation because of the privacy it offers compared to other virtual currencies.
The malware also runs on Linux systems, where it installs three components using customized scripts. Its command-and-control (C2) infrastructure is an IRC (Internet Relay Chat) server, through which the operators check and monitor the status of the infected computer; according to estimates by the security team, each infected machine generates about $300 in Monero.
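Because the initial-access vector described above is an SSH password brute force, the most useful host-side check is to watch the SSH daemon's own log for bursts of failed logins from one source and, above all, for a successful login from a source that was just seen failing repeatedly. The following detector is an added example written for this article; it is not code from Threat Stack or from the Shellbot analysis. It assumes OpenSSH's syslog-style `auth.log` lines, a constructed set of sample lines (the addresses are documentation ranges, not real indicators), an assumed log year of 2024 because syslog lines carry none, and a threshold of five failures within sixty seconds, which is a tunable assumption rather than a documented value.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (not real logs): one source hammers root and then
# succeeds; a second source has a single typo-style failure followed by a key login.
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.7 port 41002 ssh2
Mar  3 10:00:02 host sshd[1002]: Failed password for root from 203.0.113.7 port 41003 ssh2
Mar  3 10:00:03 host sshd[1003]: Failed password for invalid user admin from 203.0.113.7 port 41004 ssh2
Mar  3 10:00:04 host sshd[1004]: Failed password for root from 203.0.113.7 port 41005 ssh2
Mar  3 10:00:05 host sshd[1005]: Failed password for root from 203.0.113.7 port 41006 ssh2
Mar  3 10:00:06 host sshd[1006]: Accepted password for root from 203.0.113.7 port 41007 ssh2
Mar  3 10:05:00 host sshd[1007]: Failed password for alice from 198.51.100.2 port 50001 ssh2
Mar  3 10:30:00 host sshd[1008]: Accepted publickey for alice from 198.51.100.2 port 50002 ssh2
"""

# Matches the OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>" form.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year=2024):
    """Return a dict for an sshd auth event, or None for lines we do not care about.
    The year is an assumption: syslog timestamps omit it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Sliding-window brute-force detector.

    flagged:     ip -> time at which `threshold` failures inside `window_seconds` were first seen
    compromised: (ip, user, ts) for every accepted login from an already-flagged ip
    """
    failures = defaultdict(list)  # ip -> timestamps of recent failures
    flagged = {}
    compromised = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["result"] == "Failed":
            window = failures[ip]
            window.append(ev["ts"])
            # Evict failures that fell out of the window.
            while (ev["ts"] - window[0]).total_seconds() > window_seconds:
                window.pop(0)
            if len(window) >= threshold and ip not in flagged:
                flagged[ip] = ev["ts"]
        elif ev["result"] == "Accepted" and ip in flagged:
            # A success after a flagged burst is the signal that matters most:
            # the password guessing very likely worked.
            compromised.append((ip, ev["user"], ev["ts"]))
    return flagged, compromised


def analyze_sample():
    """Run the detector over the constructed sample; handy for tests and a quick demo."""
    return detect_bruteforce(SAMPLE_AUTH_LOG)


if __name__ == "__main__":
    flagged, compromised = analyze_sample()
    for ip, ts in flagged.items():
        print(f"brute force from {ip} (threshold crossed at {ts})")
    for ip, user, ts in compromised:
        print(f"ALERT: successful login for {user} from flagged source {ip} at {ts}")
```

The second source in the sample is deliberately left unflagged: a single failure followed by a public-key login is ordinary user behaviour, and a detector that fires on it would drown the real signal. On a production host the same logic can be fed from `journalctl -u ssh` or by tailing the log file, and the "accepted after flagged" event is the one worth paging on; a flagged burst alone is a reason to rate-limit the source and to confirm that password authentication is disabled in favour of keys.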
As stated by Sam Bisbee, Chief Security Officer of Threat Stack:
“The threat actors behind this campaign have shown the ability and willingness to update this malware with new functionality after it has gained a foothold on an infected system. They are fully capable of using this malware to exfiltrate, ransom or destroy data”.