2021-06-29

With the exponential rise in the value of cryptocurrency, cybercrime built around these digital coins has been rising as well. Aside from the devastating rise of ransomware attacks, the illegal mining of cryptocurrency on devices one does not own, aka cryptojacking, has become a commercial-grade threat in the hands of lone criminals and organized groups alike. In some cases, cryptojacking operations that keep whole farms of compromised machines mining coins have grown into a $50 million business for their bot masters.

The ShellBot malware lives within this ecosystem. While it is a rather simple piece of Perl-based code, it enables attackers to mount Internet Relay Chat (IRC)-controlled botnets that command coin mining on computers, Linux servers, Android devices and Internet of Things devices. ShellBot has two typical entry points: a brute-force attack, which only requires the target to have a weak password, and command injection on servers that accept remote commands from the command-line interface (CLI).

ShellBot started out as a basic IRC bot, but over time it has adopted effective exploits to compromise servers and devices. Its first campaign exploited ShellShock (CVE-2014-6271), which is how it got its name; over the years it has also used Drupalgeddon (CVE-2018-7600) and other exploits capable of compromising large swaths of devices. ShellBot has also been evolving its features to spread more effectively through networks and to disable competing infections, ensuring all of the computing power is used for its own goals. ShellBot's objective, in most cases, is mining Monero coin.