Post banner
SOC Threat Intel 2 Min Read

A Threat Stack SOC Analysis: The Continuing Evolution of the Shellbot Cryptomining Malware

Update: Threat Stack Presents Threat Briefing
On New Cryptomining Shellbot Malware Variant

Available: On demand

About This Threat Briefing

Recently, Threat Stack’s Security Operations Center (SOC) uncovered a variation of the Shellbot malware in a public cloud environment. In this active cryptojacking campaign, the sophisticated malware features several layers of obfuscation and continues to be updated with new functionality after it has gained a foothold in an infected environment.

In this briefing, Threat Stack SOC Analyst Ethan Hansen walks through the details of the newly discovered cryptojacking campaign, including the malware components, actual observed attack path, and the future investigations.

Free Download

Download Threat Stack’s Inside a Docker Cryptojacking Exploit

Threat Stack’s Security Operations Center (SOC) recently discovered an ongoing and evolving malware campaign that leverages a new variant of the Shellbot malware discovered by JASK in November 2018 and published in February 2019. (You can read their full report here.)

In this new variant of the campaign, Threat Stack has identified the addition of a new SSH brute force tool, a secondary command and control method, and the added ability to stop other cryptominers on infected servers.

While this attack appears to leverage SSH brute forcing of default passwords as its initial attack vector, this distributed malware features several layers of obfuscation and continues to be updated with additional functionality after it has gained a foothold in an infected environment.

Overall this is a sophisticated malware campaign that has been updated at least once during our investigation and will likely continue to be updated as time goes on. The primary goal of this Shellbot variant is monetary gain through cryptomining and propagating itself to other systems on the internet. Given its demonstrated ability and willingness to update functionality after achieving persistence on the target system, however, it is possible that the threat actors could decide to leverage this malware to exfiltrate, destroy, or ransom sensitive data on critical systems at any time.

Using proven SecOps security principles, Threat Stack Security Analysts identified and analyzed this ongoing attack campaign as part of the Threat Stack Cloud SecOps Program℠ after the proactive discovery of anomalous outbound SSH connections to hosts known to be malicious. Threat Stack Security Analysts notified the affected customer and analyzed the incident further to determine that the compromised server was being used as a platform to launch SSH brute force attacks against other servers in addition to cryptomining.

The entire scope of the malware campaign is illustrated in the following flow diagram, and you can download a detailed analysis in Threat Stack’s newly released report: The Continuing Evaluation of the Shellbot Malware: A Threat Stack SOC Analysis of the Ongoing Shellbot Cryptomining Campaign.

Click to enlarge