A cybercriminal group called Outlaw is using a Perl Shellbot to go after large organizations’ Internet of Things (IoT) devices.

The Trend Micro Cyber Safety Solutions Team observed a Perl Shellbot exploiting CVE-2017-1000117 to distribute an Internet Relay Chat (IRC) bot. This vulnerability enables attackers to pass a crafted “ssh://…” URL to unsuspecting victims and execute programs on their devices. According to Trend Micro, this threat can affect enterprise IoT devices, Linux servers, Windows-based environments and Android devices.

Outlaw communicates with the botnet using two compromised servers that belong to a Japanese art institution and a Bangladeshi government website. The threat group linked these two servers to a high-availability cluster to host an IRC bouncer and leveraged this asset for command-and-control (C&C) to target large businesses in more than a dozen countries, including the U.S., Germany, Israel and Japan.

The Ongoing Threat of IRC Botnets

IRC botnets are nothing new. In late 2016, MalwareMustDie observed attackers using new malware they called Linux/IRCTelnet to perform distributed denial-of-service (DDoS) attacks via an IRC botnet. More than a year later, Arbor Networks reported that attackers had used MedusaIRC and its IRC-based C&C to craft MedusaHTTP, an HTTP-based DDoS botnet written in .NET.

Unfortunately, it’s not difficult for cybercriminal groups like Outlaw to create this type of threat. Trend Micro observed that the code Outlaw used in its attacks is available online. Anyone can use that code to create a bot with an undetectable toolset.

How to Protect Enterprise IoT Devices From Outlaw

To protect their organizations against Outlaw’s activity, Trend Micro recommended monitoring for the creation of new accounts and restricting the use of FTP as much as possible. Security teams should also use reliable threat intelligence to block known malicious URLs and invest in security information and event management (SIEM) technology to identify unknown threats.

Sources: Trend Micro, MalwareMustDie, Arbor Networks

more from

From Ramnit To Bumblebee (via NeverQuest): Similarities and Code Overlap Shed Light On Relationships Between Malware Developers

A comparative analysis performed by IBM Security X-Force uncovered evidence that suggests Bumblebee malware, which first appeared in the wild last year, was likely developed directly from source code associated with the Ramnit banking trojan. This newly discovered connection is particularly interesting as campaign activity has so far linked Bumblebee to affiliates of the threat group ITG23 (aka the Trickbot/Conti…

X-Force 2022 Insights: An Expanding OT Threat Landscape

This post was written with contributions from Dave McMillen. So far 2022 has seen international cyber security agencies issuing multiple alerts about malicious Russian cyber operations and potential attacks on critical infrastructure, the discovery of two new OT-specific pieces of malware, Industroyer2 and InController/PipeDream, and the disclosure of many operational technology (OT) vulnerabilities. The OT cyber threat landscape is expanding dramatically and OT…