The Path of an Outlaw, a Shellbot Campaign

The ability of an actor to remain undiscovered or obfuscating its doings when driving a malicious campaign usually affects the gains of such campaigns. These gains can be measured in different items such as time to allow completion of operations (exfiltration, movement of compromised data), ability to remain operative before take down notices are issued, or ability to obtain gains based on for-profit driven crimeware (DDoS for hire, Crypto mining).

In order to achieve such purpose we can usually observe many tactics. At times malicious actors leave clues -- so called “false flags” -- in order to mislead researchers as to who might be behind their actions. These include specific words that may have meaning in other languages, typos that may indicate a foreign person, keyboard signatures of foreign languages, and coding style or coding references from other tools.

Code is written by humans, and no matter how hard they try, when a person behaves, that behavior does not occur in the vacuum. It can be measured in multiple ways, even if code is reused. Certain patterns and techniques used during malicious campaigns can be attributed to specific individuals, and so we have a nomenclature of APT groups, which was precisely created, based on TTPs that can be uniquely or mostly attributed to a group of people.

A newly repurposed version of Shellbot crimeware tool has been spotted in the field using the old but handy IRC service. This campaign appears to be seeking to obtain as much infrastructure resources as possible to monetize and provide DDoS-forhire services and Crypto mining. As of this writing, the campaign and C2 are still active and botnet is growing. The multi-stage payloads suggest reuse and repurpose of shellbot code used by operators in different regions of the world. Newly adapted payloads craft specific mining tasks for different architectures and post exploitation worm-like behavior is also present.