Open-Source Botnet That Obtains SSH Shell Access


The digital age offers opportunities but also increases the importance of cybersecurity as threats grow in complexity and sophistication, making preparedness a top priority.

Open-source botnets are now a hot topic in cybersecurity due to their accessibility and rapid adaptability against security measures.

Cybersecurity researchers at SOCRadar recently reported about an open-source botnet, Supershell, that obtains SSH shell access.

Supershell Botnet

Supershell is an open-source botnet that offers rapid one-click Docker-based deployment with integrated reverse SSH for team collaboration and interactive control.

Its client payloads are small and built for several platforms; each one stands up an SSH server on the victim and connects back to the panel over reverse SSH, so the operator gets an interactive shell without needing an inbound port on the victim. The panel then exposes a broad set of functions on top of that shell.

Researchers closely analyzed recently discovered Supershell Botnet Panels, taking an operational approach to gain deeper insights through panel infiltration.

Security analysts successfully tracked active Supershell panels using a tailored Urlscan search query, revealing valuable insights.

Urlscan search (Source – SOCRadar)

In the past month, researchers found 85 Supershell panels. The most recent detections were only an hour old at the time of the query, indicating that new panels are constantly coming online.

During the operation, analysts obtained login credentials for several panels. Supershell’s login typically requires only a username, or a username and password, and the panels encountered behaved the same way.

Supershell panel login page (Source – SOCRadar)

Security experts quickly identified live Supershell panels and gained access to one to examine its interface, which exposes the following:

  • System views
  • Access options
  • Log access

Supershell botnet panel interface (Source – SOCRadar)

On the infected-systems page of that panel, the researchers found victims spanning several countries and operating systems.

They also logged into a few other panels on which the operator had already generated malware but which had no infected systems yet.

Infected systems (Source – SOCRadar)

The SOCRadar Threat Research team collaboratively monitored Supershell botnet panels, gaining access to one with 118 infected Linux devices. They found two distinct malware strains, both configured to connect to the Supershell panel.

The number of infections on this panel stood out, and analysis of the payloads turned up a file named ‘xmrig’, the open-source Monero miner, suggesting the operator was using the compromised Linux systems for cryptocurrency mining.

A total of 45 cryptocurrency wallet addresses were found; the Tron (TRX) wallet shown in the screenshot had 261 transactions. The researchers also ran the shell ‘history’ command on connected infected systems in an attempt to trace the operator’s past activity.
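The hunt the report implies can be scripted on the victim side: a miner binary, the wallet it pays into, and the outbound connection a reverse-SSH client holds open to its panel. The following is an added example, not code from SOCRadar or the Supershell project. The `ps` and `ss` output, the config file, the pool hostname and the wallet addresses are all constructed for this example; the scratch-directory heuristic and the wallet-shape regexes are assumptions of mine, not an indicator set from the report.

```python
"""Triage of a Linux host for the miner + reverse-shell pattern described above.

Inputs are the text of `ps -eo pid,user,args` and `ss -tnp`, plus an optional
XMRig-style config.json. Three things come out: processes that look like a miner
or run from a world-writable scratch directory, the wallet addresses those
processes pay into, and the remote endpoints they hold connections to (the pool
and, for a reverse-SSH implant, the operator's panel).
"""
import json
import re
import shlex

# Constructed, Monero-shaped (95-char base58, leading '4') and TRON-shaped
# (34-char base58, leading 'T') addresses. Not real wallets.
MONERO_ADDR = "4" + ("AbCdEfGhJk" * 10)[:94]
TRON_ADDR = "T" + ("9ZyXwVuTsR" * 4)[:33]

# Constructed sample of `ps -eo pid,user,args` (assumed layout, not a capture).
PS_SAMPLE = f"""\
    PID USER     COMMAND
      1 root     /sbin/init
    842 root     /usr/sbin/sshd -D
   1337 www-data /tmp/.x/xmrig -o pool.example.invalid:3333 -u {MONERO_ADDR} -p x --donate-level=1
   1402 www-data /dev/shm/.s/client
   2001 alice    sshd: alice@pts/0
"""

# Constructed sample of `ss -tnp` for the same host.
SS_SAMPLE = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:51234 203.0.113.7:3333 users:(("xmrig",pid=1337,fd=5))
ESTAB 0 0 10.0.0.5:51240 203.0.113.8:2222 users:(("client",pid=1402,fd=3))
ESTAB 0 0 10.0.0.5:22 198.51.100.9:54321 users:(("sshd",pid=2001,fd=4))
"""

# Constructed XMRig-style config.json; XMRig keeps the wallet in pools[].user.
CONFIG_SAMPLE = json.dumps(
    {"pools": [{"url": "pool.example.invalid:3333", "user": MONERO_ADDR, "pass": "x"}]}
)

SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")   # assumption: scratch dirs
MINER_NAMES = ("xmrig",)
WALLET_RE = re.compile(r"\b(?:[48][1-9A-HJ-NP-Za-km-z]{94}|T[1-9A-HJ-NP-Za-km-z]{33})\b")
SS_RE = re.compile(
    r'^(\S+)\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+users:\(\("([^"]+)",pid=(\d+)'
)


def parse_ps(text):
    """Yield (pid, user, command line) tuples from `ps -eo pid,user,args` output."""
    procs = []
    for line in text.splitlines()[1:]:
        pid, user, cmd = line.split(None, 2)
        procs.append((int(pid), user, cmd))
    return procs


def flag_processes(procs):
    """Map pid -> reason for processes that look like a miner or run from a scratch dir."""
    flagged = {}
    for pid, user, cmd in procs:
        exe = cmd.split()[0]
        name = exe.rsplit("/", 1)[-1].lower()
        if name in MINER_NAMES:
            flagged[pid] = f"known miner binary ({name}) run by {user}"
        elif exe.startswith(SUSPICIOUS_DIRS):
            flagged[pid] = f"executable in scratch dir ({exe}) run by {user}"
    return flagged


def wallets_from_cmdline(cmd):
    """XMRig takes the wallet as `-u <wallet>` or `--user=<wallet>`; a base58 shape
    match is added so a renamed binary still yields the address."""
    found = set()
    args = shlex.split(cmd)
    for i, a in enumerate(args):
        if a in ("-u", "--user") and i + 1 < len(args):
            found.add(args[i + 1])
        elif a.startswith("--user="):
            found.add(a.split("=", 1)[1])
    found.update(WALLET_RE.findall(cmd))
    return found


def wallets_from_config(text):
    """Pull pools[].user from an XMRig config; fall back to shape matching if not JSON."""
    try:
        cfg = json.loads(text)
    except ValueError:
        return set(WALLET_RE.findall(text))
    return {p["user"] for p in cfg.get("pools", []) if "user" in p}


def parse_ss(text):
    """Parse `ss -tnp` lines into dicts with state, endpoints and owning pid."""
    conns = []
    for line in text.splitlines()[1:]:
        m = SS_RE.match(line)
        if m:
            state, laddr, lport, raddr, rport, pname, pid = m.groups()
            conns.append({"state": state, "local": f"{laddr}:{lport}",
                          "remote": f"{raddr}:{rport}", "process": pname, "pid": int(pid)})
    return conns


def triage(ps_text, ss_text, config_text=None):
    """Correlate flagged processes with their wallets and established remote peers."""
    procs = parse_ps(ps_text)
    flagged = flag_processes(procs)
    wallets = set()
    for pid, _, cmd in procs:
        if pid in flagged:
            wallets |= wallets_from_cmdline(cmd)
    if config_text:
        wallets |= wallets_from_config(config_text)
    # A reverse-SSH implant is an ESTABLISHED connection *initiated* by the
    # flagged process, so the peer is the panel (or, for the miner, the pool).
    remotes = sorted({c["remote"] for c in parse_ss(ss_text)
                      if c["pid"] in flagged and c["state"] == "ESTAB"})
    return {"flagged": flagged, "wallets": sorted(wallets), "remotes": remotes}


if __name__ == "__main__":
    print(json.dumps(triage(PS_SAMPLE, SS_SAMPLE, CONFIG_SAMPLE), indent=2))
```

The correlation step is the useful part: a lone `ss` entry to port 2222 tells you little, but an established connection owned by a process running out of `/dev/shm` is the reverse channel worth blocking, and the peer address is what you then search for in the rest of the fleet.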

The researchers then profiled the 85 active Supershell panels found in the past month.

Using IPinfo, they geolocated the control panel IP addresses to 10 countries and 34 cities, with China accounting for the most detections, possibly linked to the fact that Supershell’s GitHub page is written in Chinese.

Distribution of IP addresses (Source – SOCRadar)

Of the 85 active Supershell panels, 52 had infected systems, spread across 12 countries and 26 cities. China again had the most infected systems, with 41 IP addresses.

Cybersecurity is crucial in the digital era as online attacks become more sophisticated. The rise of open-source botnets draws attention to the necessity for cyber intelligence in the industry.
