Malware analysis: Hands-On Shellbot malware
Blog post from Sysdig
Shellbot malware is a pervasive threat that exploits misconfigured systems, such as Tomcat applications with default credentials, to gain unauthorized access and execute a variety of malicious activities. Once deployed, it connects to an IRC server to receive commands for tasks like downloading files, performing port scans, exfiltrating data, and participating in DDoS attacks. The malware uses scripts like initd, bash.sh, and ulimit.sh to download additional binaries, modify system configurations, and conceal its presence by erasing traces. The Sysdig Security Research team analyzed Shellbot using a honeypot setup to track its behavior and provided insights into detecting it with tools like Falco, an open-source project for anomaly detection in applications. Falco rules can be customized to identify suspicious network activities, unauthorized file executions, and modifications to system files. By employing such tools, administrators can protect their environments against this and similar threats, ensuring the integrity and security of their systems.
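To make the detection point concrete, here is a small Falco ruleset, written for this summary as an added example (it is not the rule file from the Sysdig post), that covers the three behaviours named above: the IRC callback, execution of the dropped helper scripts, and configuration writes by a process spawned from Tomcat. The IRC port list, the Tomcat process names and the `/etc/` scope are assumptions; only the script names come from the analysis.

```yaml
# Added example, not the Sysdig post's own rules. Port list, Tomcat process
# names and the /etc/ scope are assumptions for illustration.

- list: irc_ports
  items: [6667, 6697]                # assumed: common plain-text / TLS IRC ports

- list: shellbot_script_names
  items: [initd, bash.sh, ulimit.sh] # script names quoted in the analysis

- list: tomcat_process_names
  items: [java, catalina.sh]         # assumed: how Tomcat appears in proc.name

- macro: outbound_tcp_connect
  condition: evt.type = connect and evt.dir = < and fd.typechar = 4 and fd.l4proto = tcp

- macro: process_spawned
  condition: evt.type in (execve, execveat) and evt.dir = <

- macro: system_config_write
  condition: >
    evt.type in (open, openat, openat2) and evt.is_open_write = true
    and fd.typechar = 'f' and fd.name startswith /etc/

- rule: Outbound IRC connection (Shellbot C2 pattern)
  desc: A process opened a TCP connection to a common IRC port; Shellbot takes its commands over IRC
  condition: outbound_tcp_connect and fd.rport in (irc_ports)
  output: >
    Outbound IRC connection (user=%user.name proc=%proc.name cmd=%proc.cmdline
    dest=%fd.name container=%container.id)
  priority: WARNING
  tags: [network, malware, shellbot]

# "initd" is matched on proc.name only: a substring match would also fire on
# unrelated binaries such as initdb.
- rule: Shellbot helper script executed
  desc: A process named like one of the dropped scripts was launched, or a shell was handed one of them
  condition: >
    process_spawned and (proc.name in (shellbot_script_names)
    or proc.cmdline contains "bash.sh" or proc.cmdline contains "ulimit.sh")
  output: >
    Shellbot-style script launched (user=%user.name cmd=%proc.cmdline
    parent=%proc.pname cwd=%proc.cwd container=%container.id)
  priority: CRITICAL
  tags: [process, malware, shellbot]

- rule: Tomcat child process modified system configuration
  desc: A process whose parent is the Tomcat JVM wrote under /etc/, as a post-exploitation dropper would
  condition: system_config_write and proc.pname in (tomcat_process_names)
  output: >
    System config written by Tomcat child (file=%fd.name cmd=%proc.cmdline
    parent=%proc.pname container=%container.id)
  priority: ERROR
  tags: [filesystem, malware, shellbot]
```

Load the file with `falco -r <file>` alongside the default ruleset and tune the lists to the hosts you monitor; the script-name rule in particular will need exceptions wherever a legitimate `bash.sh` or `ulimit.sh` exists.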