Linux systems are under attack by a malware campaign to mine Monero (XMR), a privacy-centric coin. It uses a new version of Shellbot trojan to bridge a tunnel between the infected system and a C&C server, which is operated by the attackers.

Jask Special Ops researchers described the Shellbot as an Internet Relay Chat (IRC) botnet. It is distributed through common command injection vulnerabilities. According to Cyware, “the researchers noted that the trojan targets vulnerable Linux servers as well as the Internet of Things (IoT) devices.” It can also infect Windows OS and android devices. “Once the servers of the targeted organizations are compromised, the threat group adds a botnet to strengthen its campaign, the botnet is detected as the new version of Shellbot trojan,” says the Cyware.

The Shellbot trojan is capable of downloading additional payloads, collecting system and personal data, opening remote command line shells, receiving additional payloads from controllers, and terminating or running tasks and processes. It can also send stolen information to a C&C server.

Linux’s official portal stated that “the backdoor is able to collect system and personal data, terminate or run tasks and processes, download additional payloads, open remote command line shells, send stolen information to a C2 and also receive additional malware payloads from controllers.” It further highlighted that threat actors target organizations through denial-of-service (DoS) and SSH brute-force techniques.

The same group had been behind the November attacks, whereby it compromised the FTP server of a Japanese art organization and a Bangladesh government website. Researchers and experts are keeping a look out for the Shellbot trojan because its evolving and the C2 server is very much active.