
Cryptojacking has continued to evolve, with hackers seeking new ways to mine more crypto from their victims. Now, one cryptojacking malware is going a step further by shutting down the other cryptominers on a system. In doing so, it frees up more processing power for its own cryptojacking operation.

Known as Shellbot, the malware targets Linux servers that are connected to the internet and that have a weak password. After locating its victim, it then uses the SSH brute force technique to break in. This is a technique in which hackers relentlessly try out thousands of common passwords until one of them pans out.
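
The following is an added example, not part of the original article or Threat Stack's report. It shows how a defender can spot this kind of entry in sshd authentication logs by counting failed password attempts per source address and flagging any password login accepted after the guessing. The log lines, addresses and the threshold of 5 are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (documentation-range IPs), not from the report.
SAMPLE_LOG = """\
Mar 10 03:12:01 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar 10 03:12:03 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 40114 ssh2
Mar 10 03:12:04 web01 sshd[2212]: Failed password for invalid user test from 203.0.113.7 port 40115 ssh2
Mar 10 03:12:06 web01 sshd[2213]: Failed password for root from 203.0.113.7 port 40117 ssh2
Mar 10 03:12:07 web01 sshd[2213]: Failed password for root from 203.0.113.7 port 40118 ssh2
Mar 10 03:12:08 web01 sshd[2214]: Failed password for root from 203.0.113.7 port 40119 ssh2
Mar 10 03:12:09 web01 sshd[2215]: Accepted password for root from 203.0.113.7 port 40120 ssh2
Mar 10 08:30:11 web01 sshd[3001]: Failed password for deploy from 198.51.100.4 port 50022 ssh2
Mar 10 08:30:19 web01 sshd[3001]: Accepted password for deploy from 198.51.100.4 port 50022 ssh2
Mar 10 09:01:01 web01 sshd[3100]: Failed password for invalid user oracle from 192.0.2.55 port 33001 ssh2
Mar 10 09:01:02 web01 sshd[3101]: Failed password for root from 192.0.2.55 port 33002 ssh2
Mar 10 09:01:03 web01 sshd[3102]: Failed password for root from 192.0.2.55 port 33003 ssh2
Mar 10 09:01:04 web01 sshd[3103]: Failed password for root from 192.0.2.55 port 33004 ssh2
Mar 10 09:01:05 web01 sshd[3104]: Failed password for root from 192.0.2.55 port 33005 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def find_bruteforce(log_text, threshold=5):
    """Report source IPs with >= threshold failed password attempts, plus any
    password login accepted from that IP after the threshold was reached."""
    failures = defaultdict(int)
    users_tried = defaultdict(set)
    logins_after = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["method"] != "password":
            continue  # key-based logins are not password guessing
        ip = m["ip"]
        if m["result"] == "Failed":
            failures[ip] += 1
            users_tried[ip].add(m["user"])
        elif failures[ip] >= threshold:
            logins_after[ip].append(m["user"])  # likely a guessed password
    return {
        ip: {"failures": n, "users_tried": sorted(users_tried[ip]),
             "logins_after_guessing": logins_after[ip]}
        for ip, n in failures.items() if n >= threshold
    }
```

A non-empty `logins_after_guessing` list marks an account to treat as compromised; a source with failures only is a candidate for blocking or rate limiting.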

According to a report by Boston-based cyber security firm Threat Stack, a new variant of Shellbot has added some new capabilities. Once the hackers install the malicious payload on a server, they can run commands remotely as well as check the status of the malware. Once installed, the malware begins mining Monero, a crypto that has proven popular with cryptojackers due to its ease of mining and supposed anonymity.

The Shellbot malware, which was first discovered by cyber security firm Jask, sends the mined Monero tokens to a MoneroHash server. Threat Stack found that the malware was making $300 a day. As it infects more servers, this figure could skyrocket.

The Threat Stack team also believes that the threat goes beyond cryptojacking. Shellbot’s ability to evolve and add new features could allow it to target its victims in more ways than one.

Threat Stack’s chief security officer Sam Bisbee told TechCrunch:

“The threat actors behind this campaign have shown the ability and willingness to update this malware with new functionality after it has gained a foothold on an infected system. They are fully capable of using this malware to exfiltrate, ransom or destroy data.”

Threat Stack found the malware on a Linux server belonging to one of its clients. It withheld the client’s name, only revealing that it’s a U.S. company with international operations. The infected server was shut down after the security team realized that the hackers were using it to target other vulnerable machines.

Just recently, a report revealed that over 150,000 Electrum wallets have been infected with malware. The hackers have already stolen over $4.6 million worth of Bitcoin Core (BTC).
