The Mayhem botnet is here to wreak, well, mayhem—and it’s using the Shellshock vulnerability to do it with fresh purpose.
Shellshock continues to have repercussions across the web, with various baddies both known and unknown using it as a fresh vector for harm. In this case, the Mayhem botnet, which is used to brute-force passwords in Joomla and WordPress, among other things, is targeting various *nix services, using the Shellshock scan method to download a remote installer.
The Mayhem Shellshock version, as detailed by MalwareMustDie, scans for Shellshock-vulnerable hosts, and upon discovering an unprotected server, will download a Perl installer script.
“The script will be executed in /tmp to execute the [Mayhem] library, and delete it after being executed, so there is no remote file accessed to trigger the infection (unlike the PHP installer version),” explained the group. “The binaries will be loaded in memory…and stay resident to perform the further botnet operation.”
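As an added defensive example (not code from the article or from MalwareMustDie), the following Python script flags Linux processes whose executable was deleted after launch, the footprint left behind by an installer that runs from /tmp, removes its file, and keeps the payload resident in memory. The directory list and function names are assumptions of this example.

```python
"""Flag running processes whose on-disk executable has been deleted.

On Linux, /proc/<pid>/exe is a symlink to the binary a process was started
from. If that file is unlinked while the process keeps running, the link
target gains a " (deleted)" suffix. A payload dropped in /tmp, executed and
then removed, as described above, shows up exactly that way.
"""
import os
import re
from typing import List, Optional

# Assumed list: directories from which a legitimately installed daemon
# should rarely be running.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def classify_exe_link(pid: int, exe_target: str) -> Optional[dict]:
    """Return a finding for one readlink('/proc/<pid>/exe') result, or None.

    Kept as a pure function so it can be exercised on constructed link
    targets without a live /proc.
    """
    m = re.fullmatch(r"(.*) \(deleted\)", exe_target)
    if not m:
        return None  # binary still present on disk: not the pattern we want
    path = m.group(1)
    return {"pid": pid, "path": path, "tmp_origin": path.startswith(SUSPICIOUS_DIRS)}


def scan_proc(proc_root: str = "/proc") -> List[dict]:
    """Walk proc_root and collect every deleted-binary process."""
    findings = []
    if not os.path.isdir(proc_root):
        return findings  # not Linux, or procfs not mounted
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue  # kernel thread, exited process, or no permission
        finding = classify_exe_link(int(entry), target)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_proc():
        tag = "TMP-ORIGIN" if f["tmp_origin"] else "deleted"
        print(f"pid {f['pid']:>6}  {tag:<10}  {f['path']}")
```

A routine package upgrade also leaves long-running daemons with a "(deleted)" link, so treat `tmp_origin` as the strong signal and the plain "deleted" entries as context.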
Mayhem is a multi-purpose modular bot for web servers. Originally uncovered by Yandex over the summer, Mayhem is essentially a new kind of malware for *nix web servers that has the functions of a traditional Windows bot, but which can act under restricted privileges on the system.
“Over the last several years, malware writers have clearly come to understand that gaining access to web servers can bring more benefits than infecting users’ PCs,” Yandex explained in an analysis. “Nowadays, there are millions of completely unprotected web servers with different kinds of vulnerabilities, so it is easy for attackers to upload web shells and gain access to them. Although in the vast majority of cases such access is restricted by the web server’s rights on the target system, attackers successfully find ways to gain maximum advantage.”
The new attacker IPs that use Shellshock are a combination of known Mayhem bots and unknown sources (including the suspected possibility of new panels/CNC/bots).
“The threat is still not being neutralized yet and is still active (has just been started is more like it) in infecting us,” MalwareMustDie researchers said. “We are decided to be in a hurry to raise this alert for the threat awareness. If Mayhem botnet uses shellshock, and this is a very serious threat, please work and cooperate together in good coordination in order to stop the source of the threat.”