The original Shellbot was capable of brute-forcing the credentials of SSH remote access services on Linux servers protected by weak passwords. The malware then mines the privacy-focused cryptocurrency Monero (XMR). Threat Stack claims that this new-and-improved version is capable of spreading through an infected network and shutting down other miners running on the same machines.
Threat Stack apparently uncovered the new iteration of Shellbot on the Linux server of an unspecified United States company. While it is still unclear how the malware is delivered, the researchers identified three components and found the script used to install it.
The malware's command-and-control server is an Internet Relay Chat (IRC) server, which attackers can use to deliver commands and check the status of an infected server. Shellbot was reportedly making about $300 a day, a figure that stands to grow as the malware spreads. Sam Bisbee, chief security officer at Threat Stack, told TechCrunch that the potential of the malware does not end there:
“They are fully capable of using this malware to exfiltrate, ransom, or destroy data.”