Oct. 12, 2023, 12:56 a.m. | MalBot

Malware Analysis, News and Indicators - Latest topics malware.news

AhnLab Security Emergency response Center (ASEC) has recently discovered a change in the distribution method of the ShellBot malware, which is being installed on poorly managed Linux SSH servers. The overall flow remains the same, but the download URL used by the threat actor to install ShellBot has changed from a regular IP address to a hexadecimal value.



  • hxxp://0x2763da4e/dred

  • hxxp://0x74cc54bd/static/home/dred/dred
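A detection-side view of the change described above, as an added example (not code from ASEC or the original post): it normalizes numeric URL hosts written in the hex, octal or single-integer forms that `inet_aton`-style parsers accept back to dot-decimal, so proxy or command-line logs can be matched against ordinary IP blocklists. The function names and the samples marked as constructed are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

def parse_part(tok):
    """One inet_aton-style component: 0x.. hex, leading-0 octal, else decimal."""
    if re.fullmatch(r"0x[0-9a-f]+", tok):
        return int(tok, 16)
    if re.fullmatch(r"0[0-7]+", tok):
        return int(tok, 8)
    if re.fullmatch(r"0|[1-9][0-9]*", tok):
        return int(tok, 10)
    return None

def normalize_ipv4_host(host):
    """Return (dotted_quad, is_obfuscated), or None if host is not a numeric IPv4 form."""
    toks = host.lower().split(".")
    vals = [parse_part(t) for t in toks]
    if not 1 <= len(toks) <= 4 or any(v is None for v in vals):
        return None
    # Leading parts are one byte each; the last part fills all remaining bytes.
    if any(v > 0xFF for v in vals[:-1]) or vals[-1] >= 256 ** (5 - len(vals)):
        return None
    n = vals[-1]
    for i, v in enumerate(vals[:-1]):
        n |= v << (8 * (3 - i))
    quad = ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))
    return quad, host != quad

def flag_obfuscated(urls):
    """Return [(url, dotted_quad)] for URLs whose host is a non-canonical IPv4."""
    hits = []
    for u in urls:
        refanged = u.replace("hxxp", "http", 1)  # undo report-style defanging
        res = normalize_ipv4_host(urlsplit(refanged).hostname or "")
        if res and res[1]:
            hits.append((u, res[0]))
    return hits

SAMPLES = [
    "hxxp://0x2763da4e/dred",                    # from the report
    "hxxp://0x74cc54bd/static/home/dred/dred",   # from the report
    "http://3221225985/a",      # constructed: dword form of 192.0.2.1
    "http://0300.0.2.1/a",      # constructed: octal first octet
    "http://192.0.2.1/a",       # constructed: canonical, not flagged
    "http://example.com/a",     # constructed: hostname, not flagged
]

if __name__ == "__main__":
    for url, ip in flag_obfuscated(SAMPLES): print(f"{url} -> {ip}")
```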




1. Past Case of URL Detection Evasion


Typically, IP addresses are used in the “dot-decimal notation” format, with threat actors …
