A piece of malware known as SHELLBIND has been detected and is reported to have advanced capabilities for targeting network-attached storage (NAS) appliances. The malware exploits CVE-2017-7494, the Samba vulnerability dubbed SambaCry, which lets an attacker take control of affected devices.
This is not the first time the SambaCry vulnerability has been exploited. The seven-year-old flaw was patched only recently, after which it was used to turn Linux-based machines into cryptocurrency miners.
The malware, detected as ELF_SHELLBIND.A, was first discovered on July 3. The latest analysis and reports indicate that it was designed to target IoT devices and NAS appliances. Attackers can locate Samba-enabled devices with Shodan: searching for port 445 together with the string "Samba" returns a list of matching IP addresses.
Once the IP addresses of devices running Samba have been collected, the attacker only needs a tool that delivers the malicious code to each of them. CVE-2017-7494 lets a remote client make the Samba server load code from a writable share, so once the payload has been written to a public share on a target that still carries the SambaCry vulnerability, the device is infected with SHELLBIND.
The malware then sends a "knock" message to a C&C server, believed to be located in East Africa, at the IP address 169[.]239[.]128[.]123. It also opens a listener (a bind shell) on TCP port 61422; when the attacker connects to it they are prompted for a password, and after entering the password 'Q8pGZFS7N1MObJHf' they gain control of the device.
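The two network indicators given above, the C&C address and the bind shell on TCP/61422, are what a defender would hunt for. The following is an added example, not code from the article or from the SHELLBIND analysis: one check scans the contents of /proc/net/tcp (which even a stripped-down NAS firmware exposes) for a listener on 61422, and the other sweeps a connection log for traffic to the C&C or to the bind-shell port. The log format and all sample data are constructed for illustration.

```python
"""
Added example (not from the article): detect the SHELLBIND network
indicators, the C&C address 169.239.128.123 and the bind shell on TCP/61422.
The connection-log format and the sample data below are constructed.
"""
import re
import socket
import struct

SHELLBIND_C2_IP = "169.239.128.123"
SHELLBIND_BIND_PORT = 61422
TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp


def _hex_to_ipv4(hex_ip):
    # /proc/net/tcp prints the address as one 32-bit hex word in host byte
    # order; "<I" assumes a little-endian host (x86, most ARM NAS SoCs).
    return socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))


def find_bind_shell_listeners(proc_net_tcp, port=SHELLBIND_BIND_PORT):
    """Return 'ip:port' strings for every LISTEN socket bound to `port`."""
    hits = []
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 4:
            continue
        local_hex_ip, local_hex_port = fields[1].split(":")
        if fields[3] == TCP_LISTEN and int(local_hex_port, 16) == port:
            hits.append("%s:%d" % (_hex_to_ipv4(local_hex_ip), port))
    return hits


# Constructed log format: "<timestamp> <src>:<sport> -> <dst>:<dport> <proto>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)


def find_shellbind_traffic(log_lines):
    """Return (timestamp, suspect_host, reason) for each matching line."""
    findings = []
    for raw in log_lines:
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue  # unparseable line; a real tool would count these
        if m["dst"] == SHELLBIND_C2_IP:
            findings.append((m["ts"], m["src"], "knock to SHELLBIND C&C"))
        elif int(m["dport"]) == SHELLBIND_BIND_PORT:
            findings.append((m["ts"], m["dst"],
                             "inbound to SHELLBIND bind shell from " + m["src"]))
    return findings


# Constructed sample: smbd on 445 and an unexpected listener on 61422 (0xEFEE).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:01BD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:EFEE 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0A00000A:EFEE 0A00020A:C3A4 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
"""

# Constructed sample: the C&C port is not given in the text, 80 is a placeholder.
SAMPLE_CONN_LOG = [
    "2017-07-03T10:14:02Z 10.0.0.10:51230 -> 169.239.128.123:80 tcp",
    "2017-07-03T10:14:05Z 203.0.113.7:40122 -> 10.0.0.10:61422 tcp",
    "2017-07-03T10:15:00Z 10.0.0.11:50110 -> 10.0.0.5:445 tcp",
]

if __name__ == "__main__":
    for hit in find_bind_shell_listeners(SAMPLE_PROC_NET_TCP):
        print("listener on SHELLBIND port:", hit)
    for ts, host, reason in find_shellbind_traffic(SAMPLE_CONN_LOG):
        print(ts, host, reason)
```

On a live appliance, read `/proc/net/tcp` (and `/proc/net/tcp6`) instead of the sample string; the established connection in line 2 of the sample is deliberately not reported, because only the LISTEN socket is the indicator of the bind shell itself.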
There is no doubt that SHELLBIND is capable of infecting systems that still carry the SambaCry vulnerability. However, the patch for this vulnerability has already been released (the fix shipped in Samba 4.6.4, 4.5.10 and 4.4.14, and in vendor backports), so systems that have applied it are not affected by SHELLBIND. For a NAS appliance that patch arrives as a vendor firmware update, so the device stays exposed until the vendor has shipped one and it has been installed.
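Whether a given box has the fix is the question an administrator is left with. The following added example (not from the article) decides that from two things readable on the host, the `smbd --version` banner and smb.conf. The upstream fixed releases (4.6.4, 4.5.10, 4.4.14) and the workaround of setting `nt pipe support = no` in `[global]` are Samba's own; the version banners and configuration files in the block are constructed samples, and the version test is deliberately only a heuristic because distributions and NAS vendors often backport the fix without changing the version number.

```python
"""
Added example (not from the article): check a Samba host for the
CVE-2017-7494 (SambaCry) fix from its version banner and its smb.conf.
Sample banners and configuration files are constructed.
"""
import re

FIRST_AFFECTED = (3, 5, 0)  # the flaw was introduced in Samba 3.5.0
# First fixed patch level per upstream branch (Samba security release).
FIXED_PATCH_LEVEL = {(4, 4): 14, (4, 5): 10, (4, 6): 4}


def parse_samba_version(banner):
    """Extract (major, minor, patch) from output such as 'Version 4.4.3'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no version number in: %r" % banner)
    return tuple(int(part) for part in m.groups())


def is_vulnerable_upstream_version(version):
    """True if this upstream release lies inside the CVE-2017-7494 range.

    Only the upstream number is checked: vendors frequently backport the
    fix without bumping it, so True means 'verify', not 'confirmed'.
    """
    if version < FIRST_AFFECTED:
        return False
    branch = version[:2]
    if branch in FIXED_PATCH_LEVEL:
        return version[2] < FIXED_PATCH_LEVEL[branch]
    # 3.5.x through 4.3.x were out of upstream support and never fixed;
    # 4.7.0 and later were released with the fix already included.
    return branch < (4, 4)


def has_nt_pipe_workaround(smb_conf):
    """True if [global] disables named pipes, Samba's published workaround."""
    section = None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = (part.strip().lower() for part in line.split("=", 1))
            if key == "nt pipe support" and value in ("no", "false", "0"):
                return True
    return False


def assess(banner, smb_conf):
    """Combine both checks into a single verdict string."""
    version = parse_samba_version(banner)
    if not is_vulnerable_upstream_version(version):
        return "patched-upstream-version"
    if has_nt_pipe_workaround(smb_conf):
        return "vulnerable-version-but-workaround-applied"
    return "likely-vulnerable-check-vendor-backports"


# Constructed samples: a typical NAS share layout with and without the workaround.
SAMPLE_BANNER = "Version 4.4.3"
SAMPLE_SMB_CONF_DEFAULT = """\
[global]
   workgroup = WORKGROUP
   server string = NAS
[public]
   path = /share/public
   writable = yes
   guest ok = yes
"""
SAMPLE_SMB_CONF_HARDENED = """\
[global]
   workgroup = WORKGROUP
   # CVE-2017-7494 workaround from the Samba advisory
   nt pipe support = no
[public]
   path = /share/public
   writable = yes
"""

if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_SMB_CONF_DEFAULT))
    print(assess(SAMPLE_BANNER, SAMPLE_SMB_CONF_HARDENED))
```

Note that the workaround disables named-pipe access for all clients and can break functionality Windows clients expect, so it is a stop-gap until the vendor firmware update, not a substitute for it.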