Security Affairs
Security Affairs newsletter Round 584 by Pierluigi Paganini – INTERNATIONAL EDITION|U.S. Government Agency Paid $1M to Data Extortion Group Kairos|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Security Affairs newsletter Round 584 by Pierluigi Paganini – INTERNATIONAL EDITION|U.S. Government Agency Paid $1M to Data Extortion Group Kairos|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|
Advertisement

Ad Placeholder

Full Width × 90

Cyber Crime

A new BASHLITE variant infects devices running BusyBox

A new variant of the BASHLITE malware exploiting the ShellShock vulnerability was used by cyber criminals to infect devices that use BusyBox software. A new strain of the BASHLITE malware was detected by experts at Trend Micro shortly after the public disclosure of the ShellShock bug. The malware, named ELF_BASHLITE.A (ELF_FLOODER.W), includes the payload of the ShellShock exploit […]

A new BASHLITE variant infects devices running BusyBox

A new variant of the BASHLITE malware exploiting the ShellShock vulnerability was used by cyber criminals to infect devices that use BusyBox software.

A new strain of the BASHLITE malware was detected by experts at Trend Micro shortly after the public disclosure of the ShellShock bug.

The malware, named ELF_BASHLITE.A (ELF_FLOODER.W), includes the payload of the ShellShock exploit code and it had been used by threat actors to run distributed denial-of-service (DDoS) attacks.

The new variant of the ELF_BASHLITE.A is able to infect devices were running BusyBox, a software that provides several Unix tools in a single executable file. BusyBox is specific embedded operating systems. Many routers and other network appliances run the software to advantage maintenance activities.

“we observed that recent samples of BASHLITE (detected by Trend Micro as ELF_BASHLITE.SMB) scans the network for devices/machines running on BusyBox, and logs in using a set of usernames and passwords (see figure 4 below). Once a connection is established, it runs the command to download and run bin.sh and bin2.sh scripts, gaining control over the Busybox system.” Rhena Inocencio, threat response engineer at Trend Micro, wrote in a blog post

The new variant of the BASHLITE malware is able to identify systems running BusyBox software and hijack them. The attack scenario is very simple, the malicious code first scans the network searching for the application and attempts to access them by using a set of credentials from a predefined dictionary. The list of passwords includes “root,” “admin,” “12345,” “pass,” “password” and “123456.”

bashlite busy passwords

 

Once the malware has gained the access to the software, it runs the command to download and run a couple of scripts bin.sh and bin2.sh scripts, to gaining control over the Busybox system.

“Once a connection is established, it runs the command to download and run bin.sh and bin2.sh scripts, gaining control over the Busybox system. BusyBox is built on top of the Linux kernel and used by small devices such as routers. Remote attackers can possibly maximize their control on affected devices by deploying other components or malicious software into the system depending on their motive.”

Trend Micro invites administrators to change the default settings for their network devices and disable remote shell, if possible, to avoid its exploitation.

In October, experts at The Malware Must Die detected numerous attack worldwide exploiting the Bash Bug flaw to spread the Mayhem botnet.

The experts sustain that attacks using the exploit could top 1 billion in a short time, for this reason principal IT firms started releasing software updates to patch their solution and avoid the exploitation of the ShellShock flaw.

Unfortunately, there are many reasons that could hinder the patching of many systems that remain vulnerable to this kind of attack.

Last illustrious victim in order of time was BrowserStack, the cross-browser testing service; one of its servers was compromised using a ShellShock exploit that allowed attackers to access customer data.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs –  ShellShock, BASHLITE)