
ShellBind exploits SambaCry vulnerability


This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

Security researchers have discovered a new strain of malware called ShellBind which exploits the vulnerability, dubbed SambaCry in Samba (CVE-2017-7494), the open-source implementation of Server Message Block (SMB).

Threat details

Patches are available for this vulnerability and should be applied as soon as possible.

There are other strains of malware that target this vulnerability in order to mine Monero, a cryptocurrency. They differ, however, in the types of devices they typically target, and ShellBind is believed to be used to create a backdoor that allows an attacker to exfiltrate data.

Other malware, such as CPUminer, EternalMiner or PhotoMine, has infected devices via this vulnerability before; however, it was not designed to create a backdoor. That is not to detract from the significance of being infected by such malware, but ShellBind is believed to create backdoors on NAS devices with the aim of exfiltrating data, which can then be sold on underground forums. Depending on the type of data stolen, this can lead to reputational loss for the compromised organisation, and it also opens the organisation up to the possibility of being held to ransom.

According to a number of researchers, during the infection process the Trojan alters the local firewall to allow traffic to 61422/TCP, a port that is sometimes associated with Apple’s Xsan protocol. The malicious actors may have chosen this port specifically in the hope that anyone who notices communications on it and checks will assume it is legitimate and not pay much further attention to it.

The purpose of opening this port is to give a remote attacker access to the compromised device. Once infected, ShellBind contacts a Command and Control (C2) server on 80/TCP to alert the malicious actor to the compromise. The actor is then able to attempt to compromise other devices manually.

Inside the code of the Trojan, the password to access ShellBind's shell was hard coded and is provided below in th


Remediation steps

  • Make sure that port 445/TCP isn’t open to the internet.
  • Make sure that the patches for CVE-2017-7494 have been applied.
  • Monitor port 61422/TCP for anomalous behaviour.
  • Lock down write access to Samba file shares.
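
As an added defender-side example (not part of the original alert), the following Python script performs host checks that match the last two remediation steps: it parses an smb.conf for shares that allow writes and an `ss -tlnp` listing for anything bound to 61422/TCP. The smb.conf excerpt, the listener output, the process names and the share paths are constructed sample data assumed for illustration.

```python
"""Host checks for the ShellBind/SambaCry remediation steps: list Samba shares that
allow writes (CVE-2017-7494 needs one) and anything listening on 61422/TCP, the
port the Trojan opens in the firewall. Both sample inputs below are constructed."""
import configparser
import re

SHELLBIND_PORT = 61422
SAMPLE_SMB_CONF = """
[global]
   map to guest = Bad User
[public]
   path = /srv/samba/public
   read only = no
   guest ok = yes
[backups]
   path = /srv/samba/backups
   writable = yes
[docs]
   path = /srv/samba/docs
   read only = yes
"""
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      50     0.0.0.0:445        0.0.0.0:*         users:(("smbd",pid=812,fd=36))
LISTEN 0      1      0.0.0.0:61422      0.0.0.0:*         users:(("sh",pid=2741,fd=3))
"""

def writable_shares(smb_conf_text):
    """Map each share that permits writes to whether it also allows guest access."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(smb_conf_text)
    found = {}
    for share in cp.sections():
        if share == "global":
            continue
        sec = cp[share]
        read_only = sec.get("read only", "yes").strip().lower()
        writable = sec.get("writable", sec.get("writeable", "no")).strip().lower()
        if read_only == "no" or writable == "yes":  # either spelling grants writes
            found[share] = sec.get("guest ok", "no").strip().lower() == "yes"
    return found

def listeners_on_port(ss_text, port):
    """Return process names bound to `port` in `ss -tlnp` output (empty if none)."""
    procs = []
    for line in ss_text.splitlines():
        if line.startswith("LISTEN") and line.split()[3].rsplit(":", 1)[1] == str(port):
            procs.extend(re.findall(r'\("([^"]+)"', line))  # names inside users:(("x",...))
    return procs
```

On a live host, feed the script the real `/etc/samba/smb.conf` and the output of `ss -tlnp`; a guest-writable share or an unfamiliar process on 61422/TCP is a finding worth investigating.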


Last edited: 17 February 2020 11:39 am