SambaCry vulnerability is used in attacks on networked storage

20 July 2017, 23:18 | Technologies

Unknown attackers are exploiting the SambaCry vulnerability to install backdoors on Linux-based devices that run older versions of the Samba file-sharing server.

Details of the SambaCry vulnerability, also known as EternalRed (CVE-2017-7494), were disclosed in May of this year. Two weeks after its public disclosure, hackers began exploiting the vulnerability to infect Linux servers with the EternalMiner cryptocurrency miner. Now Trend Micro experts have found that SambaCry exploits are also being used to deliver the SHELLBIND malware.

SHELLBIND is a simple backdoor Trojan that allows an attacker to remotely open a shell on infected devices. The malicious program changes the local firewall policies and opens TCP port 61422 so that the attacker can connect to the compromised device. SHELLBIND informs its operator of a successful infection by pinging the server 169[.]239[.]128[.]123 on port 80. The attacker extracts new IP addresses from the server's log and manually connects to each infected host on port 61422. Access to the Trojan's shell is protected by a password embedded in the malicious code.

Unlike EternalMiner, which mostly infects Linux servers, SHELLBIND was discovered primarily on network-attached storage (NAS) devices, although it also infects other Internet of Things (IoT) devices.
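The two network indicators described above (a socket on TCP port 61422 and a connection to 169[.]239[.]128[.]123 on port 80) can be checked on a Linux device by decoding `/proc/net/tcp`. The following is an added example, not code from Trend Micro or the original article; the function names and the sample table are constructed, and it assumes a little-endian host and that the contact with the server appears as a TCP connection.

```python
import socket
import struct

# Indicators as stated in the article; everything else here is illustrative.
BACKDOOR_PORT = 61422                    # TCP port SHELLBIND opens
BEACON_ADDR = ("169.239.128.123", 80)    # server contacted after infection
TCP_LISTEN = 0x0A                        # LISTEN state code in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:01BD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 00000000:EFEE 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002
   2: 0A00A8C0:C350 7B80EFA9:0050 01 00000000:00000000 00:00000000 00000000     0        0 1003
   3: 0A00A8C0:0016 6400A8C0:D431 01 00000000:00000000 00:00000000 00000000     0        0 1004
"""


def decode_endpoint(field):
    """Decode 'AABBCCDD:PPPP' (IPv4 as little-endian hex, port as hex)."""
    addr_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return ip, int(port_hex, 16)


def find_shellbind_indicators(proc_net_tcp_text):
    """Return (kind, local, remote) tuples for sockets matching the indicators."""
    findings = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # first line is the header
        cols = line.split()
        if len(cols) < 4:
            continue
        local, remote = decode_endpoint(cols[1]), decode_endpoint(cols[2])
        state = int(cols[3], 16)
        if local[1] == BACKDOOR_PORT:
            kind = "listener" if state == TCP_LISTEN else "shell-session"
            findings.append((kind, local, remote))
        elif remote == BEACON_ADDR:
            findings.append(("beacon", local, remote))
    return findings


if __name__ == "__main__":
    # On a live little-endian Linux host, read /proc/net/tcp instead of SAMPLE.
    for kind, local, remote in find_shellbind_indicators(SAMPLE):
        print(f"{kind}: {local[0]}:{local[1]} <-> {remote[0]}:{remote[1]}")
```

A match is a lead to investigate rather than proof of infection, since another program could use the same local port.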



