SHELLBIND Malware exploits SambaCry to backdoor NAS devices

A new piece of malware dubbed SHELLBIND exploits the recently patched Samba vulnerability CVE-2017-7494 to attack Internet of Things devices.

CVE-2017-7494 is a seven-year-old remote code execution vulnerability that affects all versions of the Samba software since 3.5.0. The flaw has been patched by the development team of the project.

The vulnerability was dubbed SambaCry because of its similarities to the Windows SMB vulnerability exploited by the WannaCry ransomware.

Despite being patched in late May, the vulnerability is currently being leveraged by a new piece of malware to target Internet of Things (IoT) devices, particularly Network Attached Storage (NAS) appliances, researchers at Trend Micro warned.

Samba is open-source software (a re-implementation of the SMB/CIFS networking protocol) that provides Linux/Unix servers with Windows-based file and print services and runs on the majority of operating systems, including Linux, UNIX, IBM System 390, and OpenVMS.

Shortly after the public revelation of its existence, the SambaCry vulnerability (CVE-2017-7494) was exploited mostly to install cryptocurrency mining software ("CPUminer", which mines the "Monero" digital currency) on Linux systems.

SHELLBIND has infected most network-attached storage (NAS) appliances. It exploits the Samba vulnerability (also known as SambaCry and EternalRed) to upload a shared library to a writable share and then cause the server to load that library.

This trick allows a remote attacker to execute arbitrary code on the targeted system.

Experts at Trend Micro discovered that ELF_SHELLBIND.A is delivered as an SO file to Samba public folders; the attacker then loads and executes it by exploiting the SambaCry vulnerability.

The analysis published by Trend Micro states: “This more recent malware is detected as ELF_SHELLBIND.A and was found on July 3. Similar to the previous reports of SambaCry being used in the wild, it also opens a command shell on the target system. But ELF_SHELLBIND.A has marked differences that separate it from the earlier malware leveraging SambaCry. For one, it targets internet of things (IoT) devices—particularly the Network Attached Storage (NAS) devices favored by small to medium businesses.”

After uploading the .SO file to the Samba public shared folder, the attacker needs to guess the absolute local filename and send an IPC request to trick the server into loading and running the locally-stored program file.


Once the malware is loaded via said Export function, it starts by calling the function change_to_root_user, which is required by the Samba daemon (specific to SMBv2) to run as root or as the EUID of the current user. The malware then detaches itself from whatever parent process it is running under (a Samba server process) and daemonizes its process (via the function detach_from_parent). Once deployed on the targeted machine, the malware establishes communication with the attackers’ command and control (C&C) server located in East Africa, “169[.]239[.]128[.]123”, over TCP port 80, and modifies firewall rules to ensure that it can communicate with its server.

After successfully establishing a connection, the malware grants the attackers access to the infected device and provides them with an open command shell in the device, so that they can issue any number and type of system commands and eventually take control of the device.

“Once the connection is successfully established and authentication is confirmed, then the attacker will have an open command shell in the infected systems where he can issue any number of system commands and essentially take control of the device,” continues Trend Micro.

nt pipe support = no

to the Samba configuration file and restarting the network’s SMB daemon.

The change will limit clients from accessing some network computers.

The maintainers of Samba already patched the issue in Samba versions 4.6.4/4.5.10/4.4.14, so you are advised to patch your systems against the vulnerability as soon as possible.

Just make sure that your system is running an updated Samba version.

Also, attackers need to have writable access to a shared location on the target system to deliver the payload, which is another mitigating factor that might lower the rate of infection.
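A defender-side check built from the three mitigating factors above (a patched release, the nt pipe support workaround, no writable shares), as an added example that is not code from Trend Micro or the Samba project. The function names and the sample smb.conf are constructed, and treating branches later than 4.6 as fixed is an assumption.

```python
import re

TRUE = {"yes", "true", "1"}
INVERTED = {"writable", "writeable", "write ok"}   # smb.conf synonyms for "read only = no"
FIXED = {(4, 6): 4, (4, 5): 10, (4, 4): 14}        # patched releases named in the article

def version_is_affected(version):
    # Judged by version number only; a distro backport can make this a false positive.
    major, minor, patch = map(int, re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups())
    if (major, minor, patch) < (3, 5, 0) or (major, minor) > (4, 6):
        return False          # predates the flaw, or (assumption) a later, fixed branch
    return patch < FIXED.get((major, minor), float("inf"))

def parse_smb_conf(text):
    """Return {section: {parameter: value}}, lower-cased, write synonyms normalised."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = (" ".join(p.lower().split()) for p in line.split("=", 1))
            if key in INVERTED:
                key, value = "read only", "no" if value in TRUE else "yes"
            current[key] = value
    return sections

def audit(conf_text, version):
    conf = parse_smb_conf(conf_text)
    glob = conf.get("global", {})
    findings = []
    if version_is_affected(version):
        findings.append("version in affected range: update Samba")
        if glob.get("nt pipe support", "yes") in TRUE:
            findings.append("nt pipe support = no is not set in [global]")
    for name, share in conf.items():
        merged = {**glob, **share}     # share settings override [global] defaults
        if name != "global" and merged.get("read only", "yes") not in TRUE:
            guest = merged.get("guest ok", merged.get("public", "no")) in TRUE
            findings.append(f"[{name}] is writable" + (" by guests" if guest else ""))
    return findings

SAMPLE_CONF = """[global]
[public]
   writable = yes
   guest ok = yes
[docs]
   path = /srv/docs
"""  # constructed sample, not taken from a real device
```

Calling audit(SAMPLE_CONF, "4.5.9") returns one finding per missing mitigation; on a real host, pass the contents of the Samba configuration file and the installed version string.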

Author: Cognore

Cyber Security Solution
