Gitlab RCE Stealth Shellbot

Last year, a major RCE was found in GitLab, CVE-2021-22205, where GitLab versions >= 11.9 and <13.10.3 were affected due to improper image validation before passing it to a file parser.

Malicious image

The DjVu image is considered a legacy format, so not much attention has been paid to it. The GitLab RCE depends on a vulnerability in ExifTool, CVE-2021-22204, where improper parsing of annotations, including a dangerous eval to add quotes to a string, caused an RCE. A patch was created on the 13th April 2021 in this commit.


Loader script

Temporary memory file system

The script clears the temporary memory file system and creates the folder /dev/shm/kthzabor, which is an attempt to prevent the kthzabor mining malware from working.


Process killing

Hardcoded list

Many processes are attempted to be killed, such as databases, miners, various other malware, task managers and both defensive and offensive security tools.



pbotbyjanhotzu is likely a competing malware, but it doesn’t appear to have been reported on.


Network server killing


Any processes listening on ports associated with mining malware are also killed.

Mining malware killing


Processes with names possibly linked to mining malware such as sysrv-hello are killed. Mining processes are often very simply, where a regular script is executed with the pool ip address as an argument, so these are also killed.

Payload execution


Finally a perl script is fetched and executed.


The payload itself appears to be called “Stealth Shellbot”, which appears to have been in use since at least the 23rd Nov 2015. It appears to be adapted from “ShellBOT”, found on github. The authors may be Portuguese.


The bot connects to an IRC server and joins a channel.



VERSIONSends back the bot version
PINGSends back PONG
portscanScans ports 21, 22, 23, 25, 53, 80, 110, 143 on a host
downloadDownloads a payload
fullportscanScans a port range on a host
udpUDP flood
udpfaixaUDP range flood
conbackOpens a reverse shell
oldpackSends back a status message


The main evasion technique used is changing the process name to “/usr/local/apache/bin/httpd -DSSL”.




  • 0d00200acb2caf4e2bc52285795bb13cb916fc051550c8e9dd3a19897068a494
  • 9e52e0b8a9d3a3de2159c03974f0b778fe4c910fa09e7084435031f34cc0ff0e
  • 7b4ef0d14bec12844653b4dbaed7db96bcdd04bbc755d4b42970a065a9a3886d



Processes killed:

  • mysqldd
  • monero
  • kinsing
  • sshpass
  • sshexec
  • attack
  • dovecat
  • kthzabor
  • donate
  • ‘scan.log’
  • xmr-stak
  • crond64
  • stratum
  • /tmp/java
  • pastebin
  • /tmp/system
  • excludefile
  • agettyd
  • /var/tmp
  • ‘./python’
  • ‘./crun’
  • ‘./.’
  • ‘118/’
  • ‘.6379’
  • ’'
  • ‘’
  • ‘’
  • ‘.rsyslogds’
  • pnscan
  • masscan
  • kthreaddi
  • sysguard
  • kthreaddk
  • kdevtmpfsi
  • networkservice
  • sysupdate
  • phpguard
  • phpupdate
  • networkmanager
  • knthread
  • mysqlserver
  • watchbog
  • xmrig
  • /dev/shm
  • pbotbyjanhotzu