Mumblehard features two basic components: a backdoor and a spamming daemon.
Both are written in the Perl programming language and "feature the same custom packer written in assembly language."
The backdoor lets the operators get into the infected system and connect it to their command-and-control servers; the spamming daemon is a background process that sends large batches of spam e-mail from the infected servers.
The Mumblehard operators have been active for over five years, and perhaps even longer, without any disruption.
"Malware targeting Linux and [OpenBSD] servers [are] becoming more and more complex," Eset researchers wrote. "The fact that the [malware creator] used a custom packer...is somewhat sophisticated."
However, it isn't "as complex as the Windigo Operation we documented in 2014. Nonetheless, it is worrying that the Mumblehard operators have been active for many years without disruption."
Who is responsible for the spambot network?
The Mumblehard Linux malware actually exploits vulnerabilities in WordPress and Joomla content management systems in order to get into the servers.
Mumblehard is also distributed through ‘pirated’ copies of DirectMailer, a Linux and BSD program developed by Yellsoft for sending bulk e-mail and sold for $240 through the Russian firm's website.
So when a user installs the pirated version of DirectMailer, the Mumblehard operators get a backdoor onto that user's server through which they send spam messages.
Web server administrators should check their servers for Mumblehard infections by looking for unwanted cronjob entries that the malware adds in order to launch the backdoor every 15 minutes.
The backdoor is generally located in the /var/tmp or /tmp directories. You can deactivate this backdoor by mounting the tmp directory with the noexec option.
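As an added triage example (shell helpers written for this page, not code from the article or from ESET), the two checks described above: flag cron entries whose command lives under /tmp or /var/tmp, optionally narrowed to the 15-minute schedule, and test whether those directories are mounted noexec. The crontab lines, file name and mount table are constructed samples.

```shell
#!/bin/sh
# Triage helpers for the indicators the article names: cron entries that launch a file
# from /tmp or /var/tmp, and whether those directories are mounted noexec.
# Constructed sample crontab (not from a real host); the file name is a placeholder.
SAMPLE_CRONTAB='# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/15 * * * * /var/tmp/PLACEHOLDER_NAME >/dev/null 2>&1
30 * * * * /usr/local/bin/backup.sh
*/15 * * * * /tmp/.cache/run.sh'
# Constructed /proc/mounts-style lines: /tmp is noexec, /var/tmp is not.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda2 /var/tmp ext4 rw,relatime 0 0'

# Print lines of crontab text $1 whose command lives under /tmp or /var/tmp
# (comments and blank lines skipped). Works for /etc/crontab, cron.d and user spools.
tmp_cron_entries() {
    printf '%s\n' "$1" | grep -vE '^[[:space:]]*(#|$)' \
        | grep -E '(^|[[:space:]])(/var)?/tmp/' || true
}

# Narrow to the 15-minute schedule the article describes (*/15 in the minute field).
fifteen_minute_tmp_entries() {
    tmp_cron_entries "$1" | grep -E '^\*/15[[:space:]]' || true
}

# Succeed when mount point $2 in /proc/mounts-style text $1 carries noexec. A directory
# that is not its own mount point produces no line, so it is reported as executable.
mount_has_noexec() {
    printf '%s\n' "$1" | awk -v mp="$2" \
        '$2 == mp && $4 ~ /(^|,)noexec(,|$)/ { found = 1 } END { exit found ? 0 : 1 }'
}

# Live scan of the usual crontab locations (reading user spools needs root).
scan_host_crontabs() {
    for f in /etc/crontab /etc/cron.d/* /var/spool/cron/* /var/spool/cron/crontabs/*; do
        [ -f "$f" ] || continue
        hits=$(tmp_cron_entries "$(cat "$f" 2>/dev/null)")
        [ -n "$hits" ] && printf '%s:\n%s\n' "$f" "$hits"
    done
    return 0
}

# Demonstration on the constructed data; on a real host use scan_host_crontabs and
# pass "$(cat /proc/mounts)" as the first argument of mount_has_noexec.
tmp_cron_entries "$SAMPLE_CRONTAB"
for mp in /tmp /var/tmp; do
    mount_has_noexec "$SAMPLE_MOUNTS" "$mp" && echo "$mp: noexec" || echo "$mp: executable"
done
```

noexec only stops cron from launching a binary placed directly under that mount; the cron entries themselves still have to be removed, and an interpreter pointed at a script there is not blocked by the mount option.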