The IptabLes and IptabLex botnet is built from compromised Linux servers. Attackers have exploited Linux servers running unpatched, vulnerable versions of Apache Struts and Tomcat. Misconfigured Elasticsearch instances have also been targeted.
Once a Linux system has been compromised, the attackers escalate privileges and infect it with the IptabLes or IptabLex malware. At the time of the advisory, the botnet had been used mainly to attack entertainment verticals. The IptabLes and IptabLex bots may be used to target other industries.