ISC received a submission from Zach of a Perl/Shellbot.B trojan served by fallencrafts[.]info/download/himad.png. The trojan has limited detection on VirusTotal. The script contains a “hostauth” of sosick[.]net, and the IRC server that the compromised systems connect to is located at 18.104.22.168. From what we have so far, it appears to be exploiting an older version of Plesk.
md5: bca0b2a88338427ba2e8729e710122cd himad.png
sha-256: 07f968e3996994465f0ec642a5104c0a81b75b0b0ada4005c8c9e3cfb0c51ff9 himad.png
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.