Cybersecurity experts have recently unveiled details about a sophisticated botnet known as SSHStalker, which employs the Internet Relay Chat (IRC) protocol for command-and-control (C2) operations. This new threat targets legacy Linux systems, exploiting older vulnerabilities that continue to exist within forgotten or outdated infrastructure.
Understanding SSHStalker’s Approach
According to cybersecurity firm Flare, SSHStalker employs a combination of stealth tactics and obsolete Linux exploits. These include log tampering tools and rootkits, which allow the botnet to avoid detection. Although the exploits are old, originally targeting Linux kernel versions from 2009 to 2010, they remain effective against neglected systems. The botnet uses an automated approach to identify and compromise vulnerable systems, incorporating them into IRC channels for control.
Mechanics and Tools Used
Unlike typical botnets that engage in activities like DDoS attacks or cryptocurrency mining, SSHStalker focuses on maintaining access and control without immediate post-exploitation actions. This dormant behavior suggests the infrastructure might be used for strategic purposes in the future. A key element of SSHStalker is its Golang-based scanner, which targets port 22 to identify open SSH servers, spreading rapidly in a worm-like manner. The attack toolkit includes various payloads, such as IRC-controlled bots and Perl scripts, which are designed to execute network flooding attacks and manage compromised bots.
The malware also employs C programs to clean SSH connection logs, erasing malicious activity traces to evade forensic analysis. Additionally, a “keep-alive” feature ensures the main malware process is quickly relaunched if terminated by defense mechanisms.
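A defender-side check for the log-cleaning behaviour described above, added here as an example that is not from the article or from Flare's report: it parses a wtmp-style login record file and flags the traces that classic Linux log wipers leave behind (records overwritten with zeros, logouts whose login record is gone, timestamps that run backwards). It assumes the glibc x86_64 struct utmp layout and runs against a constructed sample file rather than a real system's /var/log/wtmp.

```python
import struct

# Layout of struct utmp from glibc on x86_64 (384 bytes). Assumption: the
# wtmp being inspected was written by a glibc-based Linux with this layout.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)
USER_PROCESS, DEAD_PROCESS = 7, 8


def _cstr(s, n):
    """Encode a string as a NUL-padded fixed-width C char array."""
    return s.encode().ljust(n, b"\0")


def pack_record(ut_type, pid, line, user, host, tv_sec):
    """Build one wtmp record; used only to construct sample data here."""
    return struct.pack(UTMP_FMT, ut_type, pid, _cstr(line, 32), b"ts/0",
                       _cstr(user, 32), _cstr(host, 256), 0, 0, 0,
                       tv_sec, 0, 0, 0, 0, 0)


def audit_wtmp(blob):
    """Return a list of (record_index, reason) pairs that suggest tampering."""
    findings, open_lines, last_ts = [], set(), 0
    for off in range(0, len(blob) - UTMP_SIZE + 1, UTMP_SIZE):
        rec, idx = blob[off:off + UTMP_SIZE], off // UTMP_SIZE
        if rec == b"\0" * UTMP_SIZE:
            # zap-style cleaners overwrite the target entry with zeros
            findings.append((idx, "null record (entry overwritten with zeros)"))
            continue
        fields = struct.unpack(UTMP_FMT, rec)
        ut_type, line, tv_sec = fields[0], fields[2].rstrip(b"\0").decode(), fields[9]
        if tv_sec < last_ts:
            # wtmp is append-only; an earlier timestamp means it was rewritten
            findings.append((idx, "timestamp earlier than previous record"))
        last_ts = max(last_ts, tv_sec)
        if ut_type == USER_PROCESS:
            open_lines.add(line)
        elif ut_type == DEAD_PROCESS:
            if line not in open_lines:
                findings.append((idx, f"logout on {line} with no matching login"))
            open_lines.discard(line)
    if len(blob) % UTMP_SIZE:
        findings.append((len(blob) // UTMP_SIZE, "trailing partial record"))
    return findings


# Constructed sample: an admin session, then an intruder session whose login
# record was zeroed by a log cleaner, leaving an orphaned logout record.
SAMPLE_WTMP = b"".join([
    pack_record(USER_PROCESS, 4101, "pts/0", "admin", "10.0.0.5", 1_700_000_000),
    pack_record(DEAD_PROCESS, 4101, "pts/0", "", "", 1_700_000_600),
    b"\0" * UTMP_SIZE,  # wiped intruder login
    pack_record(DEAD_PROCESS, 5230, "pts/1", "", "", 1_700_001_200),
])

if __name__ == "__main__":
    for idx, reason in audit_wtmp(SAMPLE_WTMP):
        print(f"record {idx}: {reason}")
```

On a live host, read /var/log/wtmp (and btmp, which shares the layout) into `audit_wtmp` and compare the result with sshd's own logs, since a cleaner that touches only one of the two sources leaves the other as a witness.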
The Threat Actor and Potential Origins
Flare’s research into the botnet’s infrastructure revealed a vast array of offensive open-source tools and malware samples, including rootkits, cryptocurrency miners, and scripts for stealing AWS credentials. The presence of Romanian-style elements in IRC channels led researchers to suspect a Romanian origin for the threat actor, potentially linked to the Outlaw hacking group. This group is known for its disciplined operations and use of mature orchestration techniques, rather than developing new exploits or rootkits.
SSHStalker’s strategy demonstrates a focus on efficient mass compromise and long-term persistence across heterogeneous Linux environments, relying heavily on the C language for core components and using shell scripts for orchestration and maintenance tasks.
As SSHStalker continues to exploit legacy systems, organizations are urged to review and update their cybersecurity measures to protect against this and similar threats. The reliance on outdated vulnerabilities underscores the importance of maintaining up-to-date security practices to prevent exploitation by advanced botnets like SSHStalker.
