A recently discovered Linux botnet, termed SSHStalker, is exploiting vulnerabilities and methods from as far back as 2009. This development comes from insights provided by cybersecurity firm Flare.
Legacy Techniques and Tools
SSHStalker employs a blend of outdated tools, including an Internet Relay Chat (IRC) bot and multiple Linux kernel exploits from 2009. Flare reports that the botnet is rather overt in its operations, running a cron job every minute for persistence and employing a ‘watchdog’ model to relaunch processes. Additionally, it deploys a variety of scanners and malware on compromised systems.
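The every-minute cron job the report describes is a pattern a defender can hunt for directly. The following is an added example, not code from Flare or from the botnet: it parses a constructed crontab (the sample entries are made up, not indicators from the report) and returns the commands scheduled to run every minute, which is the persistence and watchdog behaviour the article attributes to SSHStalker.

```python
# Constructed sample crontab (not from the Flare report). The two entries
# that run every minute imitate the persistence pattern described above.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/certbot renew --quiet
*/15 * * * * /usr/local/bin/backup.sh
* * * * * /tmp/.x/watchdog.sh >/dev/null 2>&1
*/1 * * * * /var/tmp/.svc/run >/dev/null 2>&1
@hourly /usr/bin/updatedb
"""

CRON_FIELDS = 5


def is_every_minute(fields: list[str]) -> bool:
    """True when the five schedule fields mean 'every minute': '*' or '*/1'
    in the minute field and '*' in the remaining four."""
    minute, rest = fields[0], fields[1:]
    return minute in ("*", "*/1") and all(f == "*" for f in rest)


def parse_crontab(text: str) -> list[tuple[str, str]]:
    """Return (schedule, command) pairs for every non-comment crontab entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):  # @hourly, @reboot, ... macros
            macro, _, cmd = line.partition(" ")
            entries.append((macro, cmd.strip()))
            continue
        parts = line.split(None, CRON_FIELDS)
        if len(parts) < CRON_FIELDS + 1:
            continue  # malformed line, nothing to schedule
        entries.append((" ".join(parts[:CRON_FIELDS]), parts[CRON_FIELDS]))
    return entries


def find_every_minute_jobs(text: str) -> list[str]:
    """Commands scheduled every minute: a strong persistence/watchdog signal
    worth reviewing on any Linux host."""
    hits = []
    for schedule, cmd in parse_crontab(text):
        fields = schedule.split()
        if len(fields) == CRON_FIELDS and is_every_minute(fields):
            hits.append(cmd)
    return hits


if __name__ == "__main__":
    for cmd in find_every_minute_jobs(SAMPLE_CRONTAB):
        print("every-minute cron job:", cmd)
```

Run it against `crontab -l` output per user and the files under `/etc/cron.d` to triage hosts; legitimate every-minute jobs exist, so each hit needs a look at what the command actually launches.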
Link to Previous Botnets
Artifacts of SSHStalker bear similarities to known Romanian-linked botnet activities such as Outlaw and Dota. However, no direct connections to these older Linux campaigns were identified. This suggests the possibility of a derivative operator, a mimic, or an actor linked to the Outlaw group behind this botnet.
Infection Strategy and Impact
The botnet’s infection process involves deploying several C-based IRC bot variants, a Perl IRC bot, and malware such as Tsunami and Keiten. This strategy appears to be more opportunistic than targeted. SSHStalker has likely compromised about 7,000 systems, focusing on outdated Linux versions, which account for approximately 1–3% of internet-accessible Linux servers. Flare notes the potential impact could rise to 5–10% in environments like legacy hosting services and obsolete virtual private server images.
Operational Maturity and Infrastructure
SSHStalker uses open-source exploits commonly utilized by low-to-moderate-skill threat actors, though its curated kernel exploits indicate a certain level of operational competence. Flare’s investigation revealed nearly two dozen binaries and files deployed by the botnet. Once the SSH scanner has been run, two IRC-controlled bot variants are deployed first, followed by a Perl bot for command-and-control operations, persistence scripts, privilege escalation, and log cleaning.
Flare also uncovered the botnet’s IRC server, but no active communication was detected, suggesting it may be dormant or in preparation. The server and room structure were hosted on what appeared to be a legitimate public IRC network, indicating a well-maintained environment.
