Cybersecurity researchers have disclosed details of a new botnet operation called SSHStalker that relies on the Internet Relay Chat (IRC) communication protocol for command-and-control (C2) purposes.
“The toolset blends stealth helpers with legacy-era Linux exploitation: Alongside log cleaners (utmp/wtmp/lastlog tampering) and rootkit-class artifacts, the actor keeps a large back-catalog of Linux 2.6.x-era exploits (2009–2010 CVEs),” cybersecurity company Flare said. “These are low value against modern stacks, but remain effective against ‘forgotten’ infrastructure and long-tail legacy environments.”
IRC Botnet Mechanics and Mass Compromise
SSHStalker combines IRC botnet mechanics with an automated mass-compromise operation that uses an SSH scanner and other readily available scanners to co-opt susceptible systems into a network and enroll them in IRC channels.
However, unlike other campaigns that typically leverage such botnets for opportunistic efforts like distributed denial-of-service (DDoS) attacks, proxyjacking, or cryptocurrency mining, operators behind SSHStalker maintain persistent access without engaging in any follow-on post-exploitation behavior.
Consequently, this dormant behavior sets it apart and raises the possibility that the compromised infrastructure serves staging, testing, or strategic access retention for future use.
Worm-Like Propagation and Payload Deployment
A core component of SSHStalker is a Golang scanner that scans for port 22 for servers with open SSH in order to extend its reach in a worm-like fashion. Additionally, the operators drop several payloads, including variants of an IRC-controlled bot and a Perl file bot that connects to an UnrealIRCd IRC Server, joins a control channel, and waits for commands that allow it to carry out flood-style traffic attacks and commandeer the bots.
At the same time, the attackers execute C program files to clean SSH connection logs and erase traces of malicious activity from logs to reduce forensic visibility. Furthermore, the malware toolkit contains a “keep-alive” component that ensures the main malware process relaunches within 60 seconds if a security tool terminates it.
Notably, SSHStalker blends mass compromise automation with a catalog of 16 distinct vulnerabilities impacting the Linux kernel, some going all the way back to 2009. The exploit module uses flaws such as CVE-2009-2692, CVE-2009-2698, CVE-2010-3849, CVE-2010-1173, CVE-2009-2267, CVE-2009-2908, CVE-2009-3547, CVE-2010-2959, and CVE-2010-3437.
Staging Infrastructure and Tooling Arsenal
Flare’s investigation of the staging infrastructure associated with the threat actor uncovered an extensive repository of open-source offensive tooling and previously published malware samples. These include –
- Rootkits to facilitate stealth and persistence
- Cryptocurrency miners
- A Python script that executes a binary called “website grabber” to steal exposed Amazon Web Services (AWS) secrets from targeted websites
- EnergyMech, an IRC bot that provides C2 and remote command execution capabilities
Attribution Clues and Operational Discipline
Researchers suspect that the threat actor behind the activity could be of Romanian origin, given the presence of “Romanian-style Nicknames, slang patterns, and naming conventions inside IRC channels and Configuration Wordlists.” Moreover, the Operational Fingerprint exhibits strong Overlaps with that of a hacking group known as Outlaw (aka Dota).
“SSHStalker does not appear to focus on novel exploit development but instead demonstrates operational control through mature implementation and orchestration, by primarily using C for core bot and low-level components, shell for orchestration and persistence, and limited Python and Perl usage mainly for utility or supporting automation tasks inside the attack chain and running the IRCbot,” Flare said.
“The threat actor is not developing zero-days or novel rootkits, but demonstrating strong operational discipline in mass compromise workflows, infrastructure recycling, and long-tail persistence across heterogeneous Linux environments.”
Source: TheHackerNews
Read more at Impreza News
