
Cybersecurity researchers have revealed details of a new botnet operation called SSHStalker that relies on the Internet Relay Chat (IRC) communication protocol for command and control (C2) purposes.
“This toolset blends stealth helpers with legacy-era Linux exploits. Alongside log cleaners (utmp/wtmp/lastlog tampering) and rootkit-class artifacts, attackers maintain a large back catalog of Linux 2.6.x-era exploits (CVEs from 2009-2010),” said cybersecurity firm Flare. “While these have less value against modern stacks, they are still effective against ‘forgotten’ infrastructure and long-tail legacy environments.”
SSHStalker combines the mechanics of an IRC botnet with an automated mass compromise operation that uses SSH scanners and other readily available scanners to bring susceptible systems into the network and register them on IRC channels.
However, unlike other campaigns that typically use such botnets for purposes such as distributed denial of service (DDoS) attacks, proxyjacking, and cryptocurrency mining, SSHStalker has been observed maintaining persistent access without any post-exploitation activity.
This dormant behavior increases the likelihood that the compromised infrastructure is being used for staging, testing, or strategically retaining access for future use.
The core component of SSHStalker is a Golang scanner that probes port 22 to find servers with SSH exposed, extending its reach in a worm-like manner. Several payloads are also dropped, including a variant of the IRC control bot and a Perl file bot that connects to the UnrealIRCd IRC server, joins the control channel, and waits for commands that allow it to carry out flood-style traffic attacks and take over the bot.
The toolkit also includes a C program that clears SSH connection logs, removing traces of malicious activity and reducing forensic visibility. In addition, it ships a “keepalive” component that ensures the main malware process is restarted within 60 seconds if it is terminated by a security tool.
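The utmp/wtmp/lastlog tampering mentioned above is the kind of artifact a responder looks for after the fact. The following Python is an added example, not code from the Flare report or from the SSHStalker toolkit: it parses a wtmp buffer using the 64-bit glibc record layout (384 bytes per entry) and flags three common traces left by log cleaners: records zeroed in place, login records whose username has been blanked, and timestamps that run backwards in what should be an append-only file. The sample records, usernames and addresses are constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# struct utmp as laid out by 64-bit glibc on Linux: 384 bytes, little-endian.
# Fields: ut_type, (2 pad), ut_pid, ut_line[32], ut_id[4], ut_user[32],
# ut_host[256], ut_exit{e_termination,e_exit}, ut_session, ut_tv{sec,usec},
# ut_addr_v6[4], 20 reserved bytes.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS = 7  # a login session record


@dataclass
class UtmpRecord:
    ut_type: int
    pid: int
    line: str
    user: str
    host: str
    tv_sec: int
    zeroed: bool  # whole record is NUL bytes, a classic wipe artifact


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("latin-1")


def parse_wtmp(data: bytes) -> List[UtmpRecord]:
    """Split a wtmp/utmp byte buffer into records; rejects truncated files."""
    if len(data) % UTMP_SIZE:
        raise ValueError("file length is not a multiple of the utmp record size")
    records = []
    for off in range(0, len(data), UTMP_SIZE):
        chunk = data[off:off + UTMP_SIZE]
        f = struct.unpack(UTMP_FMT, chunk)
        records.append(UtmpRecord(
            ut_type=f[0], pid=f[1], line=_cstr(f[2]), user=_cstr(f[4]),
            host=_cstr(f[5]), tv_sec=f[9], zeroed=not any(chunk)))
    return records


def find_tampering(records: List[UtmpRecord]) -> List[Tuple[int, str]]:
    """Return (record index, reason) for entries that look like cleaner residue."""
    findings = []
    last_ts = 0
    for i, r in enumerate(records):
        if r.zeroed:
            # Many cleaners overwrite the entry with zeros instead of rewriting
            # the file without it, leaving a hole in the sequence.
            findings.append((i, "zeroed record"))
            continue
        if r.tv_sec < last_ts:
            # wtmp is append-only, so time normally never runs backwards.
            findings.append((i, "timestamp earlier than preceding record"))
        last_ts = max(last_ts, r.tv_sec)
        if r.ut_type == USER_PROCESS and r.user == "":
            # A login with the username blanked out but the rest left intact.
            findings.append((i, "USER_PROCESS with empty username"))
    return findings


def make_record(ut_type: int, pid: int, line: str, user: str, host: str, tv_sec: int) -> bytes:
    """Pack one record; used here only to build the constructed sample data."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


# Constructed sample: a normal login, a wiped entry, a back-dated login and a
# login whose username was blanked. Addresses are from documentation ranges.
SAMPLE_WTMP = b"".join([
    make_record(USER_PROCESS, 4101, "pts/0", "root", "203.0.113.5", 1700000000),
    bytes(UTMP_SIZE),
    make_record(USER_PROCESS, 4150, "pts/1", "admin", "198.51.100.7", 1699999000),
    make_record(USER_PROCESS, 4200, "pts/2", "", "203.0.113.9", 1700000500),
])

if __name__ == "__main__":
    for idx, reason in find_tampering(parse_wtmp(SAMPLE_WTMP)):
        print(f"record {idx}: {reason}")
```

On a live host the same checks run over the contents of /var/log/wtmp; the heuristics are deliberately conservative (logout records legitimately carry an empty username, so only USER_PROCESS entries are flagged), and any hit is a prompt to compare against sshd entries in the authentication log rather than a verdict on its own.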

SSHStalker is known for combining mass breach automation with a catalog of 16 different vulnerabilities affecting the Linux kernel, some dating back to 2009. Some of the flaws used in the exploit module include CVE-2009-2692, CVE-2009-2698, CVE-2010-3849, CVE-2010-1173, CVE-2009-2267, CVE-2009-2908, CVE-2009-3547, CVE-2010-2959, and CVE-2010-3437.
Flare’s investigation into the staging infrastructure associated with the threat actors revealed an extensive repository of open source attack tools and previously published malware samples. These include –
- Rootkits that promote stealth and persistence
- Cryptocurrency miners
- Python scripts that run binaries called “website grabbers” to steal exposed Amazon Web Services (AWS) secrets from targeted websites
- IRC bots that provide C2 and remote command execution capabilities, such as EnergyMech
It is suspected that the attackers behind this activity may be of Romanian origin, due to the presence of “Romanian-style nicknames, slang patterns, and naming conventions within IRC channels and configured word lists.” Additionally, its operational fingerprint shows strong overlap with that of the hacking group known as Outlaw (also known as Dota).
“SSHStalker does not appear to be focused on developing new exploits, but instead demonstrates a mature implementation and operational control through orchestration, using primarily C for core bots and low-level components, Shell for orchestration and persistence, and limited Python and Perl primarily to support utilities or automated tasks within the attack chain and to run IRCbot,” Flare said.
“The attackers are not developing zero-days or new rootkits, but are demonstrating strong operational discipline in mass compromise workflows, infrastructure recycling, and long-tail persistence across heterogeneous Linux environments.”
