SSHStalker: A Stealthy Botnet with a Twist
In a recent revelation, cybersecurity experts have uncovered a unique botnet operation, SSHStalker, that employs the Internet Relay Chat (IRC) protocol for command and control. This botnet stands out from the crowd, and here's why.
SSHStalker combines the traditional IRC botnet mechanics with an automated mass compromise strategy. It uses an SSH scanner and other tools to identify and recruit vulnerable Linux systems into its network. But here's the unusual part: unlike typical botnets, SSHStalker stops at that point. It maintains persistent access without engaging in the usual post-exploitation activities such as DDoS attacks or cryptocurrency mining.
This dormant behavior has raised eyebrows, suggesting that the compromised infrastructure might be a strategic staging ground for future operations. SSHStalker's core component is a Golang scanner that looks for open SSH ports on servers, allowing it to spread like a worm. It also deploys various payloads, including IRC-controlled bots and Perl file bots, which connect to an UnrealIRCd IRC server and await commands to launch traffic attacks.
The botnet's toolkit includes a clever log cleaner, erasing traces of its activity from SSH connection logs. Additionally, a 'keep-alive' component ensures the main malware process restarts within 60 seconds if terminated. This level of sophistication is rare and intriguing.
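A defender-side check for the two behaviours just described, the IRC command channel and the scrubbing of SSH connection logs, written as an added example for this article and not taken from the report or from the botnet's code. The auth.log lines, wtmp records and socket table below are constructed, and the cross-check assumes the log cleaner touches only sshd's entries, leaving wtmp as a second source of truth.

```python
import re

# Constructed auth.log excerpt (not from the article).
AUTH_LOG = """\
Mar  3 10:02:11 web1 sshd[2211]: Failed password for root from 198.51.100.7 port 51022 ssh2
Mar  3 10:02:14 web1 sshd[2211]: Accepted password for root from 198.51.100.7 port 51022 ssh2
Mar  3 10:09:40 web1 sshd[2290]: Accepted publickey for deploy from 192.0.2.10 port 40112 ssh2
"""

# Constructed login records as wtmp ("last -F" style) would report them:
# (user, source host, login time). The third has no sshd line at all.
WTMP_LOGINS = [
    ("root", "198.51.100.7", "2024-03-03 10:02:14"),
    ("deploy", "192.0.2.10", "2024-03-03 10:09:40"),
    ("root", "203.0.113.9", "2024-03-03 10:31:05"),
]

# Constructed socket table as a defender might collect it (ss -tnp style);
# the process names are invented for the example.
CONNECTIONS = [
    {"pid": 4120, "comm": "sshd", "raddr": "192.0.2.10", "rport": 40112},
    {"pid": 4731, "comm": "kworkerds", "raddr": "198.51.100.200", "rport": 6667},
    {"pid": 4802, "comm": "perl", "raddr": "198.51.100.201", "rport": 6697},
]

# 6660-6669 are the classic IRC ports, 6697 is IRC over TLS (RFC 7194).
IRC_PORTS = set(range(6660, 6670)) | {6697}
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port")


def accepted_logins(auth_text):
    """Set of (user, host) pairs that sshd recorded as successful logins."""
    return set(ACCEPTED_RE.findall(auth_text))


def unlogged_sessions(wtmp_logins, auth_text):
    """wtmp sessions with no matching 'Accepted' line in auth.log.

    A cleaner that only scrubs sshd lines leaves wtmp inconsistent with
    auth.log; every mismatch is a session worth treating as suspicious.
    """
    seen = accepted_logins(auth_text)
    return [(u, h, t) for u, h, t in wtmp_logins if (u, h) not in seen]


def irc_connections(conns, allowed_comms=("irssi", "weechat")):
    """Connections to IRC-typical ports from processes not expected to use IRC."""
    return [c for c in conns
            if c["rport"] in IRC_PORTS and c["comm"] not in allowed_comms]


if __name__ == "__main__":
    for u, h, t in unlogged_sessions(WTMP_LOGINS, AUTH_LOG):
        print(f"wtmp login {u}@{h} at {t} has no sshd Accepted entry")
    for c in irc_connections(CONNECTIONS):
        print(f"pid {c['pid']} ({c['comm']}) -> {c['raddr']}:{c['rport']} looks like IRC C2")
```

On a real host the same two functions would be fed by parsing `last -F` and `ss -tnp` output; the allow-list of IRC clients is an assumption to be tuned per environment.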
What sets SSHStalker apart is its exploitation of a catalog of 16 distinct vulnerabilities in the Linux kernel, some dating back to 2009. This blend of mass compromise automation and legacy exploits is a unique strategy. Some of the vulnerabilities exploited include CVE-2009-2692, CVE-2009-2698, and CVE-2010-3849.
Flare's investigation revealed an extensive repository of open-source offensive tools and malware samples associated with the threat actor. These include rootkits, cryptocurrency miners, and a Python script to steal AWS secrets. The operational fingerprint of the actor aligns with a Romanian hacking group known as Outlaw.
SSHStalker's focus is on mature implementation and orchestration rather than developing new exploits. It primarily uses C for core bot components and low-level tasks, with limited Python and Perl usage for automation. This demonstrates a strong operational discipline in mass compromise and long-term persistence across diverse Linux environments.
So, what do you think? Is SSHStalker a sign of a new, more sophisticated threat actor on the scene? Or is it just a clever use of old tricks? We'd love to hear your thoughts in the comments!