SSHStalker: Linux Botnet Uses IRC for Command & Control

by Chief Editor

SSHStalker: A Blast from the Past Reshapes the Linux Botnet Landscape

A newly discovered Linux botnet, dubbed SSHStalker, is making waves in the cybersecurity world – not for its cutting-edge techniques, but for its reliance on remarkably outdated technology. Researchers at Flare have documented the botnet’s operations, revealing a preference for IRC (Internet Relay Chat) for command-and-control (C2) communications, a protocol that peaked in popularity in the 1990s.

Old Tech, New Threat: Why IRC?

IRC, invented in 1988, offers simplicity, interoperability, and low bandwidth requirements. Whereas modern C2 frameworks prioritize stealth, SSHStalker prioritizes resilience, scale, and cost-effectiveness. This approach extends to other aspects of its operation, including the use of noisy SSH scans, frequent cron jobs, and exploitation of vulnerabilities dating back 15 years.

“What we actually found was a loud, stitched-together botnet kit that mixes old-school IRC control, compiling binaries on hosts, mass SSH compromise, and cron-based persistence. In other words, a scale-first operation that favors reliability over stealth,” Flare stated in their analysis.

How SSHStalker Spreads and Operates

SSHStalker gains initial access through automated SSH scanning and brute-forcing attacks. It employs a Go binary disguised as the network discovery tool nmap. Once inside a system, it scans for further SSH targets, exhibiting worm-like propagation. Currently, over 7,000 systems have been compromised, with a significant concentration of victims being cloud hosting providers, particularly those using Oracle Cloud Infrastructure.

Once a host is infected, SSHStalker downloads the GCC toolchain to compile payloads directly on the victim machine, enhancing portability and evasion. The initial payloads are C-based IRC bots, hardcoded with C2 server and channel information, integrating the new victim into the botnet’s infrastructure. Further components, named GS and bootbou, are then downloaded for orchestration and execution.

Persistence and Privilege Escalation

SSHStalker maintains persistence through cron jobs that execute every 60 seconds, acting as a watchdog to ensure the main bot process remains active. The botnet also leverages 16 known vulnerabilities (CVEs) from the 2009-2010 timeframe to escalate privileges after initial access is gained.

Monetization and Potential Activities

Flare’s research indicates that SSHStalker is involved in AWS key harvesting and website scanning. It also includes cryptomining kits, specifically PhoenixMiner, an Ethereum miner. While DDoS capabilities are present, researchers haven’t observed any active attacks, suggesting the botnet may be in a testing or access-hoarding phase.

Attribution and Mitigation

Currently, SSHStalker’s origins remain unconfirmed. However, Flare notes similarities to the Outlaw/Maxlas botnet ecosystem and indicators linked to Romania.

To mitigate the risk of SSHStalker infections, Flare recommends:

  • Monitoring for compiler installation and execution on production servers.
  • Alerting on IRC-style outbound connections.
  • Identifying cron jobs with short execution cycles originating from unusual paths.
  • Disabling SSH password authentication.
  • Removing compilers from production images.
  • Implementing egress filtering.
  • Restricting execution from ‘/dev/shm’.
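Two of the checks above (cron jobs with one-minute cycles launched from scratch directories, and outbound connections to IRC-style ports) are shown below as an added example; this is not code from Flare’s report or from this article. The crontab and `ss -tn` samples are constructed, and the list of “unusual” path prefixes and the IRC port set are assumptions a defender would tune for their own environment.

```python
import re

# Constructed sample user crontab (5 time fields + command), not real IoCs
SAMPLE_CRONTAB = """\
0 3 * * * /usr/bin/certbot renew --quiet
* * * * * /dev/shm/.x/run.sh >/dev/null 2>&1
*/1 * * * * /tmp/.cache/gs
*/5 * * * * /usr/local/bin/backup.sh
"""
# Constructed sample `ss -tn` rows: state recv-q send-q local peer
SAMPLE_CONNECTIONS = """\
ESTAB 0 0 10.0.0.5:43122 203.0.113.9:6667
ESTAB 0 0 10.0.0.5:51734 198.51.100.20:443
ESTAB 0 0 10.0.0.5:40011 192.0.2.77:7000
"""
UNUSUAL_PREFIXES = ("/dev/shm/", "/tmp/", "/var/tmp/")  # assumed scratch dirs
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}  # assumed common IRC ports
CRON_RE = re.compile(r"^(\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)$")

def find_suspicious_cron(crontab_text):
    """Return (minute_field, binary) for jobs that fire every minute
    and launch a binary from a world-writable scratch directory."""
    hits = []
    for line in crontab_text.splitlines():
        m = CRON_RE.match(line.strip())
        if not m or line.lstrip().startswith("#"):
            continue
        minute, binary = m.group(1), m.group(2).split()[0]
        if minute in ("*", "*/1") and binary.startswith(UNUSUAL_PREFIXES):
            hits.append((minute, binary))
    return hits

def find_irc_connections(ss_text):
    """Return peer 'host:port' strings whose port is a common IRC port."""
    peers = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        port = fields[4].rpartition(":")[2]
        if port.isdigit() and int(port) in IRC_PORTS:
            peers.append(fields[4])
    return peers

if __name__ == "__main__":
    for minute, path in find_suspicious_cron(SAMPLE_CRONTAB):
        print(f"every-minute cron job from unusual path: {minute} {path}")
    for peer in find_irc_connections(SAMPLE_CONNECTIONS):
        print(f"outbound connection to IRC-style port: {peer}")
```

On a real host, feed it `crontab -l` output for each user plus the files under `/etc/cron.d` (which carry an extra user field) and the live output of `ss -tn`.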

The Future of “Retro” Botnets

SSHStalker’s success raises questions about the future of botnet development. Will we see a resurgence of older techniques as attackers seek to evade detection by focusing on less-monitored methods? The reliance on IRC and older CVEs suggests a shift away from sophisticated, stealth-focused malware towards simpler, more scalable solutions.

This trend could be driven by several factors, including the increasing complexity of modern security defenses and the availability of readily exploitable legacy systems. Attackers may find that “old school” methods are surprisingly effective against organizations that haven’t adequately addressed basic security hygiene.

Pro Tip:

Regularly patching systems and disabling unnecessary services are crucial steps in preventing SSHStalker and similar threats. Focus on the fundamentals of cybersecurity – strong passwords, multi-factor authentication, and proactive vulnerability management.

FAQ

What is SSHStalker? SSHStalker is a Linux botnet that uses the IRC protocol for command and control.

How does SSHStalker spread? It spreads through automated SSH scanning and brute-forcing attacks.

What is IRC? IRC (Internet Relay Chat) is an older text-based communication protocol.

How can I protect myself from SSHStalker? Disable SSH password authentication, remove compilers from production systems, and monitor for suspicious activity.
