SSHStalker Botnet Uses IRC C2 to Control Linux Systems

Post Views: 4

SSHStalker Botnet Uses IRC C2 to Control Linux Systems via Legacy Kernel Exploits

Cybersecurity researchers have disclosed details of a new botnet operation called SSHStalker that relies on the Internet Relay Chat (IRC) communication protocol for command-and-control (C2) purposes. The toolset blends stealth helpers with legacy-era Linux exploitation, alongside log cleaners and rootkit-class artifacts.

Key Features of SSHStalker

SSHStalker combines IRC botnet mechanics with an automated mass-compromise operation that uses an SSH scanner and other readily available scanners to co-opt susceptible systems into a network and enroll them in IRC channels. However, unlike other campaigns that typically leverage such botnets for opportunistic efforts like distributed denial-of-service (DDoS) attacks, proxyjacking, or cryptocurrency mining, SSHStalker has been found to maintain persistent access without any follow-on post-exploitation behavior.

Attack Mechanism

A core component of SSHStalker is a Golang scanner that scans for port 22 for servers with open SSH in order to extend its reach in a worm-like fashion. Also dropped are several payloads, including variants of an IRC-controlled bot and a Perl file bot that connects to an UnrealIRCd IRC Server, joins a control channel, and waits for commands that allow it to carry out flood-style traffic attacks and commandeer the bots.

Log Cleaning and Persistence

The attacks are also characterized by the execution of C program files to clean SSH connection logs and erase traces of malicious activity from logs to reduce forensic visibility. Furthermore, the malware toolkit contains a “keep-alive” component that ensures the main malware process is relaunched within 60 seconds.

Vulnerabilities Exploited

SSHStalker is notable for blending mass compromise automation with a catalog of 16 distinct vulnerabilities impacting the Linux kernel, some going all the way back to 2009. Some of the flaws used in the exploit module are CVE-2009-2692, CVE-2009-2698, CVE-2010-3849, CVE-2010-1173, CVE-2009-2267, CVE-2009-2908, CVE-2009-3547, CVE-2010-2959, and CVE-2010-3437.

Threat Actor and Infrastructure

Flare’s investigation of the staging infrastructure associated with the threat actor has uncovered an extensive repository of open-source offensive tooling and previously published malware samples. These include rootkits to facilitate stealth and persistence, cryptocurrency miners, and a Python script that executes a binary called “website grabber” to steal exposed Amazon Web Services (AWS) secrets from targeted websites.

It’s suspected that the threat actor behind the activity could be of Romanian origin, given the presence of “Romanian-style nicknames, slang patterns, and naming conventions inside IRC channels and configuration wordlists.” What’s more, the operational fingerprint exhibits strong overlaps with that of a hacking group known as Outlaw (aka Dota).

Conclusion

SSHStalker does not appear to focus on novel exploit development but instead demonstrates operational control through mature implementation and orchestration, by primarily using C for core bot and low-level components, shell for orchestration and persistence, and limited Python and Perl usage mainly for utility or supporting automation tasks inside the attack chain and running the IRCbot,” Flare said.

“The threat actor is not developing zero-days or novel rootkits, but demonstrating strong operational discipline in mass compromise workflows, infrastructure recycling, and long-tail persistence across heterogeneous Linux environments.”