New Linux botnet SSHStalker uses IRC C2 and scanned nearly 7,000 hosts

A technical analysis by Flare reported that a newly documented Linux botnet named SSHStalker uses the IRC protocol for command and control and that researchers collected results from nearly 7,000 bot scans in January.

KEY FACTS

  • Targets: cloud hosts, with many scans focused on Oracle Cloud
  • Propagation: automated SSH scanning and brute forcing
  • C2: IRC-based C bots with hard-coded servers and channels
  • Persistence: cron jobs running every 60 seconds
  • Exploits: includes 16 CVE exploits for older Linux kernels

SSHStalker gains initial access through automated SSH scans and credential brute force. The malware uses a Go binary that masquerades as the network utility nmap. Compromised hosts are then used to scan for additional SSH targets, producing a worm-like propagation pattern.
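Because initial access comes from SSH brute forcing, the first place a defender will see SSHStalker is in sshd authentication logs: a burst of failed logins from one source, often against several usernames, followed by a successful login from the same address. The following detector is an added example written for this article, not code from Flare's analysis or from the botnet; the log lines are constructed, the year and the threshold (5 failures within 60 seconds) are assumptions, and the format is the standard syslog-style sshd line.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (illustrative, not from the article).
SAMPLE_AUTH_LOG = """\
Jan 14 03:12:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jan 14 03:12:02 web1 sshd[2103]: Failed password for invalid user oracle from 203.0.113.7 port 51030 ssh2
Jan 14 03:12:02 web1 sshd[2105]: Failed password for root from 203.0.113.7 port 51041 ssh2
Jan 14 03:12:03 web1 sshd[2107]: Failed password for root from 203.0.113.7 port 51052 ssh2
Jan 14 03:12:04 web1 sshd[2109]: Failed password for ubuntu from 203.0.113.7 port 51060 ssh2
Jan 14 03:12:05 web1 sshd[2111]: Accepted password for root from 203.0.113.7 port 51071 ssh2
Jan 14 03:40:10 web1 sshd[2350]: Failed password for alice from 198.51.100.4 port 40110 ssh2
Jan 14 03:40:30 web1 sshd[2352]: Accepted publickey for alice from 198.51.100.4 port 40112 ssh2
"""

# Matches both "Failed password for invalid user X from IP" and "Accepted publickey for X from IP".
LINE_RE = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_events(log_text, year=2024):
    """Turn sshd log lines into events; syslog lines carry no year, so one is assumed."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['month']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return events


def detect_brute_force(events, threshold=5, window_seconds=60):
    """Return {ip: finding} for every source IP that reaches `threshold` failed logins
    inside a sliding window of `window_seconds`. A finding also records whether a
    successful login from the same IP followed the burst, which is the compromise signal."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fail_ts = [e["ts"] for e in evs if e["result"] == "Failed"]
        burst_end = None
        start = 0
        # Sliding window: advance `start` until the window fits, then test its size.
        for end in range(len(fail_ts)):
            while (fail_ts[end] - fail_ts[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = fail_ts[end]
                break
        if burst_end is None:
            continue
        success_after = any(e["result"] == "Accepted" and e["ts"] >= burst_end for e in evs)
        findings[ip] = {
            "failures": len(fail_ts),
            "users": sorted({e["user"] for e in evs if e["result"] == "Failed"}),
            "success_after_burst": success_after,
        }
    return findings


if __name__ == "__main__":
    for ip, f in detect_brute_force(parse_events(SAMPLE_AUTH_LOG)).items():
        print(ip, f)
```

On the sample data the detector flags 203.0.113.7 (five failures across four usernames in four seconds, then an accepted root password login) and ignores 198.51.100.4, whose single typo followed by a key-based login is ordinary user behaviour. A flagged IP with `success_after_burst` set is the case to treat as a probable compromise rather than mere noise.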

After compromise, the botnet fetches a compiler to build C-based payloads on infected hosts. Initial payloads are IRC bots with hard-coded command and control servers and channels. Additional archives named GS and bootbou provide bot variants for orchestration and sequencing.

Persistence is implemented via cron jobs that run every 60 seconds and relaunch the main bot process if it is not running. The code base includes exploits for 16 CVEs affecting Linux kernels from around 2009 and 2010, used to escalate privileges after initial low-privilege access.
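A cron job that fires every minute and relaunches a process when it is not running is an easy persistence pattern to hunt for: the schedule is `* * * * *`, and the command typically guards the launch with a process check (`pgrep ... ||`) and points into a world-writable or hidden directory. The audit below is an added example for this article, not Flare's tooling; the crontab entries are constructed, and the heuristics (every-minute schedule, relaunch guard, hidden or temp-directory paths, silenced output) are assumptions about what such jobs commonly look like rather than indicators taken from the analysis.

```python
import re

# Constructed crontab entries (illustrative, not from the article).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/15 * * * * /usr/local/bin/backup.sh
* * * * * pgrep -x nmap >/dev/null || /tmp/.x/nmap -s 22 &
* * * * * /var/tmp/.cache/run.sh >/dev/null 2>&1
@reboot /home/deploy/.config/.s/bot
"""

SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
RELAUNCH_RE = re.compile(r"\b(pgrep|pidof|ps)\b.*\|\|")   # "start it only if it is not running"
HIDDEN_DIR_RE = re.compile(r"/\.[^/\s]+/")                # a path component that starts with '.'
SILENCED_RE = re.compile(r">\s*/dev/null")


def parse_crontab(text):
    """Yield (schedule, command) pairs; comments and blank lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            parts = line.split(None, 1)
        else:
            parts = line.split(None, 5)
        if len(parts) < 2:
            continue
        schedule = parts[0] if line.startswith("@") else " ".join(parts[:5])
        yield schedule, parts[-1]


def score_entry(schedule, command):
    """Return the list of reasons an entry looks like bot persistence."""
    reasons = []
    if schedule == "* * * * *":
        reasons.append("every-minute")
    elif schedule == "@reboot":
        reasons.append("at-reboot")
    if RELAUNCH_RE.search(command):
        reasons.append("relaunch-guard")
    if any(d in command for d in SUSPICIOUS_DIRS):
        reasons.append("temp-dir")
    if HIDDEN_DIR_RE.search(command):
        reasons.append("hidden-dir")
    if SILENCED_RE.search(command):
        reasons.append("silenced-output")
    return reasons


def audit_crontab(text, min_reasons=2):
    """Return findings for entries that trip at least `min_reasons` heuristics."""
    findings = []
    for schedule, command in parse_crontab(text):
        reasons = score_entry(schedule, command)
        if len(reasons) >= min_reasons:
            findings.append({"schedule": schedule, "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f["schedule"], "|", f["command"], "|", ", ".join(f["reasons"]))
```

Requiring two independent reasons keeps routine every-minute jobs (a monitoring agent in `/usr/local/bin`, say) out of the output while still catching the combination this article describes: a per-minute schedule plus a relaunch guard or a binary living in a temp or hidden directory. In practice the same audit should be run over `/etc/crontab`, `/etc/cron.d/*` and every user spool under `/var/spool/cron`, since a relaunch job can live in any of them.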

Monetization and post-compromise activity include AWS key harvesting and website scanning. The toolkit also contains cryptomining components such as the PhoenixMiner miner and DDoS capabilities that have not yet been observed in active attacks. Attribution has not been confirmed, though similarities to the Outlaw/Maxlas ecosystem and Romanian indicators were noted.

WHY IT MATTERS

The use of IRC for resilient, scale-oriented command and control, combined with automated SSH compromise, increases the risk of large-scale infection of cloud-hosted Linux systems. Operators should apply recommended mitigations to reduce credential theft and unwanted resource use.