The SSHStalker botnet operation is a new threat that has been shown to be growing in intensity within the rapidly changing CIS threat landscape. Unearthed by the cybersecurity firm Flare, SSHStalker uses the Internet Relay Chat (IRC) protocol to carry out its command-and-control (C2) operations. This new botnet combines classic IRC mechanics with a mass-compromise strategy, targeting Linux systems through a variety of vulnerabilities.
SSHStalker uses an SSH scanner, alongside various other publicly available scanning tools, to break into vulnerable systems, which is alarming. Once compromised, these systems are automatically enrolled in dedicated IRC channels, putting the botnet to work. Unlike most modern botnets, SSHStalker keeps a dormant profile, a feature that sets it apart from its siblings. This characteristic allows it to lie hidden inside compromised infrastructure for possible reuse later on, without being actively used right away.
Operational Mechanics of SSHStalker
The operational design of SSHStalker reveals a distinctive philosophy of persistence and control. The botnet includes a “keep-alive” feature: if the main malware process is killed, it is automatically restarted within 60 seconds. This makes it considerably harder to detect and remove.
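The keep-alive behaviour described above has a defensive corollary: a binary that is killed and reappears within a minute, repeatedly, stands out in process telemetry. The following is an added detection example, not code from the article or from Flare; the event list is constructed inline and the executable paths are placeholders, while in practice the events would come from auditd or an EDR process stream.

```python
"""Flag executables that are repeatedly restarted shortly after they exit.

Hypothetical detection for a keep-alive loop: a watchdog re-launches the main
process within 60 seconds of it being killed. Events here are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: a legitimate periodic job (gaps of minutes) and one
# placeholder binary that keeps coming back within a minute of being killed.
SAMPLE_EVENTS = [
    # (timestamp, event, executable path)
    ("2024-05-01T10:00:00", "start", "/usr/bin/php"),
    ("2024-05-01T10:00:03", "exit",  "/usr/bin/php"),
    ("2024-05-01T10:05:00", "start", "/usr/bin/php"),
    ("2024-05-01T10:05:02", "exit",  "/usr/bin/php"),
    ("2024-05-01T10:10:00", "start", "/tmp/.x/bot"),   # placeholder path
    ("2024-05-01T10:12:30", "exit",  "/tmp/.x/bot"),   # killed by an admin
    ("2024-05-01T10:13:25", "start", "/tmp/.x/bot"),   # back after 55 s
    ("2024-05-01T10:20:00", "exit",  "/tmp/.x/bot"),
    ("2024-05-01T10:20:40", "start", "/tmp/.x/bot"),   # back after 40 s
]


def parse(ts):
    return datetime.fromisoformat(ts)


def find_respawning(events, window_seconds=60, min_respawns=2):
    """Return {exe: [gap_seconds, ...]} for executables whose exit is
    followed by a new start within window_seconds at least min_respawns times."""
    last_exit = {}
    gaps = defaultdict(list)
    for ts, kind, exe in sorted(events, key=lambda e: parse(e[0])):
        t = parse(ts)
        if kind == "exit":
            last_exit[exe] = t
        elif kind == "start" and exe in last_exit:
            gap = (t - last_exit.pop(exe)).total_seconds()
            if gap <= window_seconds:
                gaps[exe].append(gap)
    return {exe: g for exe, g in gaps.items() if len(g) >= min_respawns}


if __name__ == "__main__":
    for exe, g in find_respawning(SAMPLE_EVENTS).items():
        print(f"respawning binary: {exe} (restart gaps in seconds: {g})")
```

Tune the window and threshold to the environment; supervised services such as systemd units also restart quickly, so the hit list should be checked against the known service inventory before alerting.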
Flare explains that “the threat actor is not developing zero-days or novel rootkits, but demonstrating strong operational discipline in mass compromise workflows, infrastructure recycling, and long-tail persistence across heterogeneous Linux environments.” This shows the botnet’s reliance on traditional, well-known methods rather than flashy new exploits.
SSHStalker’s malware toolkit includes a Golang scanner that targets servers with SSH exposed on port 22. Like a worm, this scanner lets the botnet spread its reach exponentially. SSHStalker mostly targets legacy systems: its approach would not hold up against many modern tech stacks, but legacy infrastructure remains susceptible.
Distinct Characteristics and Strategic Use
SSHStalker is different because it doesn’t have to play the opportunistic game. … It isn’t running DDoS attacks for hire or covertly mining cryptocurrency. Instead, it maintains continued access to compromised systems without proceeding to further post-exploitation steps. This trait sounds alarm bells and points to a strategic intent to use the compromised network for future operations, including staging and testing.
Flare notes, “SSHStalker does not appear to focus on novel exploit development but instead demonstrates operational control through mature implementation and orchestration.” The botnet uses C as its main programming language, with heavy use of shell scripting for orchestration and persistence and a little Python and Perl for auxiliary tasks.
The infrastructure connected to SSHStalker holds a large stockpile of open-source malicious tools and a broad assortment of republished malware samples. This lets the threat actor draw on a large, diverse range of resources without needing much creativity in exploit techniques.
Threat Actor Profile and Implications
We believe the threat actor behind SSHStalker is likely based in Romania. This geographic link can yield valuable clues about how the actor actually operates. As noted by Flare, “the toolset blends stealth helpers with legacy-era Linux exploitation.” The actor maintains a large library of exploits dating back to the Linux 2.6.x era. This catalog covers vulnerabilities discovered in 2009 and 2010, as well as log cleaners and rootkit-class artifacts.