Full Report
Cybersecurity researchers have disclosed details of a new botnet operation called SSHStalker that relies on the Internet Relay Chat (IRC) communication protocol for command-and-control (C2) purposes. "The toolset blends stealth helpers with legacy-era Linux exploitation: Alongside log cleaners (utmp/wtmp/lastlog tampering) and rootkit-class artifacts, the actor keeps a large back-catalog of
Analysis Summary
# Tool/Technique: SSHStalker Botnet
## Overview
SSHStalker is a newly disclosed Linux botnet operation notable for using the Internet Relay Chat (IRC) protocol for command-and-control (C2). The operation aims at mass compromise through legacy Linux kernel exploits (dating back to the 2.6.x era) and deploys a toolset built around persistence and stealth rather than immediate malicious action such as DDoS or cryptomining once a host is infected, which suggests the access is being staged or retained for later strategic use.
## Technical Details
- Type: Malware / Botnet Framework
- Platform: Linux (targeting legacy systems using Linux 2.6.x era kernels)
- Capabilities: SSH scanning for worm-like propagation, IRC-based C2, log cleaning, rootkit-class artifact deployment, persistent access maintenance.
- First Seen: Undisclosed (Recent disclosure, likely active prior to disclosure)
## MITRE ATT&CK Mapping
- TA0008 - Lateral Movement
  - T1021 - Remote Services
    - T1021.004 - SSH
- TA0009 - Collection (potential, based on associated tooling)
  - T1119 - Automated Collection (related to the AWS secret grabber)
- TA0003 - Persistence
  - T1543.003 - Windows Service (cited for the process keep-alive behaviour, although the technique itself is Windows-specific and SSHStalker targets Linux)
- TA0005 - Defense Evasion
  - T1070 - Indicator Removal
    - T1070.004 - File Deletion (log cleaning)
  - T1027 - Obfuscated Files or Information (rootkit-class artifacts)
## Functionality
### Core Capabilities
- **IRC C2:** Uses IRC channels, connecting to an UnrealIRCd server to receive commands and report in.
- **Mass Compromise/Propagation:** Employs a Golang scanner targeting TCP port 22 (SSH) to spread in a worm-like fashion.
- **Legacy Exploitation:** Leverages a catalog of approximately 16 distinct vulnerabilities affecting Linux kernels, including several CVEs from 2009–2010 (e.g., CVE-2009-2692, CVE-2010-3849).
- **Basic Bot Payload:** Drops payloads, including variants of an IRC-controlled bot and a legacy Perl file bot, capable of executing flood-style traffic attacks if commanded.
### Advanced Features
- **Stealth and Persistence:** Integrates log cleaning mechanisms targeting `utmp`, `wtmp`, and `lastlog` files to erase forensic evidence of connection activity.
- **Rootkit Artifacts:** Deploys rootkit-class artifacts to maintain stealth.
- **Process Relaunch:** Features a "keep-alive" mechanism ensuring the main malware process is relaunched within 60 seconds if terminated.
- **Dormancy:** Notably maintains persistent access without immediate post-exploitation (DDoS, mining), suggesting use for staging or strategic access retention.
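The log-cleaning behaviour described above (and the corresponding detection advice under Detection Methods) is easiest to understand at the byte level: `utmp`, `wtmp` and `lastlog` are fixed-size binary record files, and the classic "zap"-style cleaners either overwrite a target record with zeros or rewrite the file without it. The following parser is an added example, not code from the source report or from the SSHStalker toolset; it assumes the glibc `struct utmp` layout for x86_64 Linux (384-byte records) and runs over a constructed `wtmp` byte string embedded inline, reporting the artifacts such cleaners typically leave behind (zeroed records, timestamps that run backwards, a tail that is not a whole record).

```python
import struct
from datetime import datetime, timezone

# Assumption: glibc struct utmp on x86_64 Linux (384 bytes per record).
# Fields: ut_type, pad, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
#         e_termination, e_exit, ut_session, tv_sec, tv_usec, ut_addr_v6[16], unused[20]
UTMP_FMT = "<h2xi32s4s32s256shhiii16s20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS, DEAD_PROCESS = 7, 8
TYPE_NAMES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 5: "INIT_PROCESS",
              6: "LOGIN_PROCESS", 7: "USER_PROCESS", 8: "DEAD_PROCESS"}


def cstr(raw: bytes) -> str:
    """Decode a NUL-padded C string field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def make_record(ut_type, pid, line, user, host, tv_sec) -> bytes:
    """Build one utmp record (used only to construct the sample data below)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, b"", b"")


def parse_records(data: bytes) -> list:
    """Split a wtmp/utmp blob into dicts, one per whole 384-byte record."""
    recs = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        raw = data[off:off + UTMP_SIZE]
        f = struct.unpack(UTMP_FMT, raw)
        recs.append({"offset": off, "type": f[0], "pid": f[1], "line": cstr(f[2]),
                     "user": cstr(f[4]), "host": cstr(f[5]), "tv_sec": f[9],
                     "zeroed": raw == b"\0" * UTMP_SIZE})
    return recs


def analyze_wtmp(data: bytes) -> list:
    """Return (finding, offset_or_size) tuples for tampering artifacts."""
    findings = []
    if len(data) % UTMP_SIZE:
        # wtmp is append-only whole records; a partial tail means truncation or a crude rewrite
        findings.append(("truncated_tail", len(data) % UTMP_SIZE))
    last_ts = 0
    for r in parse_records(data):
        if r["zeroed"]:
            # A cleaner that overwrites the victim's entry with NULs leaves an all-zero record
            findings.append(("zeroed_record", r["offset"]))
            continue
        if r["type"] in (USER_PROCESS, DEAD_PROCESS) and not r["line"]:
            findings.append(("blank_line", r["offset"]))
        if r["tv_sec"] < last_ts:
            # wtmp is appended chronologically; a backwards jump means records were rewritten
            findings.append(("time_regression", r["offset"]))
        last_ts = max(last_ts, r["tv_sec"])
    return findings


# Constructed sample: a login, a zeroed-out record, the matching logout,
# an out-of-order login, and a 10-byte partial tail. Hosts are documentation IPs.
SAMPLE_WTMP = (
    make_record(USER_PROCESS, 4242, "pts/0", "alice", "203.0.113.7", 1700000000)
    + b"\0" * UTMP_SIZE
    + make_record(DEAD_PROCESS, 4242, "pts/0", "", "", 1700000300)
    + make_record(USER_PROCESS, 5150, "pts/1", "bob", "198.51.100.9", 1699999000)
    + b"\xff" * 10
)

if __name__ == "__main__":
    for r in parse_records(SAMPLE_WTMP):
        when = datetime.fromtimestamp(r["tv_sec"], tz=timezone.utc).isoformat()
        print(f"{r['offset']:5d} {TYPE_NAMES.get(r['type'], r['type']):13} "
              f"{r['user']:8} {r['line']:6} {r['host']:14} {when}")
    for finding in analyze_wtmp(SAMPLE_WTMP):
        print("FINDING:", finding)
```

To run this against a real file, read `/var/log/wtmp` as bytes and pass it to `analyze_wtmp`; on a 32-bit host or a non-glibc libc the record layout differs and `UTMP_FMT` must be adjusted. Zeroed records are the strongest signal, since a normal `wtmp` never contains `EMPTY` entries; time regressions also occur legitimately after a clock correction, so treat them as a lead to correlate with `auth.log` and `lastlog` rather than as proof on their own.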
## Indicators of Compromise
*Note: Specific hashes, file names, and definitive C2 indicators were not present in the context, but the following structure reflects expected indicators based on the description.*
- File Hashes: [N/A based on context]
- File Names: C program files (for log cleaning), Golang scanner binary, Perl bot file.
- Registry Keys: [N/A - Linux context]
- Network Indicators: Connections to IRC servers/channels (UnrealIRCd based).
- Behavioral Indicators: Tampering with system logs (`utmp`, `wtmp`, `lastlog`); rapid process relaunch after termination; connection attempts to port 22 via a Golang-based scanner.
## Associated Threat Actors
- Suspected Romanian origin (based on nicknames, slang, and naming conventions found in IRC channels/wordlists).
- Strong operational overlaps suggested with the hacking group **Outlaw** (aka Dota).
## Detection Methods
- Signature-based detection: Signatures for known exploits used (e.g., CVE-2009-2692 exploits).
- Behavioral detection: Monitoring for tampering with the standard authentication/login logging files (`utmp`, `wtmp`, `lastlog`); detection of frequent, automated SSH scanning originating from compromised hosts; and monitoring for processes that rapidly respawn after being terminated.
- YARA rules: Potential YARA rules targeting the structure or strings within the C programs or Perl bots.
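The "keep-alive" relaunch behaviour (the main process is restarted within 60 seconds of being killed, see Advanced Features) produces a distinctive exec/exit rhythm that a detection pipeline can pick out from process telemetry. The detector below is an added example, not code from the source report; it defines its own simple event line format (`<epoch> EXEC|EXIT pid=... [ppid=...] exe=...`, an assumption standing in for whatever auditd, eBPF or EDR feed is available) and runs over constructed sample lines embedded inline. It flags any executable that is re-executed within a configurable window after exiting, at least a configurable number of times, so a single legitimate service restart does not trip it.

```python
import re
from collections import defaultdict
from statistics import median

# Assumed event format for this example (not a real log format):
#   <epoch seconds> EXEC pid=<n> ppid=<n> exe=<path>
#   <epoch seconds> EXIT pid=<n> exe=<path>
EVENT_RE = re.compile(
    r"^(?P<ts>\d+) (?P<kind>EXEC|EXIT) pid=(?P<pid>\d+)"
    r"(?: ppid=(?P<ppid>\d+))? exe=(?P<exe>\S+)$"
)


def parse_events(lines):
    """Parse event lines into (ts, kind, pid, exe) tuples, oldest first."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:  # silently skip lines that are not process events
            events.append((int(m["ts"]), m["kind"], int(m["pid"]), m["exe"]))
    events.sort(key=lambda e: e[0])  # stable: keeps file order for equal timestamps
    return events


def find_respawns(lines, window=60, min_relaunches=2):
    """Map exe -> list of exit-to-exec gaps (seconds) for binaries that keep coming back.

    A gap is recorded whenever an EXEC of some path follows an EXIT of the same path
    within `window` seconds; paths with fewer than `min_relaunches` gaps are dropped.
    """
    last_exit = {}               # exe -> timestamp of its most recent EXIT
    gaps = defaultdict(list)
    for ts, kind, _pid, exe in parse_events(lines):
        if kind == "EXIT":
            last_exit[exe] = ts
        elif exe in last_exit and 0 <= ts - last_exit[exe] <= window:
            gaps[exe].append(ts - last_exit[exe])
    return {exe: g for exe, g in gaps.items() if len(g) >= min_relaunches}


def summarize(respawns):
    """Return (exe, relaunch_count, median_gap) tuples, worst offender first."""
    rows = [(exe, len(g), median(g)) for exe, g in respawns.items()]
    return sorted(rows, key=lambda r: (-r[1], r[2]))


# Constructed sample telemetry: a bot under /tmp that is killed three times and
# relaunched each time within 60 s, one ordinary service restart, and an editor
# that is reopened much later. Paths and pids are made up for the example.
SAMPLE_EVENTS = """
1700000000 EXEC pid=2210 ppid=1 exe=/tmp/.x/bot
1700000005 EXEC pid=900 ppid=1 exe=/usr/sbin/cron
1700000050 EXIT pid=900 exe=/usr/sbin/cron
1700000070 EXEC pid=901 ppid=1 exe=/usr/sbin/cron
1700000100 EXIT pid=3001 exe=/usr/bin/vim
1700000120 EXIT pid=2210 exe=/tmp/.x/bot
1700000150 EXEC pid=2299 ppid=1 exe=/tmp/.x/bot
1700000200 EXIT pid=2299 exe=/tmp/.x/bot
1700000240 EXEC pid=2330 ppid=1 exe=/tmp/.x/bot
1700000300 EXIT pid=2330 exe=/tmp/.x/bot
1700000330 EXEC pid=2377 ppid=1 exe=/tmp/.x/bot
1700005000 EXEC pid=3100 ppid=2500 exe=/usr/bin/vim
this line is not an event and is ignored
""".strip().splitlines()

if __name__ == "__main__":
    for exe, count, med in summarize(find_respawns(SAMPLE_EVENTS)):
        print(f"{exe}: relaunched {count}x within window, median gap {med:.0f}s")
```

With the defaults, `/usr/sbin/cron` (one restart) and `/usr/bin/vim` (reopened after more than an hour) are not reported, while `/tmp/.x/bot` is, with gaps of 30, 40 and 30 seconds. In practice the path alone is a second signal worth surfacing alongside the rhythm: a repeatedly relaunched binary under `/tmp`, `/dev/shm` or a hidden directory deserves a look even before the count threshold is reached.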
## Mitigation Strategies
- **Patching/Upgrading:** Immediately update and patch legacy Linux systems, especially those running kernel versions susceptible to 2009-2010 era vulnerabilities.
- **Disable/Restrict SSH:** Implement strict firewall rules limiting external SSH access (Port 22). Use key-based authentication instead of passwords.
- **Security Tooling:** Ensure endpoint detection and response (EDR) or anti-rootkit tooling is running to detect process tampering and log manipulation.
- **Monitoring:** Monitor network traffic for connections to non-standard IRC servers or connections originating from compromised hosts to unknown IRC channels.
## Related Tools/Techniques
- **EnergyMech:** An IRC bot found within the actor's staging infrastructure, providing C2 capabilities.
- **Associated Tooling:** Cryptocurrency miners, and a Python script for reconnaissance (stealing AWS secrets using a "website grabber").
- **General Botnet Tools:** Standard IRC botnets, SSH brute-forcers (used for initial access).