Cybersecurity researchers have disclosed particulars of a brand new botnet operation referred to as SSHStalker that depends on the Web Relay Chat (IRC) communication protocol for command-and-control (C2) functions.
“The toolset blends stealth helpers with legacy-era Linux exploitation: Alongside log cleaners (utmp/wtmp/lastlog tampering) and rootkit-class artifacts, the actor retains a big back-catalog of Linux 2.6.x-era exploits (2009–2010 CVEs),” cybersecurity firm Flare stated. “These are low worth towards fashionable stacks, however stay efficient towards ‘forgotten’ infrastructure and long-tail legacy environments.”
SSHStalker combines IRC botnet mechanics with an automatic mass-compromise operation that makes use of an SSH scanner and different available scanners to co-opt prone methods right into a community and enroll them in IRC channels.
Nonetheless, in contrast to different campaigns that sometimes leverage such botnets for opportunistic efforts like distributed denial-of-service (DDoS) assaults, proxyjacking, or cryptocurrency mining, SSHStalker has been discovered to keep up persistent entry with none follow-on post-exploitation conduct.
This dormant conduct units it aside, elevating the likelihood that the compromised infrastructure is getting used for staging, testing, or strategic entry retention for future use.
A core part of SSHStalker is a Golang scanner that scans for port 22 for servers with open SSH with a purpose to lengthen its attain in a worm-like style. Additionally dropped are a number of payloads, together with variants of an IRC-controlled bot and a Perl file bot that connects to an UnrealIRCd IRC Server, joins a management channel, and waits for instructions that enable it to hold out flood-style visitors assaults and commandeer the bots.
The assaults are additionally characterised by the execution of C program information to wash SSH connection logs and erase traces of malicious exercise from logs to cut back forensic visibility. Moreover, the malware toolkit incorporates a “keep-alive” part that ensures the primary malware course of is relaunched inside 60 seconds within the occasion it is terminated by a security software.
SSHStalker is notable for mixing mass compromise automation with a catalog of 16 distinct vulnerabilities impacting the Linux kernel, some going all the way in which again to 2009. A few of the flaws used within the exploit module are CVE-2009-2692, CVE-2009-2698, CVE-2010-3849, CVE-2010-1173, CVE-2009-2267, CVE-2009-2908, CVE-2009-3547, CVE-2010-2959, and CVE-2010-3437.
Flare’s investigation of the staging infrastructure related to the risk actor has uncovered an in depth repository of open-source offensive tooling and beforehand revealed malware samples. These embody –
- Rootkits to facilitate stealth and persistence
- Cryptocurrency miners
- A Python script that executes a binary referred to as “web site grabber” to steal uncovered Amazon Internet Companies (AWS) secrets and techniques from focused web sites
- EnergyMech, an IRC bot that gives C2 and distant command execution capabilities
It is suspected that the risk actor behind the exercise might be of Romanian origin, given the presence of “Romanian-style nicknames, slang patterns, and naming conventions inside IRC channels and configuration wordlists.” What’s extra, the operational fingerprint reveals robust overlaps with that of a hacking group often called Outlaw (aka Dota).
“SSHStalker doesn’t seem to concentrate on novel exploit improvement however as an alternative demonstrates operational management by means of mature implementation and orchestration, by primarily utilizing C for core bot and low-level parts, shell for orchestration and persistence, and restricted Python and Perl utilization primarily for utility or supporting automation duties contained in the assault chain and working the IRCbot,” Flare stated.
“The risk actor shouldn’t be growing zero-days or novel rootkits, however demonstrating robust operational self-discipline in mass compromise workflows, infrastructure recycling, and long-tail persistence throughout heterogeneous Linux environments.”
