New Linux botnet SSHStalker uses old-school IRC for C2 comms

Published: February 10, 2026 at 06:09 PM EST
3 min read

Source: Bleeping Computer

Overview

A newly documented Linux botnet named SSHStalker is using the IRC (Internet Relay Chat) communication protocol for command‑and‑control (C2) operations. IRC, invented in 1988, peaked in the 1990s as a text‑based instant messaging solution. Technical communities still value it for its simplicity, interoperability, low bandwidth requirements, and lack of a GUI.

SSHStalker relies on classic IRC mechanics—multiple C‑based bots and multi‑server/channel redundancy—favoring resilience, scale, and low cost over stealth and novelty.

“What we actually found was a loud, stitched‑together botnet kit that mixes old‑school IRC control, compiling binaries on hosts, mass SSH compromise, and cron‑based persistence. In other words, a scale‑first operation that favors reliability over stealth,” — Flare

Architecture and Propagation

  • Initial Access: Automated SSH scanning and brute‑forcing using a Go binary that masquerades as the popular network discovery tool nmap.
  • Worm‑like Propagation: Compromised hosts scan for additional SSH targets, expanding the botnet.
  • Toolchain: After infection, the bot downloads the GCC compiler to build payloads on the victim device, improving portability and evasion.
  • Payloads: First payloads are C‑based IRC bots with hard‑coded C2 servers and channels. Subsequent downloads include archives named GS and bootbou, which contain additional bot variants for orchestration and execution sequencing.
  • Persistence: Cron jobs run every 60 seconds, acting as a watchdog that checks whether the main bot process is running and relaunches it if terminated.

[Figure: The ‘infected machines’ IRC channel. Source: Flare]

Exploitation and Privilege Escalation

The botnet contains exploits for 16 CVEs targeting Linux kernel versions from 2009‑2010. These are used to elevate privileges after the initial brute‑forcing step grants access to a low‑privileged user.

Attack Chain Overview

[Figure: Attack chain overview. Source: Flare]

Monetization and Capabilities

  • AWS Key Harvesting & Website Scanning: Observed activities include harvesting AWS credentials and scanning websites.
  • Cryptomining: Includes high‑performance Ethereum miner PhoenixMiner.
  • DDoS Potential: DDoS capabilities are present, though no attacks have been observed yet. Bots currently connect to C2 and remain idle, suggesting testing or access hoarding.

Attribution and Similarities

Flare has not linked SSHStalker to a specific threat group but noted similarities with the Outlaw/Maxlas botnet ecosystem and various Romanian indicators.

Detection Recommendations

  • Monitor for compiler installation and execution on production servers.
  • Alert on outbound IRC‑style connections.
  • Flag cron jobs with very short execution cycles (e.g., every minute) originating from unusual paths.
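The third recommendation can be checked mechanically. The following is an added example (not code from the article or from Flare) that scans user-crontab lines and flags entries matching the watchdog pattern described above: an every-minute schedule and a command launched from a volatile directory such as /dev/shm. The crontab content is constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample crontab (user-crontab format, no user field). The first two
# entries mimic the every-minute watchdog pattern from the report; the last two are benign.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
* * * * * /dev/shm/.x/run.sh >/dev/null 2>&1
*/1 * * * * /tmp/.bot/watchdog
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * /usr/local/bin/backup-check
"""

# Directories that are world-writable and cleared on reboot; assumed list for this example.
VOLATILE_DIRS = ("/dev/shm/", "/tmp/", "/var/tmp/")

@dataclass
class Finding:
    line: str
    reasons: list

def schedule_is_every_minute(fields):
    """True when the five schedule fields fire every minute ('* * * * *' or '*/1' in the minute slot)."""
    minute, rest = fields[0], fields[1:]
    return minute in ("*", "*/1") and all(f == "*" for f in rest)

def runs_from_volatile_dir(command):
    """True when the executable (first token of the command) lives in a volatile directory."""
    tokens = command.split()
    return bool(tokens) and tokens[0].startswith(VOLATILE_DIRS)

def scan_crontab(text):
    """Return one Finding per suspicious crontab entry, with the reasons it was flagged."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 5)          # 5 schedule fields + the rest is the command
        if len(parts) < 6:
            continue                          # malformed entry; a production scanner would log it
        schedule, command = parts[:5], parts[5]
        reasons = []
        if schedule_is_every_minute(schedule):
            reasons.append("every-minute schedule")
        if runs_from_volatile_dir(command):
            reasons.append("command in volatile directory")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings

if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRONTAB):
        print(f"FLAGGED: {f.line}  <- {', '.join(f.reasons)}")
```

Entries that hit both reasons are the strongest signal; an every-minute job from /usr/local/bin alone would appear with a single reason and warrants a lower-severity review.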

Mitigation Recommendations

  • Disable SSH password authentication.
  • Remove compilers (e.g., GCC) from production images.
  • Enforce egress filtering to block unauthorized outbound traffic.
  • Restrict execution from volatile directories such as /dev/shm.

Reference: Flare’s detailed analysis – Old‑school IRC, new victims: Inside the newly discovered SSHStalker Linux botnet
