- SSHStalker uses IRC channels and several bots to control infected Linux hosts
- Automated SSH brute-forcing rapidly spreads the botnet through cloud server infrastructures
- Compilers are downloaded locally to build payloads for reliable cross-distribution execution
SSHStalker, a recently discovered Linux botnet, apparently relies on the classic IRC (Internet Relay Chat) protocol to manage its operations.
Created in 1988, IRC was once the dominant instant messaging system for technical communities due to its simplicity, low bandwidth requirements, and cross-platform compatibility.
Rather than a modern command-and-control framework, SSHStalker relies on multiple bots, redundant channels, and several IRC servers to keep control of infected devices while keeping operating costs low.
Botnet structure and command infrastructure
SSHStalker’s malware gains initial access through automated SSH scanning and brute-force attacks, using a Go-based binary disguised as the open source network scanner nmap to break into servers.
Researchers from security firm Flare documented nearly 7,000 bot scan results in a single month, mostly targeting cloud infrastructure, including Oracle Cloud environments.
Once a host is compromised, it becomes part of the botnet’s propagation mechanism, scanning other servers in a worm-like pattern.
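The brute-force stage described above leaves a recognisable trail in sshd's authentication log on every host it touches, whether or not the attempt succeeds. The script below is an added example (not SSHStalker's code and not from Flare's report) that counts failed password logins per source address and then singles out sources whose run of failures ended in a successful password login, which is the case that needs an incident response rather than just a firewall rule. The log lines are constructed for the demonstration; their format follows OpenSSH's messages as they appear in /var/log/auth.log on Debian-style systems, and the IP addresses are documentation ranges.

```shell
#!/bin/sh
# Added example: spot SSH brute-forcing in sshd log lines. Not code from the
# article, from Flare, or from the SSHStalker malware.

# Constructed sample log (RFC 5737 documentation addresses, invented hostnames).
SAMPLE_AUTH_LOG='Mar  3 10:01:02 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 51822 ssh2
Mar  3 10:01:03 web1 sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 51830 ssh2
Mar  3 10:01:04 web1 sshd[2215]: Failed password for ubuntu from 203.0.113.7 port 51841 ssh2
Mar  3 10:01:05 web1 sshd[2217]: Failed password for oracle from 203.0.113.7 port 51850 ssh2
Mar  3 10:01:07 web1 sshd[2219]: Failed password for root from 203.0.113.7 port 51861 ssh2
Mar  3 10:01:09 web1 sshd[2221]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2: ED25519 SHA256:abc
Mar  3 10:02:11 web1 sshd[2230]: Failed password for root from 198.51.100.20 port 40030 ssh2
Mar  3 10:02:15 web1 sshd[2232]: Accepted password for root from 203.0.113.7 port 51870 ssh2'

# Print "count ip" for every source with at least $2 failed password attempts,
# highest count first. The "from" field is located by name so that the
# "invalid user" variant of the message is handled too.
# Usage: failed_logins_by_ip "$log_text" THRESHOLD
failed_logins_by_ip() {
    printf '%s\n' "$1" | awk -v min="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= min) print fails[ip], ip }' | sort -rn
}

# Print the flagged sources that also got an "Accepted password" login:
# a brute-force that worked, i.e. a host that must be treated as compromised.
# Usage: brute_force_successes "$log_text" THRESHOLD
brute_force_successes() {
    for ip in $(failed_logins_by_ip "$1" "$2" | awk '{ print $2 }'); do
        printf '%s\n' "$1" | awk -v ip="$ip" '
            /sshd\[[0-9]+\]: Accepted password for/ {
                for (i = 1; i <= NF; i++) if ($i == "from" && $(i+1) == ip) found = 1
            }
            END { exit !found }' && echo "$ip"
    done
}

# Demo against the constructed log. On a real host replace the first argument
# with "$(cat /var/log/auth.log)" or with journalctl -u ssh output.
failed_logins_by_ip "$SAMPLE_AUTH_LOG" 5
brute_force_successes "$SAMPLE_AUTH_LOG" 5
```

With the sample above, 203.0.113.7 is reported with five failures and then again as a successful brute-force, while 198.51.100.20 (one failure, key-based logins otherwise) stays below the threshold. A threshold of five in a minute is a starting point; SSHStalker-style scanners generate far more, so the value matters less than making sure the check runs on every host, not only on the bastion.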
After infection, SSHStalker downloads the GCC compiler and builds its payloads directly on the compromised system rather than shipping prebuilt binaries, so its C-based IRC bots run reliably across different Linux distributions.
These bots contain hard-coded servers and channels that enroll the host in the IRC-controlled botnet.
Additional payloads called GS and bootbou provide orchestration and execution sequencing, effectively creating a scalable network of infected machines under centralized IRC control.
Persistence on each host is maintained by cron jobs that run every minute, check whether the bot process is still alive, and restart it if it has stopped: a simple watchdog rather than a one-time installer.
The botnet also carries exploits for 16 old Linux kernel CVEs from 2009 and 2010 and uses them to escalate privileges when the brute-forced account is unprivileged.
Beyond basic control, SSHStalker has built-in monetization: the malware harvests AWS keys, scans websites, and runs PhoenixMiner to mine Ethereum.
Although DDoS capabilities exist, Flare has not observed the botnet launching any attacks, suggesting the operators are either testing or hoarding access.
Defensive strategies against SSHStalker focus on its observable traits: monitor for compiler installations, cron entries that fire every minute, and outbound connections to IRC-style ports.
Administrators are advised to disable SSH password authentication in favor of keys, remove compilers from production images, and enforce strict egress filtering so an infected host cannot reach the IRC servers.
Keeping endpoint security tooling current and firewall rules tight reduces exposure to this and other legacy-style threats.
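The persistence and defensive points above translate directly into host checks. The script below is an added example, not from the article, from Flare, or from the malware, that audits a host for the four things the text names: password authentication still enabled in sshd, cron entries scheduled every minute (the watchdog pattern), established connections to IRC ports, and a C compiler on the PATH. Each check is a function over text so it can be exercised offline against the constructed samples embedded here; the live `audit_host` function feeds it real command output instead. The port set (6660-6669 and 6697) is the conventional IRC range and TLS port, an assumption of this example rather than an indicator published on the page, and the sample command outputs are constructed.

```shell
#!/bin/sh
# Added example: audit a Linux host for the SSHStalker indicators the article
# lists. Not code from the article, from Flare, or from the malware.

# Constructed sample of `sshd -T` (effective config, lowercase keywords) from a
# host that still accepts password logins.
SAMPLE_SSHD_T='port 22
passwordauthentication yes
pubkeyauthentication yes
permitrootlogin prohibit-password'

# Constructed sample of `crontab -l`: one legitimate nightly job and two
# every-minute watchdog entries of the kind the text describes.
SAMPLE_CRONTAB='# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
* * * * * /tmp/.x/run.sh >/dev/null 2>&1
*/1 * * * * pgrep -x bot >/dev/null || /tmp/.x/bot'

# Constructed sample of `ss -Htn state established` (Recv-Q Send-Q Local Peer).
SAMPLE_SS='0 0 10.0.0.5:41022 198.51.100.9:443
0 0 10.0.0.5:54010 203.0.113.40:6667
0 0 10.0.0.5:54012 203.0.113.41:6697
0 0 10.0.0.5:54020 203.0.113.42:443'

# Returns 0 when the given `sshd -T` output has password authentication off.
ssh_password_auth_disabled() {
    printf '%s\n' "$1" | grep -qix 'passwordauthentication no'
}

# Prints crontab lines whose five schedule fields are all "*" or "*/1".
# Works for user crontabs and for /etc/crontab style lines (extra user field
# sits after the schedule, so it does not affect the check).
every_minute_cron_entries() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF < 6 { next }
        { ok = 1; for (i = 1; i <= 5; i++) if ($i != "*" && $i != "*/1") ok = 0 }
        ok { print }'
}

# Prints peer addresses from `ss` output whose port is in the assumed IRC set.
irc_egress_peers() {
    printf '%s\n' "$1" | awk '
        { n = split($NF, p, ":"); port = p[n] + 0
          if ((port >= 6660 && port <= 6669) || port == 6697) print $NF }'
}

# Returns 0 when a C compiler is reachable on PATH.
compiler_present() {
    command -v gcc >/dev/null 2>&1 || command -v cc >/dev/null 2>&1
}

# Live audit: run the same checks on real command output (sshd -T needs root).
audit_host() {
    ssh_password_auth_disabled "$(sshd -T 2>/dev/null)" || echo "WARN: sshd accepts passwords"
    every_minute_cron_entries "$(crontab -l 2>/dev/null; cat /etc/crontab /etc/cron.d/* 2>/dev/null)" |
        sed 's/^/WARN: every-minute cron entry: /'
    irc_egress_peers "$(ss -Htn state established 2>/dev/null)" |
        sed 's/^/WARN: IRC-range egress to /'
    compiler_present && echo "WARN: C compiler installed"
}

# Demo against the constructed samples; call audit_host on a real machine.
ssh_password_auth_disabled "$SAMPLE_SSHD_T" || echo "sample sshd accepts passwords"
every_minute_cron_entries "$SAMPLE_CRONTAB"
irc_egress_peers "$SAMPLE_SS"
```

The cron check deliberately keys on the schedule rather than on a path such as /tmp, because the watchdog pattern (run every minute, restart if missing) is what persists across variants even when file names change. The egress check is only as good as the port list; a bot on a non-standard port is caught by the article's stronger recommendation, default-deny egress filtering, which makes the port irrelevant.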
Via Bleeping Computer