- SSHStalker uses IRC channels and multiple bots to monitor infected Linux hosts
- Automated SSH brute force rapidly spreads the botnet across cloud server infrastructure
- Compilers are downloaded locally to build payloads that execute reliably across distributions
SSHStalker, a recently discovered Linux botnet, apparently relies on the classic IRC (Internet Relay Chat) protocol to manage its operations.
Created in 1988, IRC was once the dominant instant messaging system for technical communities due to its simplicity, low bandwidth needs, and cross-platform compatibility.
Unlike modern command and control frameworks, SSHStalker uses multiple bots, redundant channels, and servers to maintain control over infected devices while keeping operating costs low.
Botnet structure and command infrastructure
The SSHStalker malware gains initial access through automated SSH scanning and brute force attacks, and then uses a Go-based binary disguised as the open source networking tool nmap to infiltrate servers.
Researchers at security company Flare documented nearly 7,000 bot scan results in a single month, primarily targeting cloud infrastructure, including Oracle Cloud environments.
Once a host is compromised, it becomes part of the botnet’s propagation mechanism, scanning other servers in a worm-like pattern.
After infection, SSHStalker downloads the GCC compiler to create payloads directly on the compromised system, ensuring that its C-based IRC bots can run reliably on different Linux distributions.
These bots carry the IRC server and encrypted channel details that enroll the host in the IRC-controlled botnet.
Additional payloads called GS and bootbou provide execution orchestration and sequencing, effectively creating a scalable network of infected machines under centralized IRC control.
Persistence on each host is maintained through cron jobs configured to run every minute, which monitor the main bot process and restart it if it terminates, creating a constant feedback loop.
The botnet also leverages exploits for 16 old Linux kernel CVEs dating from 2009 to 2010, using them to escalate privileges once a low-privileged user account is compromised.
Beyond basic control, SSHStalker has built-in monetization mechanisms, as the malware collects AWS keys, performs website scans, and includes crypto mining capabilities through PhoenixMiner for Ethereum mining.
Although DDoS capabilities exist, Flare has not observed any attacks, suggesting that the botnet is still in testing or is hoarding access.
Defensive strategies against SSHStalker emphasize monitoring compiler installations, unusual cron activity, and IRC-style outgoing connections.
Administrators are advised to disable SSH password authentication, remove compilers from production environments, and enforce strict outbound (egress) filtering.
Maintaining strong antivirus solutions and well-configured firewall rules can reduce exposure to this and other legacy-style threats.
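Two of the host-level indicators the article names, every-minute cron watchdogs and IRC-style outbound connections, can be triaged with a small script. The following is an added example, not code from the article or from Flare's report; the IRC ports, the watchdog keyword heuristic, and all sample crontab and `ss -tn` lines are constructed assumptions.

```python
# Added example, not code from the article or from Flare's report: flags two of the
# host-level indicators the article names. All sample lines below are constructed.

IRC_PORTS = {6667, 6697}  # conventional IRC plaintext/TLS ports (assumption)
WATCHDOG_HINTS = ("pgrep", "pidof", "||")  # "restart it if it died" idioms; a triage heuristic


def suspicious_cron(lines):
    """Return crontab lines that fire every minute and look like process watchdogs."""
    hits = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 5)  # five schedule fields, then the command
        if len(parts) < 6:
            continue
        every_minute = all(field == "*" for field in parts[:5])
        if every_minute and any(hint in parts[5] for hint in WATCHDOG_HINTS):
            hits.append(line)
    return hits


def irc_connections(ss_lines):
    """Return peers from `ss -tn`-style output whose remote port is an IRC port."""
    peers = []
    for raw in ss_lines:
        cols = raw.split()
        if len(cols) < 5:
            continue
        peer = cols[-1]  # last column is Peer Address:Port; the header row fails the port check
        port = peer.rpartition(":")[2]
        if port.isdigit() and int(port) in IRC_PORTS:
            peers.append(peer)
    return peers


CRONTAB = [  # constructed crontab
    "# m h dom mon dow command",
    "* * * * * pgrep -x bot >/dev/null || /tmp/.x/bot",
    "*/5 * * * * /opt/scripts/backup.sh",
]
SOCKETS = [  # constructed `ss -tn` output
    "State Recv-Q Send-Q Local Address:Port Peer Address:Port",
    "ESTAB 0 0 10.0.0.5:43210 203.0.113.7:6667",
    "ESTAB 0 0 10.0.0.5:51000 198.51.100.2:443",
]
```

On a live host, feed `suspicious_cron` the output of `crontab -l` for each user plus the files under /etc/cron.d, and `irc_connections` the output of `ss -tn`; every hit is a lead to inspect, not a verdict.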
Via BleepingComputer