IRC Botnet SSHStalker Mines Crypto, Uses Old Linux Exploits
15 Feb
Summary
- SSHStalker botnet uses IRC for command and control.
- Malware compiles payloads on infected systems for compatibility.
- Botnet harvests AWS keys, mines Ethereum, and uses old kernel exploits.

SSHStalker, a recently identified Linux botnet, is operating via the classic Internet Relay Chat (IRC) protocol. This botnet employs multiple bots and servers, utilizing redundant channels to maintain control over infected devices while minimizing operational costs.
Initial access is gained through automated SSH scanning and brute-force attacks. The malware, disguised as an `nmap` tool, infiltrates servers and then downloads the GCC compiler to build payloads directly on the compromised system. This ensures compatibility across various Linux distributions for its C-based IRC bots.
Once a host is infected, it becomes part of a worm-like propagation mechanism, scanning other servers. The botnet also leverages exploits for 16 old Linux kernel CVEs, dating from 2009 to 2010, to escalate privileges after compromising low-privileged user accounts.
SSHStalker incorporates monetization features including harvesting AWS keys, website scanning, and cryptomining Ethereum using PhoenixMiner. While DDoS capabilities exist, no attacks have been observed, suggesting the botnet is in a testing phase or hoarding access.
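The infection chain described above (SSH brute force, a dropped binary posing as `nmap`, on-host compilation with GCC, then an IRC connection) can be expressed as a simple host-side correlation rule. The following is an added example for defenders, not code from the report or the botnet; the log lines are constructed, the `exec`/`netconn` record format is invented for the example, and the IRC ports and failure threshold are assumptions rather than values taken from the page.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the report). The sshd lines follow the
# OpenSSH auth.log wording; the exec/netconn lines are a made-up simplified
# format standing in for an EDR or auditd feed.
SAMPLE_LOG = """\
sshd[911]: Failed password for root from 203.0.113.7 port 41022 ssh2
sshd[911]: Failed password for root from 203.0.113.7 port 41023 ssh2
sshd[911]: Failed password for root from 203.0.113.7 port 41024 ssh2
sshd[911]: Failed password for deploy from 203.0.113.7 port 41025 ssh2
sshd[911]: Accepted password for deploy from 203.0.113.7 port 41026 ssh2
exec user=deploy path=/tmp/.cache/nmap
exec user=deploy path=/usr/bin/gcc
netconn user=deploy dst=198.51.100.20:6667
"""

FAILED = re.compile(r"Failed password for (\S+) from (\S+)")
ACCEPTED = re.compile(r"Accepted password for (\S+) from (\S+)")
EXEC = re.compile(r"exec user=(\S+) path=(\S+)")
NETCONN = re.compile(r"netconn user=(\S+) dst=\S+:(\d+)")

TRUSTED_BIN_DIRS = ("/usr/bin/", "/usr/local/bin/", "/bin/")
IRC_PORTS = {"6667", "6697"}   # assumed common IRC ports, not from the report
BRUTE_THRESHOLD = 3            # assumed: failures before a success is suspicious

def analyze(log_text):
    """Correlate the chain per user and return findings keyed by indicator."""
    failures = defaultdict(int)   # source IP -> failed logins seen
    compromised = set()           # users whose login followed a failure burst
    findings = {}
    for line in log_text.splitlines():
        if m := FAILED.search(line):
            failures[m.group(2)] += 1
        elif m := ACCEPTED.search(line):
            user, src = m.groups()
            if failures[src] >= BRUTE_THRESHOLD:
                compromised.add(user)
                findings["brute_force_login"] = f"{user} from {src} after {failures[src]} failures"
        elif m := EXEC.search(line):
            user, path = m.groups()
            if user in compromised:
                # A binary named nmap outside the normal bin directories is the disguise
                if path.endswith("/nmap") and not path.startswith(TRUSTED_BIN_DIRS):
                    findings["fake_nmap"] = path
                # Compiler invoked in a session that began with brute-forced SSH access
                if path.rsplit("/", 1)[-1] in ("gcc", "cc"):
                    findings["on_host_compile"] = path
        elif m := NETCONN.search(line):
            user, port = m.groups()
            if user in compromised and port in IRC_PORTS:
                findings["irc_c2"] = port
    return findings
```

Each stage alone is noisy on a real fleet (admins do compile on servers), which is why the rule only scores exec and network events for a user whose session began after a failure burst.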