
"The toolset blends stealth helpers with legacy-era Linux exploitation: Alongside log cleaners (utmp/wtmp/lastlog tampering) and rootkit-class artifacts, the actor keeps a large back-catalog of Linux 2.6.x-era exploits (2009-2010 CVEs)," cybersecurity company Flare said. "These are low value against modern stacks, but remain effective against 'forgotten' infrastructure and long-tail legacy environments." SSHStalker combines IRC botnet mechanics with an automated mass-compromise operation that uses an SSH scanner and other readily available scanners to co-opt susceptible systems into a network and enroll them in IRC channels.
Also dropped are several payloads, including variants of an IRC-controlled bot and a Perl file bot that connects to an UnrealIRCd IRC Server, joins a control channel, and waits for commands that allow it to carry out flood-style traffic attacks and commandeer the bots. The attacks are also characterized by the execution of C program files to clean SSH connection logs and erase traces of malicious activity from logs to reduce forensic visibility.
SSHStalker is an IRC-based botnet and mass-compromise operation that uses a Golang SSH scanner and other scanners to propagate in a worm-like fashion. The toolkit deploys IRC-controlled bots, a Perl bot for UnrealIRCd, and payloads capable of flood-style attacks, while emphasizing persistence rather than immediate monetization. The operation includes log cleaners (utmp/wtmp/lastlog tampering), rootkit-class artifacts, and C programs to erase SSH connection traces, reducing forensic visibility. The actor maintains a back-catalog of Linux 2.6-era exploits targeting legacy or forgotten infrastructure. Dormant compromise behavior suggests staging, testing, or long-term strategic access retention.
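The utmp/wtmp tampering mentioned above is what a defender should be able to spot in the login history itself. The following is an added example, not code from The Hacker News, Flare, or the SSHStalker toolkit: it parses Linux `wtmp` records (the glibc `struct utmp` layout for x86_64, 384 bytes per record) and flags two classic signs of a log cleaner at work, a record zeroed in place between live entries and a timestamp that runs backwards. The sample `wtmp` bytes are constructed inline so the script runs offline; point `parse_wtmp` at the bytes of `/var/log/wtmp` to run it against a real host.

```python
"""Check a Linux wtmp file for records that look tampered with (added example)."""
import struct

# glibc struct utmp on x86_64: type, pad, pid, line[32], id[4], user[32],
# host[256], exit (2 shorts), session, tv_sec, tv_usec, addr_v6[4], unused[20]
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384 bytes per record

EMPTY, USER_PROCESS, DEAD_PROCESS = 0, 7, 8


def _cstr(raw: bytes) -> str:
    return raw.rstrip(b"\0").decode("utf-8", errors="replace")


def parse_wtmp(blob: bytes) -> list:
    """Split a wtmp blob into records; trailing bytes that do not fill a record are ignored."""
    records = []
    usable = len(blob) - len(blob) % UTMP_SIZE
    for off in range(0, usable, UTMP_SIZE):
        raw = blob[off:off + UTMP_SIZE]
        f = struct.unpack(UTMP_FMT, raw)
        records.append({
            "index": off // UTMP_SIZE,
            "type": f[0],
            "pid": f[1],
            "line": _cstr(f[2]),
            "user": _cstr(f[4]),
            "host": _cstr(f[5]),
            "ts": f[9],                      # ut_tv.tv_sec
            "zeroed": raw == b"\0" * UTMP_SIZE,
        })
    return records


def find_anomalies(records: list) -> list:
    """Return (index, reason) pairs for records that suggest in-place log cleaning."""
    anomalies = []
    live = [r for r in records if not r["zeroed"]]
    last_live = live[-1]["index"] if live else -1

    # 1. A fully zeroed record *followed* by live records: wtmp is append-only,
    #    so an all-zero slot in the middle means something overwrote an entry.
    for r in records:
        if r["zeroed"] and r["index"] < last_live:
            anomalies.append((r["index"], "zeroed record between live entries"))

    # 2. Timestamps should be non-decreasing; a regression points to a rewritten file.
    prev_ts = None
    for r in live:
        if prev_ts is not None and r["ts"] < prev_ts:
            anomalies.append((r["index"], "timestamp earlier than previous record"))
        prev_ts = r["ts"]

    return sorted(anomalies)


def make_record(ut_type: int, pid: int, line: str, user: str, host: str, ts: int) -> bytes:
    """Build one wtmp record; used only to construct sample input for this example."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0)


# Constructed sample: a normal login/logout, then a slot wiped to zeros (as a
# utmp cleaner would do), then a record whose time runs backwards.
SAMPLE_WTMP = b"".join([
    make_record(USER_PROCESS, 4242, "pts/0", "alice", "198.51.100.7", 1000),
    make_record(DEAD_PROCESS, 4242, "pts/0", "alice", "198.51.100.7", 1100),
    make_record(EMPTY, 0, "", "", "", 0),
    make_record(USER_PROCESS, 5150, "pts/1", "bob", "203.0.113.9", 1200),
    make_record(USER_PROCESS, 5160, "pts/2", "carol", "203.0.113.10", 1050),
])


if __name__ == "__main__":
    for idx, reason in find_anomalies(parse_wtmp(SAMPLE_WTMP)):
        print(f"record {idx}: {reason}")
```

On a real system the same two checks apply to `/var/log/wtmp` and `/var/run/utmp`, and `lastlog` can be cross-checked against the `wtmp` login times for each user. Neither check catches a cleaner that simply truncates the file, so correlate with `sshd` entries in the authentication log as well.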
Read at The Hacker News