New 'SSHStalker' Linux Botnet Uses Old Techniques
Briefly

"A newly identified Linux botnet is relying on decade-and-a-half-old exploits and techniques, cybersecurity company Flare reports. Dubbed SSHStalker, the botnet uses multiple 2009-era tools and mechanics, including an Internet Relay Chat (IRC) bot and 19 Linux kernel exploits. According to Flare, the botnet is rather noisy, executing a cron job every minute for persistence and using a watchdog 'update' relaunch model, and deploying various scanners and malware on the infected machines."
"SSHStalker uses open source exploits that are often used by low-to-mid tier threat actors, but the use of curated kernel exploits points to 'moderate operational maturity', the cybersecurity firm says. Flare's analysis of the botnet's attack flow revealed the deployment of nearly two dozen binaries and files. Following the deployment of an SSH scanner, two nearly identical IRC-controlled bot variants are deployed during the first stage of the infection."
SSHStalker is a Linux botnet that reuses 2009-era tools and mechanics, including an IRC bot and 19 kernel exploits. The botnet maintains persistence through a cron job that runs every minute and a watchdog 'update' relaunch model, while deploying scanners and additional malware. The infection chain deploys multiple C-based IRC bot variants, a Perl IRC bot, Tsunami and Keiten malware, and IRC command-and-control redundancy across multiple servers and channels. The campaign appears opportunistic rather than targeted and has likely compromised about 7,000 systems, concentrated on legacy Linux installations, which make up a small but rising share of internet-accessible servers.
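As an added example, not taken from the Flare report or the SecurityWeek article, the following defender-side check parses crontab text and flags entries scheduled to run every minute, the persistence cadence described above. The sample crontab lines and the suspect-path heuristic are constructed for illustration.

```python
import re

# Constructed sample crontab (not from the report). The every-minute entry
# mimics the persistence cadence described in the summary above.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
PATH=/usr/local/bin:/usr/bin:/bin
17 * * * * cd / && run-parts --report /etc/cron.hourly
*/5 * * * * /usr/local/bin/backup-check
* * * * * /tmp/.x/update >/dev/null 2>&1
0 3 * * 0 /usr/bin/certbot renew
"""

# Heuristic (assumption, not from the report): administrators rarely schedule
# jobs out of world-writable scratch directories.
SUSPECT_PATH = re.compile(r"^(/tmp|/var/tmp|/dev/shm)/")


def parse_crontab(text, system=False):
    """Return (schedule, user, command) tuples from crontab text.

    system=True handles /etc/crontab style lines, which carry a user field
    between the schedule and the command. Comments, blank lines and
    environment assignments (e.g. PATH=...) are skipped.
    """
    n_fields = 6 if system else 5
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, n_fields)
        if len(fields) < n_fields + 1:
            continue  # too short to be a job line (e.g. VAR=value)
        schedule = " ".join(fields[:5])
        user = fields[5] if system else None
        entries.append((schedule, user, fields[n_fields]))
    return entries


def find_every_minute_jobs(text, system=False):
    """Flag jobs whose schedule fires every minute ('* * * * *' or '*/1 ...')."""
    hits = []
    for schedule, user, cmd in parse_crontab(text, system):
        minute = schedule.split()[0]
        rest = schedule.split()[1:]
        if minute in ("*", "*/1") and rest == ["*", "*", "*", "*"]:
            hits.append({"user": user, "command": cmd,
                         "suspect_path": bool(SUSPECT_PATH.match(cmd))})
    return hits
```

Run against `crontab -l` output per user and against `/etc/crontab` with `system=True`; an every-minute job launching from a scratch directory is a strong review candidate.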
Read at SecurityWeek