“This is rising to 5–10% in long-tail environments (legacy hosting providers, abandoned VPS images, outdated appliances, industrial/OT gear, or niche embedded deployments),” Flare notes.

SSHStalker uses open-source exploits that are often used by low-to-mid-tier threat actors, but the use of curated kernel exploits points to “moderate operational maturity”, the cybersecurity firm says.

Flare’s analysis of the botnet’s attack flow revealed the deployment of nearly two dozen binaries and files.

Following the deployment of an SSH scanner, two nearly identical IRC-controlled bot variants are deployed during the first stage of the infection.

At the second stage, a Perl bot is deployed for command-and-control (C&C) communication, along with scripts for persistence, privilege escalation, and log cleaning.

Finally, a compressed file is dropped, containing eight files, including the logic for persistence (a cron job that executes an update script every minute). According to Flare, the scripts were designed to run an IRC-botnet builder.

The cybersecurity firm’s investigation into SSHStalker also revealed signs of an EnergyMech IRC bot, which provides full C&C capabilities via IRC, the use of various slang terms to blend in with typical IRC traffic, and several cryptomining kits.

Flare also identified the botnet’s IRC server, but did not observe communication associated with its activity, suggesting this is dormant or staging infrastructure.

“The channel behavior appeared limited to users connecting and disconnecting, with no visible operational coordination at the time of observation. Notably, the server and room structure were hosted on what appears to be a legitimate, public IRC network, and the environment itself looked authentic and maintained,” Flare notes.
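The every-minute cron job Flare describes is a simple thing to hunt for on a host. The following is an added example, not code from Flare’s report: it parses crontab text, flags entries scheduled to run every minute, and marks those whose command lives in a world-writable or hidden directory. The sample crontab, the path list and the function names are all constructed for illustration.

```python
import re

# Constructed sample crontab (not from the report); the /tmp line mimics the
# every-minute "update script" persistence described above.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
SHELL=/bin/sh
0 3 * * * /usr/bin/certbot renew --quiet
*/15 * * * * /usr/local/bin/backup.sh
* * * * * /tmp/.x/update >/dev/null 2>&1
@reboot /opt/agent/start
"""

# Directories an attacker can write to without privileges (assumed list).
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
CRON_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")

def runs_every_minute(minute, hour, dom, mon, dow):
    """True when the five schedule fields fire every minute of every day."""
    return minute in ("*", "*/1") and all(f == "*" for f in (hour, dom, mon, dow))

def is_suspicious_path(command):
    """True when the executable sits in a world-writable or hidden directory."""
    target = command.split()[0]
    return target.startswith(SUSPICIOUS_DIRS) or "/." in target

def find_every_minute_jobs(crontab_text, has_user_field=False):
    """Return (line_no, command, suspicious_path) for every-minute jobs.

    has_user_field=True handles /etc/crontab-style lines, where a user name
    precedes the command.
    """
    hits = []
    for n, raw in enumerate(crontab_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue                      # comments and @reboot-style specials
        if "=" in line.split()[0]:
            continue                      # environment assignment (SHELL=, PATH=)
        m = CRON_LINE.match(line)
        if not m:
            continue
        *sched, cmd = m.groups()
        if has_user_field:
            cmd = cmd.split(None, 1)[1]   # drop the user column
        if runs_every_minute(*sched):
            hits.append((n, cmd, is_suspicious_path(cmd)))
    return hits

if __name__ == "__main__":
    for n, cmd, sus in find_every_minute_jobs(SAMPLE_CRONTAB):
        print(f"line {n}: {cmd}  [{'SUSPICIOUS PATH' if sus else 'review'}]")
```

Run it over `crontab -l` output per user and over `/etc/crontab` and `/etc/cron.d/*` with `has_user_field=True`; an every-minute job pointing into `/tmp` or a dot-directory is worth a closer look.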

Source: SecurityWeek