
Criminals Use IRC to Hack 7,000 Linux Servers
TL;DR
A new botnet called SSHStalker has compromised nearly 7,000 Linux servers worldwide, utilizing outdated techniques melded with modern automation.
A new botnet called SSHStalker has compromised nearly 7,000 Linux servers around the world. A botnet is a network of infected computers that are remotely controlled by criminals. The operation was discovered by the security firm Flare while monitoring systems deliberately set up with weak passwords to lure in attackers.
After two months of investigation, the team identified a new and unprecedented attack pattern. What stands out is the fusion of old techniques with modern automation, resulting in an infrastructure resistant to deactivation.
The Use of IRC as a Control System
SSHStalker utilizes IRC (Internet Relay Chat) as its control system, a communication protocol popular in the 90s. Although considered outdated, IRC is cheap and has multiple backup points, making it appealing for criminals.
The operation adapted EnergyMech, a framework originally designed to manage IRC channels, to coordinate the infected machines. Activities are carried out in chat rooms that appear to be normal.
To avoid detection, the bots utilize false identities, blending in with real users through various nicknames, including Romanian slang and cultural references.
How the Attack Works
The attack begins with scans for vulnerable SSH servers. The attackers use a custom scanner, written in Go and disguised under the name "nmap" (the legitimate network-scanning tool), which spreads automatically: each infected machine starts scanning for new targets of its own.
Upon finding a server with port 22 open, a brute-force attack begins using common credentials such as "admin/admin" or "root/123456." Once a server is compromised, instead of dropping a ready-made binary, the attackers install GCC, a compiler that transforms source code into executables, and build the malware on the victim itself, producing a unique variant on each machine.
The malware installs with two nearly identical bots connected to different servers, ensuring that if one fails, the other continues to operate.
In the second stage, a malicious package called "GS" is downloaded, containing components that adjust the installation for different Linux distributions, along with scripts that erase access logs.
Persistence of the Malware
One of SSHStalker's most sophisticated tactics is its ability to persist on the system. The malware creates a task in cron, the Linux task scheduler, which checks every minute whether the malware is active, quickly reactivating it if it is removed.
To make removal harder, the malware operates from RAM, using a temporary file system. Its files vanish after a reboot, but the every-minute cron task immediately recreates them.
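An added detection example, not code from the article or from Flare: a Python check that parses crontab lines and flags entries combining the traits described above, an every-minute schedule, a process check that relaunches on failure, and a payload under a temporary, memory-backed path. The path list, the watchdog pattern and the sample crontab are constructed assumptions, not real indicators.

```python
import re

# Paths that are normally memory-backed (tmpfs) on Linux: assumption for this example.
VOLATILE_PATHS = ("/dev/shm/", "/tmp/", "/var/tmp/", "/run/")
# "pgrep X || /path/X" style: test whether a process is alive, relaunch it if not.
WATCHDOG_RE = re.compile(r"\b(pgrep|pidof|ps)\b.*(\|\||&&)")

def parse_cron_line(line):
    """Return (schedule, command) for a job line; None for blanks, comments and VAR=value lines."""
    s = line.strip()
    if not s or s.startswith("#") or re.match(r"^\w+=", s):
        return None
    if s.startswith("@"):  # @reboot, @hourly, ... use a single schedule token
        return tuple((s.split(None, 1) + [""])[:2])
    parts = s.split(None, 5)
    if len(parts) < 6:
        return None
    return " ".join(parts[:5]), parts[5]

def runs_every_minute(schedule):
    f = schedule.split()
    return len(f) == 5 and f[0] in ("*", "*/1") and all(x == "*" for x in f[1:])

def assess(line):
    """Return (line, reasons) when at least two SSHStalker-style traits coincide, else None."""
    parsed = parse_cron_line(line)
    if parsed is None:
        return None
    schedule, command = parsed
    reasons = []
    if runs_every_minute(schedule):
        reasons.append("runs every minute")
    if any(p in command for p in VOLATILE_PATHS):
        reasons.append("references a temporary, memory-backed path")
    if WATCHDOG_RE.search(command):
        reasons.append("process check with conditional relaunch")
    return (line.strip(), reasons) if len(reasons) >= 2 else None

def scan_crontab(text):
    return [f for f in (assess(l) for l in text.splitlines()) if f is not None]

# Constructed sample crontab; the names and paths are invented, not real indicators.
SAMPLE_CRONTAB = """\
0 2 * * * /usr/bin/certbot renew --quiet
* * * * * pgrep -x kworkerd >/dev/null || /dev/shm/.x/kworkerd
*/1 * * * * /tmp/.s/run.sh
@reboot /usr/local/bin/backup.sh
"""
```

To review a host, feed `scan_crontab` the output of `crontab -l` for each user together with the files under /etc/cron.d.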
Exploitation of Old Vulnerabilities
Researchers found on the attackers' server an arsenal of 81 exploits covering 16 CVE (Common Vulnerabilities and Exposures). Surprisingly, many target old versions of the Linux kernel from the series 2.6.x, common between 2009 and 2010.
While modern systems are protected, it is estimated that between 1% and 3% of servers on the internet are still vulnerable, numbers that rise to 5% to 10% in legacy environments.
Impacts on Cryptocurrency Mining and Data Theft
The botnet's operations have included installing programs for cryptocurrency mining, using the processing power of the affected machines, as well as tools for stealing credentials from Amazon Web Services.
Dedicated tools scour misconfigured sites for exposed access keys, allowing criminals to take full control over cloud infrastructure.
Possible Origin of the Attackers
Analyses indicate a possible Romanian origin for the malicious code. Although the repository contains scripts in various languages, the artifacts in Romanian suggest that this origin is genuine.
Studies of naming conventions and slang reinforce the hypothesis. SSHStalker bears similarities to other operations associated with organized crime in Eastern Europe, but there is no proven direct link.
This situation reveals a concerning cybersecurity landscape, relevant to both businesses and everyday users. The growth of attack tooling and the continued exploitation of old vulnerabilities demand constant attention from security professionals.
Content selected and edited with AI assistance. Original sources referenced above.