New Linux Botnet SSHStalker Leverages Vintage IRC Protocol for Command Control

A newly discovered Linux botnet named SSHStalker is resurrecting Internet Relay Chat (IRC) - a protocol dating back to 1988 - for its command-and-control infrastructure, according to researchers at threat intelligence firm Flare. This unexpected choice highlights how attackers are blending vintage technologies with modern cloud infrastructure to create resilient malware ecosystems.

SSHStalker's reliance on IRC provides several operational advantages: Its text-based nature requires minimal bandwidth, supports multi-server redundancy through channel hopping, and offers implementation simplicity compared to modern frameworks. As Flare researchers note, this creates "a loud, stitched-together botnet kit that mixes old-school IRC control with compiling binaries on hosts, mass SSH compromise, and cron-based persistence" - essentially prioritizing reliability and scale over stealth.

The infection chain begins with an SSH scanner disguised as the legitimate nmap network tool, which brute-forces credentials on cloud servers. After compromise, victims download the GCC compiler to build payloads locally, enhancing evasion. The malware then connects to IRC servers using hard-coded credentials, joining channels like '#infected machines' to receive commands. Persistence is maintained through cron jobs executing every 60 seconds - an unusually aggressive cycle that relaunches components if terminated.

Notably, SSHStalker exploits 16 known vulnerabilities in Linux kernels dating back to 2009-2010, including privilege escalation flaws detailed in the CVE database. Its current capabilities include AWS credential harvesting, website scanning, and cryptomining via the PhoenixMiner software, though researchers haven't observed active DDoS attacks despite having the capability.

Practical Defense Recommendations

Flare recommends these specific mitigation strategies:

1. SSH Hardening: Disable password authentication entirely in favor of SSH key-based authentication
2. Compiler Restrictions: Remove GCC and other compilation tools from production server images
3. Process Monitoring: Alert on compiler execution or IRC protocol traffic (typically TCP ports 6660-7000)
4. Cron Vigilance: Flag cron jobs executing from unusual paths (especially /dev/shm) with sub-5-minute intervals
5. Egress Filtering: Restrict outbound traffic from servers to essential services only

"This botnet's operational choices reveal a cost-benefit analysis favoring resilience over sophistication," explains a Flare security analyst. "While lacking stealth, its IRC foundation provides redundancy against takedowns - a reminder that legacy protocols still pose risks when combined with modern cloud infrastructure."