SSHStalker botnet brute-forces its way onto 7,000 Linux machines

cron/systemd integrity monitoring, especially for ‘runs every minute’ patterns.

Finally, because SSHStalker looks for older Linux machines, admins should have a legacy Linux eradication plan prioritizing the unhooking of machines with any version of Linux kernel 2.6, because these servers are being targeted.

How it was discovered: Discovery of SSHStalker came after Flare created an SSH honeypot with intentionally weak credentials at the beginning of this year, to see what happened. While the majority of attacks came from known threat actors, there was a distinct cluster from one source with no similar execution flow or prior indicators of compromise.

After getting into a Linux machine, the malware creates a backdoor with its own SSH key to maintain access. It also installs a binary that scans port 22 for servers with unprotected SSH, trying to find other new and vulnerable servers. The payload also contains several C scripts, including the Linux gcc (the GNU Compiler Collection) for compiling and running malware.

This stage is “loud,” Morag said, so defenders should note it can be detected with an application that looks for abnormal server behavior.

Secondary payloads in a zip file include an IRC (internet relay chat) bot for communicating with a command and control server. Other stages install malware that runs in memory.

“This entire execution chain is very loud,” Morag said. “They don’t need to do all of it. I guess what they are trying to do is run on Internet-of-Things [devices], but also on commercial servers.” It also suggests that the operator is still in the early stage of building the botnet, he said.

But the report also says the IRC components could be used to hide activity, through things like included random chat phrases. “This strongly suggests the bot was configured not only for control, but also for behavioral camouflage,” says the report: generating human-like noise in IRC channels obscures real operator activity or makes an automated presence appear organic.

“This tactic is consistent with legacy botnet operational tradecraft, where blending into public channels reduced suspicion while still allowing operators to issue commands via private messages, DCC (direct client-to-client) sessions, or linked bot networks,” the report says.

The malware hunts for older Linux kernels, including versions 2.6.18, 2.6.18-164, 2.6.31, and 2.6.37. This would include roughly up to 3% of internet-facing Linux servers, Flare estimates. But it could be as much as 10% in what Flare calls long-tail environments like legacy hosting providers, abandoned VPS images, outdated appliances, industrial/OT gear, or niche embedded deployments.

The kernel exploit inventory includes 16 different CVEs, five dating back to 2009 and three to 2010. Judging by the components of the malware, the operator likely understands kernel version fingerprinting, privilege escalation chaining, and mass exploitation workflows, even if they are not developing novel exploits, the report says.

Advice for infosec leaders: In addition to disabling SSH password authentication, the report recommends that infosec leaders:

- set up alerts triggered when non-system processes attempt to modify login accounting records;
- remove compilers from production images if possible;
- allow toolchain execution only in controlled build environments;
- enforce egress filtering based on business need;
- use an anti-virus scanner to pick up binaries dropped by SSHStalker;
- monitor for unauthorized execution of gcc;
- set up alerts when compilers run from user directories, /tmp or /dev/shm;
- set up alerts when newly-compiled binaries execute within seconds or minutes of creation;
- set up alerts on servers to detect communication with unknown external chat or relay infrastructure.
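Two of the recommendations above (compilers running from user directories, /tmp or /dev/shm, and newly compiled binaries executing within seconds of creation) can be expressed as simple stateful rules over process-execution records. The script below is an added example written for this page; it is not code from Flare, CSO Online, or the report, and it does not come from the malware. It assumes a constructed, simplified exec-log line format (`ts=... uid=... cwd=... exe=... argv="..."`) rather than any real auditd or EDR schema, and the 300-second "freshness" window and the list of watched directories are assumptions a defender would tune for their own environment.

```python
"""Toy detector for the report's compiler-abuse recommendations.

Added example (not from the report): replays constructed exec-log lines and
raises alerts when (a) a compiler runs from /tmp, /dev/shm or a user home, or
(b) a binary a compiler just produced is executed within a short window.
"""
import posixpath
import re
import shlex
from dataclasses import dataclass

# Directories the report names (/tmp, /dev/shm, user homes); /var/tmp and
# /root are added here as an assumption.
SUSPICIOUS_PREFIXES = ("/tmp/", "/dev/shm/", "/var/tmp/", "/home/", "/root/")
COMPILERS = {"gcc", "cc", "g++", "c++", "clang", "clang++", "tcc"}
FRESH_WINDOW = 300  # seconds between compile and first run that we treat as suspicious (assumption)

# Constructed log format; real sources (auditd EXECVE records, EDR telemetry) differ.
LINE_RE = re.compile(
    r'ts=(?P<ts>\d+) uid=(?P<uid>\d+) cwd=(?P<cwd>\S+) exe=(?P<exe>\S+) argv="(?P<argv>[^"]*)"'
)

# Constructed sample: a legitimate build in /opt/build, then a compile-and-run
# in /tmp/.x, then an a.out compiled and run from a home directory.
SAMPLE_LOG = [
    'ts=1700000000 uid=1000 cwd=/opt/build exe=/usr/bin/gcc argv="gcc -o /opt/build/svc svc.c"',
    'ts=1700003600 uid=1000 cwd=/opt/build exe=/opt/build/svc argv="svc"',
    'ts=1700005000 uid=33 cwd=/tmp/.x exe=/usr/bin/gcc argv="gcc -O2 -o /tmp/.x/scan scan.c"',
    'ts=1700005004 uid=33 cwd=/tmp/.x exe=/tmp/.x/scan argv="./scan"',
    'ts=1700006000 uid=1001 cwd=/home/bob exe=/usr/bin/cc argv="cc hello.c"',
    'ts=1700006010 uid=1001 cwd=/home/bob exe=/home/bob/a.out argv="./a.out"',
]


@dataclass
class Alert:
    rule: str
    ts: int
    uid: int
    detail: str


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": int(m["ts"]),
        "uid": int(m["uid"]),
        "cwd": m["cwd"],
        "exe": m["exe"],
        "argv": shlex.split(m["argv"]),
    }


def _resolve(path, cwd):
    """Make a path absolute relative to the process's cwd and normalise it."""
    return posixpath.normpath(path if path.startswith("/") else posixpath.join(cwd, path))


def _in_suspicious_dir(path):
    # Append "/" so that "/tmp" itself matches the "/tmp/" prefix.
    return (path.rstrip("/") + "/").startswith(SUSPICIOUS_PREFIXES)


def compiler_output(argv, cwd):
    """Return the binary a compiler invocation writes: the -o target, else a.out in cwd."""
    if "-o" in argv:
        i = argv.index("-o")
        if i + 1 < len(argv):
            return _resolve(argv[i + 1], cwd)
    return _resolve("a.out", cwd)  # gcc/cc default output name


def analyze(lines, window=FRESH_WINDOW):
    """Replay log lines in order and return the alerts the two rules produce."""
    alerts = []
    compiled = {}  # binary path -> timestamp at which a compiler produced it
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        exe_name = posixpath.basename(ev["exe"])
        if exe_name in COMPILERS:
            out = compiler_output(ev["argv"], ev["cwd"])
            compiled[out] = ev["ts"]
            if _in_suspicious_dir(ev["cwd"]) or _in_suspicious_dir(out):
                alerts.append(Alert("compiler_run_from_user_dir", ev["ts"], ev["uid"],
                                    f"{exe_name} in {ev['cwd']} -> {out}"))
            continue
        built_at = compiled.get(_resolve(ev["exe"], ev["cwd"]))
        if built_at is not None and 0 <= ev["ts"] - built_at <= window:
            alerts.append(Alert("fresh_binary_executed", ev["ts"], ev["uid"],
                                f"{ev['exe']} ran {ev['ts'] - built_at}s after compilation"))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"[{a.rule}] ts={a.ts} uid={a.uid} {a.detail}")
```

On the sample, the build in /opt/build produces no alert (the binary runs an hour later, outside the window), while the /tmp/.x compile and the home-directory `cc hello.c` each raise a compiler alert followed by a fresh-binary alert. Keying the second rule on the compiler's resolved output path, rather than on file-creation events, is what lets it work from exec records alone; a production version would also consume file-write telemetry so that binaries copied in rather than compiled are caught.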

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4130967/sshstalker-botnet-brute-forces-its-way-onto-7000-linux-machines.html
