Ethical Hacking News
Outlaw, a cryptocurrency mining botnet, has been identified as an auto-propagating Linux malware that relies on SSH brute-force attacks, cryptocurrency mining, and worm-like propagation to infect and maintain control over systems. With its ability to propagate in a botnet-like fashion, Outlaw poses a significant threat to Linux servers and SSH credentials.
The Outlaw malware is an auto-propagating Linux malware that uses SSH brute-force attacks, cryptocurrency mining, and worm-like propagation to infect systems. The malware has been active since at least late 2018 and is believed to be of Romanian origin. The attackers use a multi-stage infection process involving a dropper shell script and an initial access component called BLITZ. The malware scans for vulnerable systems running SSH services and fetches a target list from an SSH command-and-control (C2) server. The malware deploys SHELLBOT for remote control via an IRC channel, allowing the execution of arbitrary shell commands and exfiltration of sensitive information. The security implications of Outlaw highlight the importance of maintaining strong SSH credentials and implementing robust security measures to prevent such threats.
The cybersecurity landscape has witnessed a plethora of threats emerge over the years, each designed to exploit vulnerabilities in various systems and networks. In this article, we will delve into one such threat known as Outlaw, a cryptocurrency mining botnet that has been making waves in the security community. The Outlaw malware has been identified as an auto-propagating Linux malware that relies on SSH brute-force attacks, cryptocurrency mining, and worm-like propagation to infect and maintain control over systems.
According to recent reports from Elastic Security Labs, the Outlaw malware has been active since at least late 2018, with the threat actors believed to be of Romanian origin. The attackers have utilized various techniques to deploy their malware, including SSH brute-force attacks, where they abuse weak credentials to gain initial access to systems. This initial foothold allows them to conduct reconnaissance and maintain persistence on compromised hosts by adding their own SSH keys to the authorized_keys file.
A notable feature of the Outlaw malware is its multi-stage infection process. The attackers use a dropper shell script, referred to as "tddwrt7s.sh," to download an archive file known as "dota3.tar.gz." This archive contains the miner itself, which, when run, also removes traces of past compromises and kills both competing miners and the attackers' own earlier ones. The malware's ability to propagate in a botnet-like fashion is enabled by an initial access component called BLITZ, which scans for vulnerable systems running an SSH service.
The brute-force module of the Outlaw malware is configured to fetch a target list from an SSH command-and-control (C2) server, which perpetuates the cycle of infection and maintains control over compromised hosts. Some iterations of the attacks have also exploited Linux- and Unix-based operating systems susceptible to CVE-2016-8655 and CVE-2016-5195, as well as attacking systems with weak Telnet credentials.
Upon gaining initial access, the malware deploys SHELLBOT for remote control via an IRC channel. SHELLBOT enables the execution of arbitrary shell commands, downloads and runs additional payloads, launches DDoS attacks, steals credentials, and exfiltrates sensitive information. The malware also uses a binary called kswap01 to ensure persistent communications with the threat actor's infrastructure.
Despite using basic techniques like SSH brute-forcing, SSH key manipulation, and cron-based persistence, the Outlaw malware remains active. It deploys modified XMRig miners, leverages IRC for C2, and includes publicly available scripts for persistence and defense evasion. The security implications of this malware are significant, as it highlights the importance of maintaining strong SSH credentials and implementing robust security measures to prevent such threats.
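As an added example (not code from this article or from Elastic Security Labs), here is a small Python detector for two host-side signs of the chain described above: a burst of failed SSH logins followed by a successful login from the same address, and an authorized_keys entry whose fingerprint is not on a known-good allowlist. The log lines, the key blob and the allowlist are constructed; the log format is standard sshd syslog output.

```python
import base64, hashlib, re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines in syslog format; not from the article or any real host.
SAMPLE_LOG = """\
Apr  2 09:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51000 ssh2
Apr  2 09:00:02 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Apr  2 09:00:03 host sshd[1203]: Failed password for root from 203.0.113.7 port 51002 ssh2
Apr  2 09:00:04 host sshd[1204]: Failed password for root from 203.0.113.7 port 51003 ssh2
Apr  2 09:00:09 host sshd[1206]: Accepted password for root from 203.0.113.7 port 51005 ssh2
Apr  2 09:05:00 host sshd[1300]: Accepted publickey for alice from 198.51.100.4 port 40000 ssh2
"""
# Constructed authorized_keys content with a zero-filled ed25519 blob (not a real key).
SAMPLE_KEYS = "# managed keys\nssh-ed25519 " + "AAAAC3NzaC1lZDI1NTE5AAAAI" + "A" * 43 + " deploy@example\n"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"(?:password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def detect_ssh_bruteforce(log_text, threshold=4, window=timedelta(seconds=60), year=2025):
    # Flag an IP once it has >= threshold failures inside `window`, then flag any later success from it.
    failures, flagged, findings = defaultdict(list), set(), []  # failures: ip -> recent failure times
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog lines carry no year
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            failures[ip] = [t for t in failures[ip] if ts - t <= window] + [ts]
            if len(failures[ip]) >= threshold and ip not in flagged:
                flagged.add(ip)
                findings.append(("brute_force", ip, user))
        elif ip in flagged:
            findings.append(("login_after_brute_force", ip, user))
    return findings

def key_fingerprint(entry):
    # OpenSSH-style SHA256 fingerprint of one authorized_keys line (an options prefix is allowed).
    parts = entry.split()
    idx = next(i for i, p in enumerate(parts) if p.startswith(("ssh-", "ecdsa-", "sk-")))
    digest = hashlib.sha256(base64.b64decode(parts[idx + 1])).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def unexpected_keys(authorized_keys_text, allowed_fingerprints):
    # Report every key in authorized_keys whose fingerprint is not on the allowlist.
    fps = [key_fingerprint(l) for l in authorized_keys_text.splitlines() if l.strip() and not l.startswith("#")]
    return [fp for fp in fps if fp not in allowed_fingerprints]
```

A successful login from a flagged address is the event worth paging on; the key audit is meant to run from cron against a baseline of fingerprints you recorded yourself.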
As we move forward in an increasingly digital world, it is imperative that cybersecurity awareness and education are prioritized. Individuals and organizations must remain vigilant in monitoring their systems for potential threats and taking swift action when necessary. In this article, we have shed light on a particularly insidious threat known as Outlaw, one that serves as a reminder of the ongoing cat-and-mouse game between security professionals and malicious actors.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Outlaw-Botnet-A-Threat-to-Linux-Servers-and-SSH-Credentials-ehn.shtml
Published: Wed Apr 2 09:08:41 2025 by llama3.2 3B Q4_K_M