Outlaw hackers return with cryptocurrency mining botnet
The Outlaw hacking group has reemerged and is once again on the radar of cybersecurity researchers following the detection of a botnet attacking systems to mine for cryptocurrency.
The botnet spreads a miner for Monero (XMR), Trend Micro said in a blog post on Thursday.
After a honeypot operated by the cybersecurity firm detected a URL spreading the botnet, the team found that the miner was bundled with a Perl-based backdoor component and an SSH backdoor, both of which are elements associated with previous Outlaw attacks.
The latest campaign has focused on China, and considering that the researchers believe Outlaw is still in the testing stage — due to clues in shell script components and unexecuted, dormant malicious files — victims may be acting as test subjects for further development of the malware and botnet at large.
To begin the infection chain, Outlaw attempts to brute-force systems via SSH. A shell script is then deployed which downloads and executes the miner payload, and extracts a TAR file containing additional malicious scripts and a backdoor.
The TAR file contains binaries related to the cryptocurrency miner used by the original payload, shell scripts for the execution of the payload, and scripts to control the backdoor.
In addition, there are scripts which are able to detect rival miners already installed on a target system and, if necessary, delete them to eradicate competing forces when CPU power is stolen during mining operations.
One of the files of particular interest, rsync, is a Perl-based Shellbot which is able to download and execute files and shell commands, as well as launch distributed denial-of-service (DDoS) attacks.
Now that infection has been established and the system has been connected to Outlaw’s botnet, the malware will start looking around for more targets to infect. Two files downloaded by the scripts, tsm32 and tsm64, act as scanners to propagate the miner and are also able to send remote commands to execute malware.
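A defender-side triage check for the file names mentioned above, added here as an example and not taken from Trend Micro's report: it flags files named tsm32 or tsm64, and any file named rsync that is not an ELF binary. The function names, directory layout and sample contents are constructed for illustration, and the ELF test assumes the legitimate rsync on the host is a compiled binary.

```python
import os

ELF_MAGIC = b"\x7fELF"
# File names reported in the article; a match is a lead to review, not a verdict.
SCANNER_NAMES = {"tsm32", "tsm64"}

def head_of(path, n=64):
    """Return the first n bytes of a file, or None if it cannot be read."""
    try:
        with open(path, "rb") as fh:
            return fh.read(n)
    except OSError:
        return None

def triage(root):
    """Walk root and return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks and special files such as FIFOs
            rel = os.path.relpath(path, root)
            if name in SCANNER_NAMES:
                findings.append((rel, "scanner file name from the article"))
            elif name == "rsync":
                head = head_of(path)
                if head is None:
                    findings.append((rel, "rsync could not be read, check manually"))
                elif not head.startswith(ELF_MAGIC):
                    # Assumption: a packaged rsync on Linux is a compiled ELF binary.
                    kind = "Perl script" if b"perl" in head.lower() else "non-ELF file"
                    findings.append((rel, "rsync is a " + kind))
    return sorted(findings)

def build_sample_tree(root):
    """Write a constructed sample tree (hypothetical paths, placeholder contents)."""
    samples = {
        "usr/bin/rsync": ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9,
        "tmp/.cache/rsync": b"#!/usr/bin/perl\n# constructed placeholder\n",
        "tmp/.cache/tsm32": b"placeholder",
        "tmp/.cache/tsm64": b"placeholder",
    }
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
```

Calling `triage()` on a mounted disk image or a host directory returns the paths to review; a file name match alone does not confirm infection.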
“Given that Perl is installed in the machine, the use of Perl programming language for its backdoor ensures the malware flexibility to execute in both Linux- and Windows-based systems,” Trend Micro says. “And should the group decide to sell the code, the maintenance of the code would be easier for the buyer for more possible uses, adjustments, and execution.”
The presence of an APK, as of yet unused, suggests that Android may be the next operating system Outlaw will try to attack.
The techniques used in the new campaign are similar to a previous Outlaw attack wave detected in November 2018.
Two variants were spotted last year, one of which used a miner and a Haiduc-based dropper, whilst the other utilized brute-force attacks and attempted to exploit the Microsoft Remote Desktop Protocol and cloud administration cPanel for the purpose of privilege escalation. In both cases, a Monero miner was deployed and over 200,000 systems were infected worldwide.