Cybersecurity researchers have recently uncovered a sophisticated, self-propagating cryptocurrency mining botnet known as Outlaw, also referred to as Dota. This malicious network specifically targets SSH servers with weak credentials, posing a significant threat to Linux-based systems.
Outlaw operates by conducting brute-force attacks on SSH servers, exploiting weak or default passwords to gain unauthorized access. Once a server is compromised, the malware installs cryptocurrency mining software, effectively hijacking the server’s resources to mine digital currencies without the owner’s consent. This process not only depletes system resources but can also lead to increased operational costs and potential system instability.
The Outlaw group, believed to have Romanian origins, has been active since at least late 2018. Their modus operandi involves scanning for vulnerable SSH servers, gaining access through brute-force methods, and then establishing persistence by adding their own SSH keys to the authorized_keys file. This tactic ensures continued access to the compromised system, even if passwords are changed.
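Two host-side checks for the behaviours described above, written as an added example (not Outlaw's code and not from the original article): a burst of failed SSH password logins from one source followed by a successful login, and authorized_keys entries that are not on a managed allowlist. The sshd log lines, key material and allowlist are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sshd log lines (syslog style), not a real capture: 203.0.113.7 guesses root's
# password and then gets in; 198.51.100.4 is a user's single typo before a key login.
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 51110 ssh2
Mar  3 10:00:03 host sshd[2104]: Failed password for invalid user admin from 203.0.113.7 port 51112 ssh2
Mar  3 10:00:05 host sshd[2108]: Failed password for root from 203.0.113.7 port 51118 ssh2
Mar  3 10:00:09 host sshd[2115]: Accepted password for root from 203.0.113.7 port 51130 ssh2
Mar  3 10:15:40 host sshd[2300]: Failed password for alice from 198.51.100.4 port 40022 ssh2
Mar  3 10:16:02 host sshd[2302]: Accepted publickey for alice from 198.51.100.4 port 40024 ssh2
"""
LOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) "
                    r"(password|publickey) for (?:invalid user )?\S+ from (\S+) ")
def find_bruteforce(log, threshold=3, window_s=60):
    """{ip: (failed_logins, success_after)} for sources with >= threshold failed password logins in window_s seconds."""
    fails, accepted = defaultdict(list), set()
    for line in log.splitlines():
        if not (m := LOG_RE.match(line)):
            continue
        ts, outcome, method, ip = m.groups()
        ts = datetime.strptime(ts, "%b %d %H:%M:%S")  # syslog has no year; fine for deltas
        if outcome == "Failed" and method == "password":
            fails[ip].append(ts)
        elif outcome == "Accepted" and ip in fails:
            accepted.add(ip)  # guessed credential, not just scanner noise
    hits = {}
    for ip, t in fails.items():
        t.sort()
        if any((t[i + threshold - 1] - t[i]).total_seconds() <= window_s
               for i in range(len(t) - threshold + 1)):
            hits[ip] = (len(t), ip in accepted)
    return hits
# Constructed authorized_keys content; the second entry stands in for an attacker-added key.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyAlice alice@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedKeyUnknown
"""
MANAGED_KEYS = {"AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyAlice"}  # provisioned by config mgmt
def audit_authorized_keys(text, managed=MANAGED_KEYS):
    """Key material of every entry not on the managed allowlist (the persistence check)."""
    unexpected = []
    for parts in (l.split() for l in text.splitlines()):
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        idx = 0 if parts[0].startswith(("ssh-", "ecdsa-", "sk-")) else 1  # skip options field
        if len(parts) > idx + 1 and parts[idx + 1] not in managed:
            unexpected.append(parts[idx + 1])
    return unexpected
```

Running find_bruteforce on the sample flags only 203.0.113.7, with success_after set, and audit_authorized_keys returns the one key not in MANAGED_KEYS; both are the signals to act on rather than the volume of raw failed logins.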
The infection process employed by Outlaw is multi-staged. Initially, a dropper shell script named tddwrt7s.sh downloads an archive file called dota3.tar.gz. Once the archive is unpacked, its contents launch the cryptocurrency miner and simultaneously remove traces of previous infections. Notably, the malware is designed to eliminate both competing miners and any of its own older versions that may be present on the system.
A distinctive feature of the Outlaw malware is its self-propagation capability, referred to as BLITZ. This component scans for other vulnerable systems running SSH services, enabling the malware to spread in a botnet-like fashion. The brute-force module fetches target lists from an SSH command-and-control (C2) server, perpetuating the cycle of infection.
In some instances, the Outlaw group has exploited specific vulnerabilities in Linux and Unix-based operating systems, such as CVE-2016-8655 and CVE-2016-5195 (commonly known as Dirty COW). Additionally, they have targeted systems with weak Telnet credentials. Upon gaining initial access, the malware deploys SHELLBOT, allowing remote control via an IRC channel connected to the C2 server.
SHELLBOT facilitates various malicious activities, including executing arbitrary shell commands, downloading and running additional payloads, launching Distributed Denial-of-Service (DDoS) attacks, stealing credentials, and exfiltrating sensitive information.
To optimize its mining operations, the malware assesses the CPU capabilities of the infected system and enables hugepages for all CPU cores, enhancing memory access efficiency. It also utilizes a binary named kswap01 to maintain persistent communication with the threat actor’s infrastructure.
Despite relying on relatively basic techniques like SSH brute-forcing, SSH key manipulation, and cron-based persistence, the Outlaw group remains active and effective. Their malware deploys modified XMRig miners, leverages IRC for command and control, and incorporates publicly available scripts for persistence and defense evasion.