Outlaw Cybergang Resurfaces with Enhanced Malware Targeting Linux Systems Globally

The cybercriminal group known as Outlaw, active since at least 2018, has re-emerged with a more sophisticated malware toolkit aimed at Linux servers worldwide. Recent investigations show the group focusing on cryptocurrency mining and botnet expansion, gaining entry through weak SSH credentials on systems in Brazil, the United States, Germany, Italy, and Southeast Asia, among other regions.

Infection Mechanism:

Outlaw’s primary method of gaining access involves brute-force attacks against SSH services, targeting accounts with default or easily guessable passwords. Once access is secured, the attackers deploy a multi-stage payload that includes:

– Shell Script Execution: A shell script (`tddwrt7s.sh`) is executed to download and decompress a malicious archive (`dota.tar.gz`).

– Payload Deployment: Unpacking the archive creates a hidden directory (`.configrc5`) whose contents handle process manipulation, cryptocurrency mining, and command-and-control (C2) communication.
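The entry point described above is a password dictionary attack, and the log trail it leaves on the victim is distinctive: a burst of `Failed password` events from one source, then, if it works, an `Accepted password` from the same source. The script below is an added example written for this article, not code from the article or from the Outlaw toolkit; it parses OpenSSH auth-log lines, counts failures per source IP and flags a password login that follows a burst of failures. The log lines, IP addresses and the failure threshold are constructed assumptions.

```python
"""Spot SSH password brute-forcing, and a password login that follows it,
in OpenSSH auth log lines.

Added example, not code from the article or from the Outlaw toolkit. The
log lines, the source IPs and the failure threshold are constructed
assumptions."""
import re
import sys
from collections import defaultdict

# sshd message bodies as written to auth.log / journald; the syslog prefix
# in front of them is ignored because the patterns are searched, not anchored.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
ACCEPTED_RE = re.compile(r"Accepted password for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+")

THRESHOLD = 5  # assumed: failed attempts from one IP before we call it brute force


def analyze_auth_log(lines, threshold=THRESHOLD):
    """Return (brute_force_ips, usernames_tried, suspected_compromises).

    brute_force_ips: {ip: failure_count} for IPs at or above the threshold.
    usernames_tried: {ip: set(user)} showing the dictionary being used.
    suspected_compromises: [(ip, user, failures_before_success)] for a
    password login accepted from an IP that had already hit the threshold,
    which is exactly the success case a brute-force tool is hunting for.
    """
    failures = defaultdict(int)
    users = defaultdict(set)
    compromised = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]] += 1
            users[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m and failures.get(m["ip"], 0) >= threshold:
            compromised.append((m["ip"], m["user"], failures[m["ip"]]))
    brute = {ip: n for ip, n in failures.items() if n >= threshold}
    return brute, {ip: set(u) for ip, u in users.items()}, compromised


# Constructed sample: one dictionary attack that succeeds against root, and
# one legitimate user who mistypes a password and then logs in with a key.
SAMPLE_LOG = """\
Mar 12 03:14:01 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 12 03:14:03 web1 sshd[2213]: Failed password for invalid user oracle from 203.0.113.7 port 51030 ssh2
Mar 12 03:14:05 web1 sshd[2215]: Failed password for root from 203.0.113.7 port 51044 ssh2
Mar 12 03:14:07 web1 sshd[2217]: Failed password for root from 203.0.113.7 port 51050 ssh2
Mar 12 03:14:09 web1 sshd[2219]: Failed password for root from 203.0.113.7 port 51061 ssh2
Mar 12 03:14:11 web1 sshd[2221]: Accepted password for root from 203.0.113.7 port 51070 ssh2
Mar 12 03:20:44 web1 sshd[2301]: Failed password for alice from 198.51.100.9 port 40210 ssh2
Mar 12 03:20:50 web1 sshd[2303]: Accepted publickey for alice from 198.51.100.9 port 40212 ssh2
""".splitlines()


if __name__ == "__main__":
    # Pass a real log path (e.g. /var/log/auth.log) to analyse it instead.
    lines = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    brute, users, compromised = analyze_auth_log(lines)
    for ip, n in brute.items():
        print(f"brute force from {ip}: {n} failures, users tried: {sorted(users[ip])}")
    for ip, user, n in compromised:
        print(f"ALERT: password login as {user} from {ip} after {n} failures")
```

The script counts over the whole file rather than within a time window, so on a long-lived log a slow, distributed attack that spreads attempts across many source addresses will stay under the per-IP threshold; the usernames-tried set is the more robust signal in that case, since a dictionary attack cycles through account names no legitimate user would try. Key-based logins never match `ACCEPTED_RE`, which is the point of the hardening advice later in the article.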

Malware Components:

The toolkit comprises several key elements:

– XMRig Miner: A UPX-packed build of XMRig, the open-source Monero miner, is dropped under the name `kswapd0` so that it passes for the kernel's swap daemon thread in a process listing while it burns the victim's CPU mining on the attackers' behalf.

– IRC Botnet Client: An obfuscated Perl-based IRC client is used for C2 communication, enabling remote command execution and potential DDoS attacks.

– Persistence Mechanisms: The attackers keep their access by overwriting the victim's `~/.ssh/authorized_keys` with a file containing their own public key, which also locks out whichever legitimate keys it replaced, and by installing cron jobs that keep the malware running.
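Each component listed above leaves a host-level trace that can be checked directly: the `.configrc5` directory, a process named `kswapd0` that is backed by a file on disk (the real `kswapd0` is a kernel thread and has no executable), an `authorized_keys` entry nobody on the team recognises, and cron lines pointing into the hidden directory. The following is an added example, not code from the article or from the toolkit; only the indicator names come from the article, while the allow-list of known keys, the sample data and the heuristics are assumptions.

```python
"""Hunt a Linux host for the Outlaw indicators the article names: a hidden
.configrc5 directory, a user-space process calling itself kswapd0, an
authorized_keys entry that is not on an allow-list, and cron entries
pointing into the hidden directory.

Added example, not code from the article or the toolkit. The indicator
names come from the article; the allow-list, sample data and heuristics
are assumptions."""
import os
import re

HIDDEN_DIR = ".configrc5"


def find_hidden_dirs(home_dirs, isdir=os.path.isdir):
    """Return every <home>/.configrc5 that exists. `isdir` is injectable so
    the check can be exercised without touching the filesystem."""
    return [p for p in (os.path.join(h, HIDDEN_DIR) for h in home_dirs) if isdir(p)]


def read_procs():
    """Enumerate /proc into (pid, comm, exe). For kernel threads there is no
    backing binary, so readlink on /proc/<pid>/exe fails and exe is None."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
        except OSError:
            continue
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = None
        procs.append((int(pid), comm, exe))
    return procs


def suspicious_kswapd(procs):
    """The genuine kswapd0 is a kernel thread with no executable. A kswapd0
    that resolves to a file on disk is a user-space impostor."""
    return [(pid, exe) for pid, comm, exe in procs if comm == "kswapd0" and exe]


KEY_RE = re.compile(r"(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+) (\S+)")


def foreign_authorized_keys(text, allowed):
    """Return authorized_keys lines whose 'type base64' is not in `allowed`.
    Options may precede the key (e.g. no-pty,command=...), so search rather
    than anchor. Unparseable non-comment lines are reported too."""
    foreign = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if not m or f"{m[1]} {m[2]}" not in allowed:
            foreign.append(line)
    return foreign


CRON_RE = re.compile(r"\.configrc5|\b(?:curl|wget)\b.*\|\s*(?:ba)?sh\b")


def suspicious_cron(text):
    """Crontab lines that reference the hidden directory or pipe a download
    straight into a shell."""
    return [l for l in text.splitlines() if CRON_RE.search(l)]


# --- constructed sample data -------------------------------------------
SAMPLE_PROCS = [
    (91, "kswapd0", None),                                  # real kernel thread
    (4412, "kswapd0", "/home/www/.configrc5/a/kswapd0"),   # miner (constructed path)
    (4413, "sshd", "/usr/sbin/sshd"),
]
ALLOWED_KEYS = {"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleAllowListedKeyMaterial"}
SAMPLE_AUTHORIZED_KEYS = """\
# ops bastion
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleAllowListedKeyMaterial ops@bastion
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedUnknownKeyMaterial unknown
"""
SAMPLE_CRONTAB = """\
0 3 * * * /usr/bin/certbot renew -q
* * * * * /home/www/.configrc5/a/upd >/dev/null 2>&1
@reboot /home/www/.configrc5/b/sync >/dev/null 2>&1
"""

if __name__ == "__main__":
    # Live sweep of the current host; home directories assumed under /home and /root.
    homes = ["/root"]
    if os.path.isdir("/home"):
        homes += [os.path.join("/home", d) for d in os.listdir("/home")]
    print("hidden dirs:", find_hidden_dirs(homes))
    print("fake kswapd0:", suspicious_kswapd(read_procs()))
```

Run it as root so `/proc/<pid>/exe` is readable for every process; as an unprivileged user the readlink fails for other users' processes and a miner running under another account would be missed. The `authorized_keys` comparison is by key material, not by the trailing comment, because the comment is free text an attacker can set to anything.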

Evasion and Anti-Forensic Techniques:

Outlaw employs several strategies to evade detection and maintain control over infected systems:

– Competing Miner Removal: The malware identifies and terminates rival mining processes to monopolize system resources.

– Tor Integration: Utilizing Tor proxies, the malware conceals its communication with mining pools, enhancing anonymity.

– Process Whitelisting: The toolkit includes mechanisms to whitelist its own processes, preventing self-termination and ensuring uninterrupted operation.

Global Impact and Mitigation Strategies:

The resurgence of Outlaw underscores the persistent threat posed by cybercriminal groups targeting Linux environments. Organizations are advised to implement robust security measures, including:

– SSH Hardening: Disable password authentication in `sshd_config`, require public-key authentication, and disallow root login over SSH; a password dictionary attack only works for as long as the server is willing to accept passwords.

– Regular System Audits: Conduct frequent reviews of system logs and configurations to detect and respond to unauthorized activities promptly.

– Resource Monitoring: Monitor system performance for unusual spikes in CPU or network usage, which may indicate malicious activities such as cryptomining.
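The SSH hardening item above is the one that removes Outlaw's initial foothold, and it is also the one most often done wrong: OpenSSH takes the first value it reads for a keyword, so a `PasswordAuthentication no` appended to the end of a file that already says `yes` changes nothing, and a `Match` block further down can re-enable passwords for a subset of users. The checker below is an added example written for this article, not code from the article or from OpenSSH; it parses an `sshd_config`, applies the OpenSSH defaults for anything left unset, and reports the weak settings. The two configs are constructed; the keywords and defaults are standard OpenSSH ones.

```python
"""Audit an sshd_config against the hardening the article recommends: no
password or keyboard-interactive logins, public keys required, no root
password login, no empty passwords.

Added example, not from the article. The two configs are constructed; the
keywords and defaults are standard OpenSSH ones (defaults as of OpenSSH 7+)."""
import re
import sys

# keyword (lowercase) -> acceptable values (lowercase)
EXPECTED = {
    "passwordauthentication": {"no"},
    "kbdinteractiveauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
    "permitrootlogin": {"no", "prohibit-password"},
    "permitemptypasswords": {"no"},
}
# What sshd uses when the keyword is absent; a missing line is NOT safe.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
}
# Legacy spelling still accepted by OpenSSH as an alias.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
LINE_RE = re.compile(r"^([A-Za-z]+)\s*[= ]\s*(.+?)$")


def parse_sshd_config(text):
    """Return ({keyword: value}, saw_match). sshd takes the FIRST value it
    reads for a keyword, so a hardening line appended below an earlier
    `PasswordAuthentication yes` changes nothing. Parsing stops at the first
    Match block: everything after it is conditional and must be reviewed
    by hand (it can quietly re-enable passwords for some users or networks)."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m[1].lower(), m[2].strip().lower()
        if key == "match":
            return effective, True
        key = ALIASES.get(key, key)
        effective.setdefault(key, value)
    return effective, False


def audit_sshd_config(text):
    """Return findings as (keyword, effective_value, origin) tuples; an empty
    list means the config meets every expectation."""
    effective, saw_match = parse_sshd_config(text)
    findings = []
    for key, ok in EXPECTED.items():
        value = effective.get(key, DEFAULTS[key])
        if value not in ok:
            findings.append((key, value, "explicit" if key in effective else "default"))
    if saw_match:
        findings.append(("match", "present", "review"))
    return findings


# Constructed: a stock-looking config that still takes passwords, with a
# Match block that widens root access for one network.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PasswordAuthentication no   # too late: the first value above wins
Match Address 10.0.0.0/8
    PermitRootLogin yes
"""
# Constructed: the corrected version.
HARDENED_CONFIG = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
PermitRootLogin prohibit-password
AuthenticationMethods publickey
MaxAuthTries 3
"""

if __name__ == "__main__":
    # Pass a path (e.g. /etc/ssh/sshd_config) to audit a real file instead.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CONFIG
    for key, value, origin in audit_sshd_config(text) or [("ok", "-", "-")]:
        print(f"{key}: {value} ({origin})")
```

The parser does not follow `Include` directives; on distributions that ship `Include /etc/ssh/sshd_config.d/*.conf` near the top of the file, the drop-in files are read at that point and, under the first-value-wins rule, take precedence over anything below them, so audit them as well. The authoritative check on a live host is `sshd -T`, which prints the configuration sshd actually resolved, and the same first-value rule explains why a hardening line must go above any existing `PasswordAuthentication yes` rather than below it.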

By adopting these proactive measures, organizations can enhance their defenses against sophisticated threats like those posed by the Outlaw cybergang.