Cybersecurity experts have shed light on a self-replicating cryptocurrency mining botnet known as Outlaw (also referred to as Dota), which is notorious for targeting SSH servers with weak login credentials.
According to Elastic Security Labs, in a recent analysis, “Outlaw is a Linux-based malware that relies on SSH brute-force attacks, cryptocurrency mining, and worm-like propagation to infect and maintain control over systems.”
The term “Outlaw” is also used to refer to the threat actors behind the malware, who are believed to be of Romanian origin. Other prominent groups in the cryptojacking landscape include 8220, Keksec (also known as Kek Security), Kinsing, and TeamTNT.
The hacking group has been active since at least late 2018 and has been known to brute-force SSH servers, exploiting the foothold to conduct reconnaissance and maintain persistence on the compromised hosts by adding their own SSH keys to the “authorized_keys” file.
The attackers are also known to incorporate a multi-stage infection process that involves using a dropper shell script (“tddwrt7s.sh”) to download an archive file (“dota3.tar.gz”), which is then unpacked to launch the miner while also taking steps to remove traces of past compromises and kill both the competition and their own previous miners.
A notable feature of the malware is an initial access component (also known as BLITZ) that allows for self-propagation of the malware in a botnet-like fashion by scanning for vulnerable systems running an SSH service. The brute-force module is configured to fetch a target list from an SSH command-and-control (C2) server to further perpetuate the cycle.
Some iterations of the attacks have also resorted to exploiting Linux- and Unix-based operating systems susceptible to CVE-2016-8655 and CVE-2016-5195 (also known as Dirty COW), as well as attacking systems with weak Telnet credentials. Upon gaining initial access, the malware deploys SHELLBOT for remote control via a C2 server using an IRC channel.
SHELLBOT, for its part, enables the execution of arbitrary shell commands, downloads and runs additional payloads, launches DDoS attacks, steals credentials, and exfiltrates sensitive information.
As part of its mining process, the malware identifies the CPU of the infected system and enables hugepages for all CPU cores to improve memory access efficiency. It also makes use of a binary called kswap01 to ensure persistent communications with the threat actor’s infrastructure.
According to Elastic, “Outlaw remains active despite using basic techniques like SSH brute-forcing, SSH key manipulation, and cron-based persistence. The malware deploys modified XMRig miners, leverages IRC for C2, and includes publicly available scripts for persistence and defense evasion.”
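The brute-forcing and cron-based persistence described in the analysis leave traces in ordinary host logs. The following is an added detection sketch in Python, not code from the article or from Elastic Security Labs; the auth log lines, crontab entries and file paths are constructed samples, and the failure threshold is an assumed value a defender would tune.

```python
import re
from collections import defaultdict

# Constructed sshd/auth.log-style sample lines (not real captured data).
SAMPLE_AUTH_LOG = """\
Apr  1 10:00:01 host sshd[1201]: Failed password for root from 198.51.100.7 port 40122 ssh2
Apr  1 10:00:02 host sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 40124 ssh2
Apr  1 10:00:03 host sshd[1205]: Failed password for root from 198.51.100.7 port 40126 ssh2
Apr  1 10:00:04 host sshd[1207]: Failed password for root from 198.51.100.7 port 40128 ssh2
Apr  1 10:00:05 host sshd[1209]: Failed password for root from 198.51.100.7 port 40130 ssh2
Apr  1 10:00:09 host sshd[1211]: Accepted password for root from 198.51.100.7 port 40132 ssh2
Apr  1 10:05:00 host sshd[1300]: Failed password for alice from 203.0.113.9 port 51000 ssh2
"""

# Constructed crontab sample; the path is a placeholder, not a known Outlaw location.
SAMPLE_CRONTAB = """\
*/5 * * * * /tmp/constructed/kswap01 >/dev/null 2>&1
0 3 * * * /usr/bin/certbot renew
"""

# File and binary names the article attributes to Outlaw; a cheap, low-fidelity signal.
OUTLAW_ARTIFACTS = ("tddwrt7s.sh", "dota3.tar.gz", "kswap01")

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (\S+) from (\S+) port")


def find_bruteforce_sources(log_text, threshold=5):
    """Return {ip: stats} for source IPs with at least `threshold` failed logins.
    `accepted` records whether the same IP later logged in successfully,
    which is the pattern of a brute-force that found weak credentials."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "accepted": False})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            stats[ip]["failures"] += 1
            stats[ip]["users"].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            stats[m.group(2)]["accepted"] = True
    return {ip: s for ip, s in stats.items() if s["failures"] >= threshold}


def find_artifact_hits(text):
    """Return (line, artifact) pairs for lines naming a known Outlaw artifact."""
    return [(ln, a) for ln in text.splitlines() for a in OUTLAW_ARTIFACTS if a in ln]
```

Feeding real crontabs, authorized_keys files and process listings through `find_artifact_hits`, and auth logs through `find_bruteforce_sources`, gives a first triage pass; the IRC C2 traffic and cron entries are the higher-fidelity confirmations.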