Outlaw group uses botnet for scanning, cryptomining and brute-forcing

by Julie Splinters

Outlaw hackers used Shellbot trojan variant to target organizations

Outlaw group started a botnet

Security researchers from Trend Micro published[1] a report about new botnet malware distributed by the so-called Outlaw hacking group, which previously compromised the FTP servers of a Japanese art institution and a Bangladeshi government website.[2] The threat actors' main goal is to expand the botnet and operate it as a network-scanning and crypto-mining utility. The group utilizes haiduc – a hacking tool used by cybercriminals to scan the internet for vulnerable servers.

Experts observed a Perl-based Shellbot[3] that targeted a variety of organizations and exploited a common command injection vulnerability on Linux servers and IoT gadgets, although Android and Windows-based devices were also affected. The malware used the Internet Relay Chat (IRC) protocol to communicate with hacker-controlled Command and Control servers.

Initially, the Outlaw group used the infrastructure it had built to perform DDoS attacks on the criminals' targets. However, its capabilities evolved as the bad actors added a brute-force feature and a crypto mining operation. The threat is recognized as Coinminer.SH.MALXMR.ATNJ by Trend Micro.

According to researchers, the new botnet has already affected over 180,000 hosts, along with an additional 20,000 newly compromised hosts, which include IoT devices, Windows and cloud-based servers, and thousands of websites.

Enhanced coin mining capabilities and exploitation of RDP and cloud administration cPanel

According to the research, two different activities were observed from the malware. The first version has two functionalities:

  • Haiduc-based dropper
  • The coin miner

The coin mining script is capable of avoiding detection by continually scanning IPS[4] and firewalls. It also consists of two parts – a plain text bash/Perl script and an obfuscated Perl script.

Before the malware starts the coin mining process, it checks whether other mining scripts are running on the system. If any such operations are found, they are killed and restarted with Outlaw's own binaries. This means that the bot is capable of hijacking all coin mining processes on the system. Then, malicious scripts are downloaded in order to run a Monero cryptocurrency mining process, which can affect both Android and Linux devices.

As soon as the crypto mining process is established, the bot reports to hackers via the website using a random name and a PHP script.

The haiduc-based dropper is responsible for the bot's proliferation. It launches brute-force attacks against hosts running the SSH[5] service. Once successful, the bot sends an email to the botnet administrator by commanding a PHP script instead of using IRC. It also exploits the RDP environment and the cloud administration cPanel even further and gives itself administrative privileges.
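For defenders, the SSH brute-force stage described above is visible in sshd authentication logs as a burst of failed logins from one source, sometimes ending in a successful one. The following detection sketch is an added example, not code from the Trend Micro report or from the malware; the log lines, host name, user names and addresses are constructed, and the threshold and time window are assumed values to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH syslog format (documentation IP ranges).
SAMPLE_LOG = """\
Nov 20 03:14:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Nov 20 03:14:03 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
Nov 20 03:14:05 web1 sshd[2105]: Failed password for invalid user test from 203.0.113.7 port 40131 ssh2
Nov 20 03:14:06 web1 CRON[2106]: pam_unix(cron:session): session opened for user root
Nov 20 03:14:08 web1 sshd[2107]: Failed password for invalid user oracle from 203.0.113.7 port 40140 ssh2
Nov 20 03:14:10 web1 sshd[2109]: Failed password for deploy from 203.0.113.7 port 40152 ssh2
Nov 20 03:14:12 web1 sshd[2111]: Accepted password for deploy from 203.0.113.7 port 40160 ssh2
Nov 20 09:02:30 web1 sshd[3050]: Failed password for alice from 198.51.100.23 port 51812 ssh2
Nov 20 09:02:41 web1 sshd[3052]: Accepted password for alice from 198.51.100.23 port 51820 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: {"failures": n, "compromised_user": user or None}} for
    sources with at least `threshold` failed logins inside `window`."""
    failures = defaultdict(list)  # ip -> timestamps of failures still in window
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd password event
        # Syslog lines carry no year; an arbitrary fixed one is enough for deltas.
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        recent = [t for t in failures[ip] if ts - t <= window]
        if m["result"] == "Failed":
            recent.append(ts)
        failures[ip] = recent
        if len(recent) >= threshold:
            hit = findings.setdefault(ip, {"failures": 0, "compromised_user": None})
            hit["failures"] = max(hit["failures"], len(recent))
            # A success right after a failure burst means a guessed password.
            if m["result"] == "Accepted":
                hit["compromised_user"] = m["user"]
    return findings
```

A finding with a non-empty `compromised_user` is the case to escalate first, since it marks a host where the guessing succeeded and an account needs a credential reset and review.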

The ever-evolving threat

Considering that the previous variants of the malware were found less than a month ago, and with new ones coming out, Outlaw's botnet is evolving. It gained PHP capabilities that are far superior to the IRC-based communication, increasing the effectiveness of the C&C servers.

At first, the Outlaw botnet was created for DDoS attacks against high-profile organizations. However, the newly added functionalities, like brute-forcing and cryptocurrency mining, allowed the threat actors to develop sophisticated malware that can bypass certain security measures and spread fast.

Nevertheless, users should employ comprehensive security solutions in order to protect themselves from Outlaw's cyber attacks.

About the author

Julie Splinters - Malware removal specialist

Julie Splinters is the News Editor of 2-spyware. Her bachelor's degree was in English Philology.


References