Outlaw hackers return with cryptocurrency mining botnet

The group is using Chinese victims as guinea pigs to try out their malware.
Written by Charlie Osborne, Contributing Writer

The Outlaw hacking group has reemerged and is once again on the radar of cybersecurity researchers following the detection of a botnet attacking systems to mine for cryptocurrency.

The botnet spreads a miner for Monero (XMR), Trend Micro said in a blog post on Thursday.

After a honeypot operated by the cybersecurity firm detected a URL spreading the botnet, the team found that the miner was bundled with a Perl-based backdoor component and an SSH backdoor, both of which are elements associated with previous Outlaw attacks.

The latest campaign has focused on China, and considering that the researchers believe Outlaw is still in the testing stage -- due to clues in shell script components and unexecuted, dormant malicious files -- victims may be acting as test subjects for further development of the malware and botnet at large.


To begin the infection chain, Outlaw attempts to brute-force systems via SSH. A shell script is then deployed which downloads and executes the miner payload, as well as extracting a TAR file that contains additional malicious scripts and a backdoor.

The TAR folder contains binaries related to the cryptocurrency miner used by the original payload, shell scripts for the execution of the payload, and scripts to control the backdoor.

In addition, there are scripts which are able to detect rival miners already installed on a target system and, if necessary, delete them, eliminating competitors for the CPU power stolen during mining operations.

One of the files of particular interest, rsync, is a Perl-based Shellbot which is able to download and execute files and shell commands, as well as launch distributed denial-of-service (DDoS) attacks.

Once infection has been established and the system has been connected to Outlaw's botnet, the malware will start looking around for more targets to infect. Two files downloaded by the scripts, tsm32 and tsm64, act as scanners to propagate the miner and are also able to send remote commands to execute malware.
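The article names three artifacts of the campaign: a Perl-based Shellbot dropped under the name rsync, and the tsm32/tsm64 scanners. The following is an added defender-side example (not code from the article or from Trend Micro) that checks a directory for those names and, for rsync, verifies that the file is a genuine ELF binary rather than a Perl script; the sample files it builds are constructed stand-ins, not real malware.

```python
import os
import tempfile

# File names the article associates with this campaign.
SCANNER_NAMES = {"tsm32", "tsm64"}
ELF_MAGIC = b"\x7fELF"


def classify_file(path):
    """Return 'elf', 'perl', 'script' or 'other' based on the file's first bytes."""
    with open(path, "rb") as fh:
        head = fh.read(64)
    if head.startswith(ELF_MAGIC):
        return "elf"
    if head.startswith(b"#!"):
        first_line = head.split(b"\n", 1)[0]
        return "perl" if b"perl" in first_line else "script"
    return "other"


def find_suspects(directory):
    """Flag known Outlaw file names. A legitimate rsync is an ELF binary, so a
    Perl script carrying that name is a strong indicator of the Shellbot."""
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        kind = classify_file(path)
        if name == "rsync" and kind != "elf":
            findings.append((name, kind, "rsync that is not an ELF binary"))
        elif name in SCANNER_NAMES:
            findings.append((name, kind, "Outlaw scanner file name"))
    return findings


def build_sample_dir(files):
    """Write constructed sample files into a fresh temp directory and return its path."""
    directory = tempfile.mkdtemp()
    for name, content in files.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(content)
    return directory


if __name__ == "__main__":
    # Constructed demo: a Perl 'rsync', a tsm64 with an ELF header, a benign file.
    sample = build_sample_dir({
        "rsync": b"#!/usr/bin/perl\nprint 'bot';\n",
        "tsm64": ELF_MAGIC + b"\x02\x01\x01",
        "notes.txt": b"hello",
    })
    for finding in find_suspects(sample):
        print(finding)
```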


"Given that Perl is installed in the machine, the use of Perl programming language for its backdoor ensures the malware flexibility to execute in both Linux- and Windows-based systems," Trend Micro says. "And should the group decide to sell the code, the maintenance of the code would be easier for the buyer for more possible uses, adjustments, and execution."

The presence of an APK, as of yet unused, suggests that Android may be the next operating system Outlaw will try to attack.


The techniques used in the new campaign are similar to a previous Outlaw attack wave detected in November 2018.

Two variants were spotted last year, one of which used a miner and a Haiduc-based dropper, whilst the other utilized brute-force attacks and attempted to exploit the Microsoft Remote Desktop Protocol and the cPanel cloud administration tool for the purpose of privilege escalation. In both cases, a Monero miner was deployed and over 200,000 systems were infected worldwide.
