Outlaw hacking group kills existing cryptocurrency miners in enterprise server attacks

A recent update also revealed a pivot towards corporate systems with weak patch management practices.

Hijacked botnet: Someone is messing with the Phorpiex malware Someone is uninstalling the Phorpiex malware from infected PCs and telling users to install an antivirus

The Outlaw hacking group has remerged after months of quiet with an upgraded toolset designed for data theft and for plundering enterprise resources in the quest for cryptocurrency. 

Outlaw, first spotted back in 2018, is a threat group that has been in testing and malware development stages over the past year. 

In June 2019, researchers from Trend Micro said that unexecuted, malicious commands and clues in shell script components of a botnet developed by the cyberattackers indicated that Chinese victims were likely guinea pigs for botnet-based cryptocurrency mining campaigns.

See also: Outlaw hackers return with cryptocurrency mining botnet

The botnet is equipped with a Monero (XMR) miner and following a period of inactivity has now been bolstered with improvements, including the ability to find and eradicate existing cryptocurrency miners on infected systems. 

Trend Micro observed an uptick in activity in December, in which attacks moved from the Chinese testing ground to the US and Europe, the cybersecurity firm said in a blog post on Monday. 

According to the team, other upgrades have also taken place including "expanded scanner parameters and targets, looped execution of files via error messages, improved evasion techniques for scanning activities, and improved mining profits by killing off both the competition and their own previous miners."

CNET: Foreign hackers are targeting more US government agencies, report says

Outlaw is targeting Linux- and Unix-based operating systems, Internet of Things (IoT) devices, and vulnerable corporate servers. 

Currently, Outlaw is exploring CVE-2016-8655 and the Dirty COW exploit (CVE-2016-5195) as potential entryways for exploit kits, alongside PHP-based web shells used to try and crack servers with poor SSH and Telnet credentials. These vulnerabilities are years old, and so by focusing on them, this could indicate that Outlaw wants to stay under the radar by targeting servers with next to no security or patch processes.

"It appears that they're going after enterprises who have yet to patch their systems, as well as companies with Internet-facing systems with weak to no monitoring of traffic and activities," the researchers say. 

TechRepublic: Kubernetes rollouts: 5 security best practices

Samples obtained by the team suggest that cryptocurrency mining is not the only avenue for illicit revenue that Outlaw is exploring. In addition, malware has been found that focuses on the theft of data from compromised servers, mainly geared towards the automotive and financial sectors. This information could then potentially be sold on for a profit. 

Enterprise servers may not be the only new targets that Outlaw is examining. The researchers also found evidence of Android APKs and Android Debug Bridge (ADB) commands that could be used to force Android-based smart television sets to mine for cryptocurrency. 

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0