silversurfer
The Outlaw hacking group has reemerged and is once again on the radar of cybersecurity researchers following the detection of a botnet attacking systems to mine for cryptocurrency. The botnet spreads a miner for Monero (XMR), Trend Micro said in a blog post on Thursday.
After a honeypot operated by the cybersecurity firm detected a URL spreading the botnet, the team found that the miner was bundled with a Perl-based backdoor component and an SSH backdoor, both of which are elements associated with previous Outlaw attacks.
The latest campaign has focused on China, and considering that the researchers believe Outlaw is still in the testing stage -- due to clues in shell script components and unexecuted, dormant malicious files -- victims may be acting as test subjects for further development of the malware and botnet at large.
To begin the infection chain, Outlaw attempts to brute-force systems via SSH. A shell script is then deployed which downloads and executes the miner payload, as well as extracting a TAR file which contains additional malicious scripts and backdoors.
The TAR folder contains binaries related to the cryptocurrency miner used by the original payload, shell scripts for the execution of the payload, and scripts to control the backdoor.
In addition, there are scripts which are able to detect rival miners already installed on a target system and, if necessary, delete them to eradicate competing forces when CPU power is stolen during mining operations.
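The first step of the chain described above, SSH password brute-forcing, is one a defender can spot in sshd logs. The following is an added example (not code from the post or from Trend Micro) that parses constructed OpenSSH auth.log lines, flags a source IP that exceeds a failure threshold inside a short window, and reports whether that same source then logged in successfully; host name, IPs and user names are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (hypothetical host "web1"; 203.0.113.7 and
# 198.51.100.5 are documentation-range addresses, not real indicators).
SAMPLE_LOG = """\
Jun 14 02:11:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jun 14 02:11:03 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Jun 14 02:11:05 web1 sshd[2105]: Failed password for root from 203.0.113.7 port 51041 ssh2
Jun 14 02:11:07 web1 sshd[2107]: Failed password for root from 203.0.113.7 port 51052 ssh2
Jun 14 02:11:09 web1 sshd[2109]: Failed password for root from 203.0.113.7 port 51060 ssh2
Jun 14 02:11:12 web1 sshd[2111]: Accepted password for root from 203.0.113.7 port 51071 ssh2
Jun 14 02:30:00 web1 sshd[2200]: Accepted publickey for deploy from 198.51.100.5 port 40000 ssh2
"""

# Matches the standard "Failed/Accepted <method> for [invalid user] <user> from <ip>" form.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse(log, year=2019):
    """Return (timestamp, ip, user, result) tuples; syslog lines carry no year, so one is assumed."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"], m["result"]))
    return events

def find_bruteforce(events, threshold=5, window_s=60):
    """Return {ip: (total_failures, user_accepted_after_burst_or_None)} for every
    source with at least `threshold` failures inside `window_s` seconds."""
    fails, accepts = defaultdict(list), defaultdict(list)
    for ts, ip, user, result in sorted(events):
        (fails if result == "Failed" else accepts)[ip].append((ts, user))
    alerts = {}
    for ip, attempts in fails.items():
        times = [t for t, _ in attempts]
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                burst_end = times[i + threshold - 1]
                # An Accepted from the same source after the burst is the case worth
                # paging on: password guessing that most likely succeeded.
                success = next((u for t, u in accepts[ip] if t >= burst_end), None)
                alerts[ip] = (len(times), success)
                break
    return alerts

if __name__ == "__main__":
    for ip, (n, user) in find_bruteforce(parse(SAMPLE_LOG)).items():
        print(f"{ip}: {n} failed logins" + (f", then accepted as {user}" if user else ""))
```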