Outlaw Group Uses SSH Brute-Force to Deploy Cryptojacking Malware on Linux Servers

April 02, 2025 | Ravie Lakshmanan | Cryptojacking / Malware

Cybersecurity researchers have discovered an "auto-propagating" cryptocurrency mining malware known as Outlaw (also known as Dota) that targets SSH servers with weak credentials.

"Outlaw is a Linux malware that relies on SSH brute-force attacks, cryptocurrency mining, and worm-like propagation to infect and maintain control over systems," according to Elastic Security Labs' latest analysis.

The threat actors behind the malware are also tracked as "Outlaw" and are believed to be of Latvian origin. Other hacking groups currently active in the malware landscape include 8220, Keksec (also known as Kek Security), Kinsing, and TeamTNT.

The hacking crew has been active since at least late 2018 and is known to add its own SSH keys to the "authorized_keys" file on compromised hosts to establish a foothold, conduct reconnaissance, and maintain persistence.

They are also known to use a dropper shell script ("tddwrt7s.sh") to implement a multi-stage infection process: it downloads an archive file ("dota3.tar.gz") that is then unpacked and used to launch the miner, while also removing any traces of previous compromises and killing both rival miners and their own earlier miners.

Part of the malware is an initial access component (also known as BLITZ) that enables self-propagation in a botnet-like manner by scanning for vulnerable systems running an SSH service. The brute-force module retrieves a target list from an SSH command-and-control (C2) server to perpetuate the cycle.
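The brute-force behaviour described above leaves a recognisable trail in sshd's authentication log. As an added illustration (not code from the article or from Elastic's report), the following Python script applies a sliding-window detector to constructed auth-log lines: it flags any source that produces a burst of failed logins and raises a separate alert when a flagged source then logs in successfully, which is the moment a weak credential has actually been guessed. The hostnames, users and IP addresses in the sample are made up; the threshold and window are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of sshd messages in the syslog format found in
# /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL). Hostnames,
# users and IPs are made up for this example.
SAMPLE_AUTH_LOG = """\
Apr  2 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 40101 ssh2
Apr  2 10:00:03 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 40102 ssh2
Apr  2 10:00:04 host sshd[1205]: Failed password for root from 203.0.113.7 port 40103 ssh2
Apr  2 10:00:06 host sshd[1207]: Failed password for invalid user test from 203.0.113.7 port 40104 ssh2
Apr  2 10:00:08 host sshd[1209]: Failed password for root from 203.0.113.7 port 40105 ssh2
Apr  2 10:00:09 host sshd[1211]: Accepted password for root from 203.0.113.7 port 40106 ssh2
Apr  2 10:05:00 host sshd[1300]: Failed password for alice from 198.51.100.2 port 50000 ssh2
Apr  2 10:05:30 host sshd[1302]: Accepted publickey for alice from 198.51.100.2 port 50001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_line(line, year=2025):
    """Parse one sshd auth line into a dict, or return None for other lines.
    Syslog timestamps carry no year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    # strptime treats whitespace in the format as "one or more", so the
    # day-padding double space in "Apr  2" is accepted.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Sliding-window detector.

    Returns (flagged, compromised):
      flagged     -> {ip: time of first alert} for sources that produced at
                     least `threshold` failed logins within `window_seconds`;
      compromised -> {ip: user} for a successful login from a source that
                     had already been flagged, i.e. the brute-force succeeded.
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged, compromised = {}, {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["result"] == "Failed":
            q = recent[ip]
            q.append(ev["ts"])
            # Drop failures that fell out of the window.
            while (ev["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = ev["ts"]
        elif ip in flagged:
            compromised[ip] = ev["user"]
    return flagged, compromised


if __name__ == "__main__":
    flagged, compromised = detect_bruteforce(SAMPLE_AUTH_LOG)
    for ip, when in flagged.items():
        print(f"brute-force from {ip} (threshold reached at {when:%H:%M:%S})")
    for ip, user in compromised.items():
        print(f"ALERT: successful login as '{user}' from flagged source {ip}")
```

In the sample, 203.0.113.7 reaches the threshold on its fifth failure and then logs in as root, so it lands in both result sets; alice's single typo followed by a key-based login does not. The "success after a flagged burst" signal is the one worth paging on, since a plain failure count also fires on misconfigured automation.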

Some versions of the attacks have also sought to exploit Linux- and Unix-based operating systems exposed to and (also known as ), as well as compromise systems with weak Telnet credentials. Once initial access is obtained, the malware deploys SHELLBOT for remote control over an IRC channel to a C2 server.

SHELLBOT, for its part, allows the execution of arbitrary shell commands, downloads and runs additional payloads, launches DDoS attacks, steals credentials, and exfiltrates sensitive information.

As part of its mining operation, it enables hugepages for all CPU cores to improve memory access performance, and it identifies the CPU of the infected system. The malware also uses a binary known as kswap01 to ensure persistent communication with the threat actor's infrastructure.

"Outlaw continues to operate despite employing basic techniques like SSH brute-forcing, SSH key manipulation, and cron-based persistence," Elastic noted. "The malware uses IRC for C2 and publicly available scripts for persistence and defense evasion."
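Two of the persistence techniques named above, planting a key in "authorized_keys" and installing cron jobs, are cheap to audit on a host. As an added example (not code from the article or from Elastic's report), this Python script computes OpenSSH-style SHA256 fingerprints for each authorized_keys entry and reports any key absent from an approved inventory, and separately lists crontab lines whose command runs from a scratch directory, fetches content from the network, or pipes it into a shell. The key lines and crontab are constructed for the example; the fingerprint encoding is the standard OpenSSH one, while the suspicious-cron pattern is an assumption to adapt to local practice.

```python
import base64
import hashlib
import re


def key_fingerprint(entry):
    """Return the SHA256 fingerprint of one authorized_keys entry in OpenSSH's
    'SHA256:<base64, no padding>' notation, or None if no key is found.
    Entries may start with options such as from="..." or command="...",
    so the key-type token is located rather than assumed to be first."""
    parts = entry.split()
    for i, tok in enumerate(parts[:-1]):
        if tok.startswith(("ssh-", "ecdsa-sha2-", "sk-")):
            digest = hashlib.sha256(base64.b64decode(parts[i + 1])).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return None


def audit_authorized_keys(text, approved_fingerprints):
    """Return (fingerprint, entry) pairs for keys not in the approved set."""
    unknown = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fp = key_fingerprint(line)
        if fp not in approved_fingerprints:
            unknown.append((fp, line))
    return unknown


# Cron commands that run from world-writable scratch directories, fetch
# content from the network at run time, or pipe it straight into a shell.
SUSPICIOUS_CRON = re.compile(
    r"/tmp/|/var/tmp/|/dev/shm/|\bcurl\s|\bwget\s|\|\s*(?:ba)?sh\b|base64\s+-d"
)


def audit_crontab(text):
    """Return crontab lines whose command matches SUSPICIOUS_CRON."""
    return [l for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")
            and SUSPICIOUS_CRON.search(l)]


# --- Constructed sample data (not from the article or Elastic's report) ---

def _fake_ed25519_entry(seed, comment):
    """Build a syntactically valid ssh-ed25519 line from a constructed value.
    The blob follows the OpenSSH wire format: string(type) || string(key)."""
    def ssh_string(b):
        return len(b).to_bytes(4, "big") + b
    blob = ssh_string(b"ssh-ed25519") + ssh_string(hashlib.sha256(seed).digest())
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


KNOWN_KEY_LINE = _fake_ed25519_entry(b"alice-laptop", "alice@laptop")
ROGUE_KEY_LINE = _fake_ed25519_entry(b"not-ours", "root@unknown-host")
SAMPLE_AUTHORIZED_KEYS = (
    "# managed by config management\n" + KNOWN_KEY_LINE + "\n" + ROGUE_KEY_LINE + "\n"
)

SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/10 * * * * /tmp/.x/run >/dev/null 2>&1
@reboot /usr/bin/update-motd
"""

if __name__ == "__main__":
    approved = {key_fingerprint(KNOWN_KEY_LINE)}   # normally loaded from inventory
    for fp, entry in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, approved):
        print(f"unapproved key {fp}: {entry.split()[-1]}")
    for line in audit_crontab(SAMPLE_CRONTAB):
        print(f"suspicious cron entry: {line}")
```

Comparing fingerprints rather than raw lines means a renamed comment field or added options cannot hide a known-bad key, and the same fingerprints can be matched against `ssh-keygen -lf` output or a central inventory. Run the audit over every user's authorized_keys file and every crontab (system and per-user), not just root's.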
