Unmasking Outlaw: A Persistent Linux Malware Campaign

The Outlaw threat group has been actively targeting Linux-based systems using a sophisticated malware campaign designed for cryptojacking and Distributed Denial-of-Service (DDoS) attacks. This campaign exploits vulnerabilities in misconfigured systems and unsecured SSH services, allowing the attackers to infiltrate networks and establish persistent access. The malware exhibits advanced evasion techniques, enabling it to remain undetected while mining cryptocurrency or launching attacks.

Severity Level: High

THREAT DETAILS

Threat Actor

The Outlaw hacking group, an advanced cybercriminal organization with a history of Linux-based botnet attacks. Previously associated with cryptojacking and DDoS operations.

Infection Mechanism

Initial Access:

1. Exploits vulnerable SSH configurations and outdated software to gain entry.
2. Attack begins with the tddwrt7s.sh script, which downloads dota3.tar.gz from a Command & Control (C2) server. Extracted scripts execute and trigger the infection chain.
3. Persistence: Uses scheduled tasks and obfuscated scripts to maintain access even after system reboots.
4. Lateral Movement: Spreads across networks by brute-forcing SSH credentials and leveraging existing vulnerabilities.
5. Execution & Evasion: The malware employs various techniques to evade detection, including process obfuscation and disabling security services.

Malware Capabilities

1. Cryptojacking: Deploys Monero cryptocurrency miners and XMRig miners to exploit infected system resources.
2. DDoS Attacks: Utilizes infected machines as part of a botnet to conduct large scale DDoS attacks.
3. System Manipulation: Modifies system files and configurations to prevent easy removal.
4. Data Exfiltration: May collect sensitive system information and send it to attacker-controlled servers.

Industries & Targets

1. Sectors impacted: Likely to include cloud service providers, hosting companies, and organizations with publicly exposed Linux servers.

Recommendations:

1. Regularly update Linux systems and SSH configurations to mitigate vulnerabilities.
2. Employ rate-limiting and anti-DDoS solutions to prevent botnet attacks.
3. Secure SSH Access:
   • Disable password-based authentication and enforce key-based authentication.
   • Restrict SSH access using firewall rules (e.g., allow only specific IPs).
   • Change the default SSH port (though not foolproof, it reduces exposure to automated attacks).
   • Enable two-factor authentication (2FA) for SSH logins.
4. Implement Least Privilege:
   • Ensure users and services only have the minimum privileges required.
   • Remove unused accounts and regularly review privileged users.
   • Use role-based access control (RBAC) to limit administrative rights.
5. Disable Unused Services:
   • Disable Telnet, FTP, and other insecure services that may aid attackers.
   • Uninstall unnecessary software that could be exploited.
6. Monitor CPU usage spikes which may indicate unauthorized cryptomining.
7. Check for suspicious processes running under high privilege (e.g., kswapd0, rsync, blitz).
8. Investigate if unauthorized modifications to /sys/module/msr/parameters/allow_writes exist (cryptominer optimization).
9. Block the IOCs at their respective controls

SOURCES:

• https://www.virustotal.com/gui/collection/88b77188a5da8a1de66b3fc48c39b70b36791aaef8191064cb8bdbb6f51608ad/iocs
• https://www.elastic.co/security-labs/outlaw-linux-malware

Enjoyed reading this Threat Intelligence Advisory? Stay updated with our latest exclusive content by following us on Twitter and LinkedIn.