The Outlaw group is reportedly using a sophisticated version of Shellbot to carry out attacks against Linux systems and mine Monero (XMR), a privacy-focused coin. Shellbot is a Trojan horse that allows hackers to take control of infected systems using a command and control server (C2).
Jask Special Ops researchers are investigating attacks that take control of infrastructure so hackers can engage in illegal XMR mining. Shellbot can steal personal and system data, take control of tasks and processes, and remotely open command line shells. Trend Micro says the first of these IRC bots appeared in November 2018 and is the work of the Outlaw group.
The researchers noted that Shellbot is also capable of infecting Windows systems and Android devices, but such cases are extremely rare. The first attack, in November, compromised the FTP servers of a Japanese arts organization and the Bangladesh government's websites. Jask concluded that the third attack compromised multiple Linux servers belonging to a single entity. In both cases, the systems were infected with IRC C2 botware together with the haiduc SSH scanning and network propagation kit. The systems also received a cryptomining malware script that uses the illegally obtained server resources to mine XMR.
Organizations are targeted through denial of service (DoS) and brute force techniques. Once the servers are compromised, the Outlaw group's botnet is strengthened and able to continue its attacks. Jask Special Ops claims that current botnets use distributed denial of service (DDoS) and illegal cryptomining to monetize compromised systems. The Outlaw Group's network propagation toolkit reportedly uses a Perl-based IRC bot for obfuscation purposes.
After examining the payloads received, Jask Special Ops believes that the mining pool configuration used in the latest attack points to a Dutch VPS provider. That provider hosts multiple game servers, which Jask believes allowed the perpetrators to build and run their own cryptomining infrastructure on top of the VPS provider rather than relying on a publicly available mining pool.
Jask suggests the Outlaw group's attack motive is likely the same as that of other groups targeting exposed Linux servers: "widespread propagation and revenue generation through illegal cryptomining on exploited infrastructure." One reason Monero mining is so attractive to hackers is the large number of compromised computers they have at their disposal. XMR can then be used to purchase goods and services available on the cryptocurrency market.
Jask's mission is to reduce risk and improve human efficiency for organizations through technology integration, enhanced artificial intelligence, and machine learning. The company's Autonomous Security Operations Center (ASOC) helps SOC analysts focus on threats, streamline investigations, and improve response times. Jask ASOC has identified signs of post-infection behavior from infected Linux devices. Jask believes the credentials were compromised through brute force or credential stuffing, allowing the hackers to gain access to the victims' infrastructure.