Outlaw on Tour Again: How a Linux botnet hijacks servers for cryptojacking
- Javier Conejo del Cerro
- 2 May
- 3 min read

After months of silence, the Outlaw gang is back in action. Traced to Romanian origins and tracked since at least 2018, this threat group has resurfaced with a wave of attacks targeting poorly secured Linux systems, adding them to a growing cryptojacking botnet. Their objective: hijack computing power for illicit Monero mining, while establishing backdoor access for broader malicious operations.
The tools may be crude—SSH brute-force, old exploits, and public scripts—but the campaign is sophisticated in scale. Their methods reflect a dangerous truth: it only takes a small crack in the configuration for an actor like Outlaw to take full control of a machine.
Linux machines as targets: A global botnet recruitment tour
Recent telemetry confirms that Outlaw is actively targeting Linux servers across the Americas, Europe, and Asia. Countries with observed infections include Brazil, the United States, Germany, Italy, Thailand, Singapore, Taiwan, and Canada. In each case, the common denominator is the same: internet-facing Linux machines with weak credentials or outdated patches.
Victims are not limited to enterprise infrastructure. The group also targets embedded systems and lightweight Linux distributions—such as routers, NAS devices, and IoT equipment—when exposed services like Telnet or SSH are left unsecured.
This wide targeting strategy enables Outlaw to grow its botnet rapidly, recruiting any machine with enough CPU power and poor enough defenses to become useful in cryptomining operations.
Stage Breakdown: Infection flow and tools in the setlist
Outlaw’s infection routine begins with large-scale scanning to identify SSH services exposed to the public internet. Once located, the attackers attempt to brute-force credentials. If successful, they deploy a shell script designed to do three things: clear competition, implant persistence, and activate mining.
The infection chain looks like this:
- A dropper script (often named tddwrt7s.sh) downloads a compressed archive (dota3.tar.gz) from the attacker’s server.
- This archive includes:
  - A modified version of XMRig, optimized to maximize CPU usage via hugepages.
  - A binary named kswap01, which acts as a stealthy communication agent with the C2 infrastructure.
  - A Perl backdoor disguised as rsync, designed to run in the background while ignoring termination signals.
  - SHELLBOT, the core of Outlaw’s remote access. It connects to IRC-based C2 servers and allows attackers to:
    - Execute arbitrary commands.
    - Launch DDoS attacks.
    - Scan for open ports.
    - Upload or download files.
    - Exfiltrate credentials and sensitive system data.
Once active, the script kills off any existing mining processes—both from prior infections and from legitimate users—and automatically terminates any system process consuming more than 40% of the CPU. This guarantees exclusive resource access for the attacker's payload.
The botnet’s self-propagation module, known as BLITZ, continuously scans for more SSH targets, using lists received from a dedicated C2 to expand the network.
Persistence, stealth, and adaptability: Staying hidden in plain sight
Despite using known techniques, Outlaw’s persistence mechanisms are effective. By adding their own SSH keys to the authorized_keys file, they ensure ongoing access even after password resets. The use of cron jobs, renamed processes, and mimicry of legitimate system binaries like rsync and kswap01 helps them blend into typical system activity.
Even more concerning is the group’s ability to update their toolset over time. Earlier versions of the malware relied heavily on crude shell scripts. More recent variants incorporate Perl, IRC-based C2, and conditional logic to clean traces of previous infections before deploying their own.
This ability to “wipe and replace” ensures that once a machine joins the Outlaw botnet, it serves only one master.
Loot and damage: What’s at stake
Outlaw’s primary goal is resource theft—using the victim’s hardware to mine Monero. But the damage goes beyond CPU cycles:
- System slowdown and service degradation, which can render servers unstable or unavailable.
- Data theft, including credentials, SSH keys, and files accessed through SHELLBOT.
- Potential lateral movement, especially in networks where Linux systems coexist with poorly segmented infrastructure.
- Use in further attacks, such as DDoS or port scanning, making victims unwilling participants in broader criminal activity.
In essence, infected systems become digital mercenaries, unknowingly serving criminal operations while risking regulatory and reputational fallout.
Defense: Hardening SSH, limiting exposure, and watching for smoke
Despite the clear threat, defending against Outlaw is relatively straightforward—provided organizations follow foundational security practices. To mitigate risk:
- Disable SSH password authentication; require key-based login only.
- Patch known vulnerabilities, including CVE-2016-8655 and CVE-2016-5195 (Dirty COW).
- Monitor system processes for binaries masquerading as legitimate (rsync, kswap01, etc.).
- Block outbound IRC traffic, unless explicitly needed.
- Audit and control scheduled tasks, especially cron jobs created without authorization.
- Deploy brute-force detection tools and rate-limiting on exposed services.
- Segment critical infrastructure, to contain lateral movement from infected Linux nodes.
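Three of the checks above (brute-force detection on SSH, spotting processes that borrow the rsync or kswap01 name while running from a temp directory, and auditing authorized_keys against an allow-list) can be scripted in a few lines. The following is an added example, not code from the original post; the log lines, process table, key material and allow-list are constructed samples, and a real deployment would read /var/log/auth.log, /proc/<pid>/exe and the users' authorized_keys files instead.

```python
import re
from collections import defaultdict

# Constructed sample input (not from the post): sshd lines in the format
# written to /var/log/auth.log on a Debian-style host.
SAMPLE_AUTH_LOG = """\
May  2 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 4022 ssh2
May  2 10:00:02 host sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 4023 ssh2
May  2 10:00:03 host sshd[1203]: Failed password for root from 203.0.113.5 port 4024 ssh2
May  2 10:00:04 host sshd[1204]: Failed password for root from 203.0.113.5 port 4025 ssh2
May  2 10:00:05 host sshd[1205]: Failed password for root from 203.0.113.5 port 4026 ssh2
May  2 10:00:06 host sshd[1206]: Failed password for alice from 198.51.100.9 port 5100 ssh2
May  2 10:00:07 host sshd[1207]: Accepted publickey for alice from 198.51.100.9 port 5101 ssh2
"""
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")

def brute_force_sources(log_text, threshold=5):
    """Return {source_ip: failure_count} for sources at or above the threshold."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed process table: (name as shown by ps, resolved /proc/<pid>/exe path).
SAMPLE_PROCS = [("rsync", "/usr/bin/rsync"), ("rsync", "/tmp/.x/rsync"),
                ("kswap01", "/dev/shm/.k/kswap01"), ("sshd", "/usr/sbin/sshd")]
TRUSTED_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/lib/")

def masquerading_processes(procs, names=("rsync", "kswap01")):
    """Flag processes using a watched name but executing from outside system dirs."""
    return [(n, p) for n, p in procs if n in names and not p.startswith(TRUSTED_DIRS)]

# Constructed authorized_keys content; the key bodies are placeholders, and only
# the first one appears in the allow-list.
SAMPLE_AUTH_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleAllowListedKey0000000000000000000 alice@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleUnknownKey000000000000000000000000 root@unknown
"""
ALLOWED_KEYS = {"AAAAC3NzaC1lZDI1NTE5AAAAIExampleAllowListedKey0000000000000000000"}

def unauthorized_keys(auth_keys_text, allowed=ALLOWED_KEYS):
    """Return the comment (or key type) of every entry whose key body is not allow-listed."""
    found = []
    for line in auth_keys_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1] not in allowed:
            found.append(parts[2] if len(parts) > 2 else parts[0])
    return found
```

Run the three functions from cron or a monitoring agent and alert on any non-empty result; an unexpected key in authorized_keys is the persistence mechanism the post describes and warrants a full host review, not just key removal.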
Even one misconfigured Linux server can become a door to broader compromise. Outlaw’s campaign is a reminder that no target is too small, and no method too outdated, when basic security hygiene is ignored.