A New Cryptocurrency Mining Botnet Launched by Outlaw Hacking Group

The Outlaw hacking group is reemerged in the cryptocurrency scene yet again and is reportedly targeted, Chinese victims. The group has launched yet another crypto mining botnet that attacks users’ systems to mine for digital currencies.

Monero miner detected

A new Monero (XMR) botnet was reported by Trend Micro this Thursday. The cybersecurity firm first detected a URL spreading a crypto mining botnet. After some investigation, the team found that the miner was bundled with a Perl-backed backdoor component. It also carried an SSH backdoor, both typical features of attacks led by the Outlaw group.

A New Cryptocurrency Mining Botnet Launched by Outlaw Hacking Group

The hackers try to attempt a brute-force user system using SSH and then deploy a shell script on the computer. This script then downloads and executes Monero miner payload.

The threat could be larger than expected

The campaign is focused on China, and the researchers believe that hackers are testing their new project on unsuspecting users. They found clues in the shell script components alongside dormant, unexecuted malicious files suggesting that the hackers could develop the malware further.

The shell script contains a TAR file which comes with backdoor and malicious scripts. It also contains binaries relating to the cryptocurrency miner which was delivered by the original payload. Other components include shell scripts for payload execution and other scripts to control the backdoor. There are additional scripts that could detect rival miners already installed on the system. If necessary, the script could delete these miners and remove competitors who want to use the system’s computing power.

One file in the package is rsync, a Shellbot based on Perl which cannot only download and execute shell commands and files but also launch a distributed denial-of-service (DDoS) attack. The researchers discovered two files, tsm32 and tsm64, that can work like scanners and spread the miner. These two files are also capable of sending remote commands that could execute the malware. The botnet could now be looking for more targets to infect and scale its presence.

According to Trend Micro, using Perl programming language ensures that the malware could be executed on both Windows and Linux-based operating systems. If the group decides to sell this code, the maintenance of the malware could be much easier because of Perl and allow flexibility of adjustments and executions to the buyers.

The researchers have also warned that there is an unused APK in the package which could make Android-based phones the next targets for Outlaw hackers. The last wave of their activity was recorded in November 2018 that used a Haiduc-based dropper and a miner. A variant of this malicious program was designed to brute-force attacks on Microsoft Remote Desktop Protocol.

Top brokers for buying and trading cryptocurrencies

  • Platform
  • Features
  • Rating
  • Visit Site
  • US-Friendly
  • Paypal accepted
  • 12+ cryptocurrencies

Visit Site
75% of retail investors lose money.
eToro Reviews

    eToro Reviews your account
    Hide eToro Reviews
    • Best broker for non-US countries
    • Trade crypto CFDs, forex and stocks
    • No withdrawal or deposit fees

    Visit Site
    80.5% of retail investors lose money.
    Plus500 Reviews

      Plus500 Reviews your account
      Hide Plus500 Reviews
      Remember, all trading carries risk. Past performance is no guarantee of future results.

      Sherlock Gomes loves to write and express his views on anything related to Crypto. He has been covering Crypto for more than two years now. He likes Bitcoin and Cardano. He also writes on Finance, Healthcare, and Technology among other stuff. He can be reached by e-mail on