The Outlaw hacking group has re-emerged in the cryptocurrency scene yet again and is reportedly targeting Chinese victims. The group has launched yet another crypto mining botnet that attacks users’ systems to mine digital currencies.
Monero miner detected
A new Monero (XMR) botnet was reported by Trend Micro this Thursday. The cybersecurity firm first detected a URL spreading a crypto mining botnet. After some investigation, the team found that the miner was bundled with a Perl-backed backdoor component. It also carried an SSH backdoor, both typical features of attacks led by the Outlaw group.
The attackers attempt to brute-force their way into user systems over SSH and then deploy a shell script on the compromised computer. This script then downloads and executes the Monero miner payload.
The threat could be larger than expected
The campaign is focused on China, and the researchers believe that hackers are testing their new project on unsuspecting users. They found clues in the shell script components alongside dormant, unexecuted malicious files suggesting that the hackers could develop the malware further.
The shell script contains a TAR file which comes with a backdoor and malicious scripts. It also contains binaries relating to the cryptocurrency miner delivered by the original payload. Other components include shell scripts for payload execution and other scripts to control the backdoor. There are additional scripts that can detect rival miners already installed on the system. If necessary, the script can delete these miners, removing competitors who want to use the system’s computing power.
One file in the package is rsync, a Perl-based Shellbot which can not only download and execute shell commands and files but also launch a distributed denial-of-service (DDoS) attack. The researchers discovered two files, tsm32 and tsm64, that can work like scanners and spread the miner. These two files are also capable of sending remote commands that could execute the malware. The botnet could now be looking for more targets to infect and scale its presence.
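As an added illustration from the defender's side (not code from the Trend Micro report or from the malware itself), the Python check below flags the two signals described above: an SSH password login accepted after repeated failures from the same source, and a file named rsync that is a Perl script rather than the native rsync binary. The log lines, IP addresses and failure threshold are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines: a password-guessing burst from one source
# that ends in an accepted password login, followed by an unrelated key login.
SAMPLE_AUTH_LOG = """\
Jan 10 03:12:01 host sshd[4101]: Failed password for root from 203.0.113.7 port 50122 ssh2
Jan 10 03:12:03 host sshd[4103]: Failed password for root from 203.0.113.7 port 50130 ssh2
Jan 10 03:12:05 host sshd[4105]: Failed password for invalid user admin from 203.0.113.7 port 50141 ssh2
Jan 10 03:12:07 host sshd[4107]: Failed password for root from 203.0.113.7 port 50150 ssh2
Jan 10 03:12:09 host sshd[4109]: Accepted password for root from 203.0.113.7 port 50162 ssh2
Jan 10 03:15:00 host sshd[4200]: Accepted publickey for alice from 198.51.100.4 port 40010 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted password for (\S+) from (\S+) port")


def brute_force_successes(log_text, threshold=3):
    """Return [(ip, user, failures)] for every source IP that logged at least
    `threshold` failed password attempts before a password login was accepted.
    Key-based logins are ignored: the campaign relies on password guessing."""
    failures = defaultdict(int)
    hits = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m.group(1)] += 1
            continue
        m = ACCEPTED.search(line)
        if m and failures[m.group(2)] >= threshold:
            hits.append((m.group(2), m.group(1), failures[m.group(2)]))
    return hits


def is_perl_masquerade(name, head):
    """True when a file carrying the name of a native tool (here rsync, the
    name the report gives the Perl shellbot) starts with a Perl shebang
    instead of an ELF header. `head` is the first few bytes of the file."""
    if name != "rsync":
        return False
    first_line = head.split(b"\n", 1)[0]
    return first_line.startswith(b"#!") and b"perl" in first_line.lower()
```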
According to Trend Micro, using the Perl programming language ensures that the malware can be executed on both Windows and Linux-based operating systems. If the group decides to sell this code, Perl could make maintaining the malware much easier and give buyers flexibility in adjusting and running it.
The researchers have also warned that there is an unused APK in the package which could make Android-based phones the next targets for Outlaw hackers. The last wave of their activity was recorded in November 2018 and used a Haiduc-based dropper and a miner. A variant of this malicious program was designed to carry out brute-force attacks against Microsoft Remote Desktop Protocol.