Outlaw Shellbot Infects Linux Servers To Mine For Monero

The Outlaw group is conducting an active campaign which is targeting Linux systems in cryptocurrency mining attacks.

On Tuesday, the JASK Special Ops research team disclosed additional details (.PDF) of the attack wave which appears to focus on seizing infrastructure resources to support illicit Monero mining activities.

The campaign uses a refined version of Shellbot, a Trojan which carves a tunnel between an infected system and a command-and-control (C2) server operated by threat actors. 

The backdoor is able to collect system and personal data, terminate or run tasks and processes, download additional payloads, open remote command line shells, send stolen information to a C2, and also receive additional malware payloads from controllers.

The bot first emerged in November 2018. According to Trend Micro, the malware is the work of the Outlaw group, a rough translation derived from "haiduc," a Romanian phrase which has been bequeathed to the main hacking tool the group uses.

Shellbot is an IRC bot which is distributed through common command injection vulnerabilities which target not only vulnerable Linux servers, but also a variety of Internet of Things (IoT) devices.

The cybersecurity researchers note that Shellbot has the capacity to affect Windows environments and Android devices, too, but such infections are uncommon.

See also: Facebook's worst privacy scandals and data disasters

In attacks recorded in November by Trend Micro, Outlaw was able to compromise a File Transfer Protocol (FTP) server of a Japanese art organization, alongside a Bangladeshi government website. Another attack recorded by JASK, which is most likely from the same threat group, managed to break into multiple Linux servers belonging to a single, unnamed company.

Each of these systems received payloads post-infection including IRC C2 botware, cryptomining malware, and the haiduc SSH scan and network propagation toolkit. The cryptocurrency malware in question was a mining script, XMR-Stak, designed to utilize stolen server resources to mine for Monero (XMR).

The pool used to generate cryptocurrency, however, is currently down and the only clues available shows that the pool was hosted on a game server.

"This indicates that these campaign actors may have built their own mining pool infrastructure on this provider instead of using publicly available ones," the researchers say.

TechRepublic: How to secure NGINX with Let's Encrypt

The threat actors target organizations through denial-of-service (DoS) and SSH brute-force techniques. If servers are compromised, their strength is added to the Outlaw botnet to carry on the campaign.

According to JASK, the botnet is now being used to monetize compromised computing systems through distributed denial-of-service (DDoS) for hire services alongside illicit cryptomining.

The toolkit belonging to Outlaw is now also making use of a Perl-based IRC bot which has been identified as a new version of Shellbot bolstered by Perl's pack routine for the purposes of obfuscation.

CNET: The Huawei controversy: Everything you need to know

'The C2 is still active and the botnet is growing," the security researchers say. "The multistage payloads suggest reuse and repurpose of shellbot code used by operators in different regions of the world, including Brazil and Romania. JASK also has observed newly adapted payloads that craft specific mining tasks for different architectures and post exploitation worm-like behavior."

Previous and related coverage