CyberSecurity news


Source: The Hacker News (info@thehackernews.com)
The OUTLAW Linux botnet is rapidly expanding by targeting vulnerable SSH servers through brute-force attacks. Cybersecurity researchers have identified the botnet, also known as Dota, as an "auto-propagating" cryptocurrency mining operation that uses simple yet effective techniques to maintain persistence on compromised systems. This includes exploiting weak credentials, manipulating SSH keys, and leveraging cron jobs to ensure the malware restarts after reboots or termination attempts.

The botnet uses a multi-stage infection process, beginning with a dropper shell script that downloads and unpacks a malicious archive file. This file launches a modified XMRig miner for cryptojacking and installs components in hidden directories to avoid detection. The botnet also uses a custom SSH brute-forcer called BLITZ to scan for and infect other vulnerable systems on the network, perpetuating its spread in a worm-like fashion. Despite its basic techniques, OUTLAW has proven to be a persistent and effective threat.



References:
  • securityonline.info: Outlaw Linux Malware: Persistent Threat Leveraging Simplicity
  • www.scworld.com: Additional details on Outlaw Linux cryptomining botnet emerge
  • Cyber Security News: Attackers aim to find zero-days in the PAN-OS gateways they can exploit.
  • The Hacker News: Cybersecurity researchers have shed light on an "auto-propagating" cryptocurrency mining botnet called Outlaw (aka Dota) that's known for targeting SSH servers with weak credentials.