A previously documented threat actor known as Outlaw (or “Dota”) has resurfaced with an enhanced malware toolkit targeting Linux servers globally, according to a recent incident response investigation by Securelist analysts.
The group, active since at least 2018, has shifted its focus to cryptocurrency mining and botnet propagation, exploiting weak SSH credentials to infiltrate systems in Brazil, the U.S., Germany, Italy, and Southeast Asia.
This latest campaign leverages Perl-based backdoors, modified XMRig miners, and IRC botnet clients to maintain persistence and evade detection while monopolizing victim resources.
The malware’s initial access vector remains consistent with historical Outlaw activity: brute-force attacks against SSH services using default or easily guessable credentials.
Once inside, attackers deploy a multi-stage payload beginning with a shell script (tddwrt7s.sh) that fetches and decompresses a malicious archive (dota.tar.gz).
This artifact creates a hidden directory (.configrc5) housing components for process manipulation, cryptocurrency mining, and command-and-control (C2) communication.
Securelist researchers noted the malware’s sophistication lies in its layered obfuscation, resource hijacking, and anti-forensic measures, including the systematic elimination of competing cryptominers on infected hosts.
Infection Mechanism: SSH Compromise and Payload Execution
The breach begins with attackers establishing SSH access using compromised credentials, often targeting accounts like suporte (Portuguese for “support”) with weak passwords.
Upon successful login, the threat actor executes a sequence of commands to download and unpack the primary payload.
This script retrieves a UPX-packed XMRig miner (kswapd0) and an obfuscated Perl IRC botnet client.
The .configrc5 directory structure includes subdirectories for payload execution (a/), persistence scripts (b/), and Tor proxies to mask mining pool communications.
Of particular note is the a/init0 script, which performs reconnaissance to identify and kill rival miners like tsm, rsync, and blitz using grep and kill -9 commands.
Persistence is achieved through SSH key manipulation and cron job injection. Attackers replace the victim’s .ssh/authorized_keys file with their own public key, ensuring repeated access even if credentials change.
The b/run script embeds a Base64-encoded Perl backdoor that deobfuscates to an IRC client masquerading as rsync. This client connects to C2 servers over port 443, enabling remote command execution, DDoS attacks, and lateral movement via SSH.
Securelist’s analysis revealed the malware’s adaptability, with recent samples incorporating Tor-based mining pools and process whitelisting to avoid disrupting its own operations.
While XMRig configurations default to CPU mining, the modular nature of the toolkit suggests potential expansion to GPU-based attacks.
The combination of credential brute-forcing, multi-layered payloads, and anti-detection routines positions Outlaw as a persistent threat to inadequately secured Linux environments.
Mitigation strategies emphasize SSH hardening, including disabling password authentication, enforcing firewall rate limits, and monitoring for unauthorized .ssh directory modifications.
Securelist advocates for tools like Fail2Ban paired with stringent sshd_config policies to disrupt Outlaw’s primary infiltration vector.
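Turning the indicators described above into a host triage check, as an added example (not code from Securelist or the article): the snapshot layout, field names and sample entries are constructed assumptions, and the check flags a kswapd0 that is not the kernel thread, a process named rsync whose executable is perl, and any .configrc5 path appearing in process, home-directory or cron data.

```python
"""Triage helper for the Outlaw indicators above (added example, not the
article's or Securelist's code). The Snapshot layout is an assumption: it
mimics what an analyst would collect from /proc, find and crontab -l."""
from dataclasses import dataclass

@dataclass
class Snapshot:
    procs: list   # (pid, ppid, comm, exe); exe is the /proc/<pid>/exe target, "" for kernel threads
    paths: list   # files and directories found under /home and /root
    cron: list    # lines from user crontabs

PAYLOAD_DIR = ".configrc5"   # hidden directory created by dota.tar.gz

def triage(snap):
    """Return human-readable findings; an empty list means no indicator matched."""
    findings = []
    for pid, ppid, comm, exe in snap.procs:
        # The genuine kswapd0 is a kernel thread: parent kthreadd (pid 2) and no exe.
        if comm == "kswapd0" and (ppid != 2 or exe):
            findings.append(f"pid {pid}: kswapd0 impostor running from {exe or '?'}")
        # A Perl script can rename itself 'rsync'; the real rsync is not a perl binary.
        if comm == "rsync" and "perl" in exe:
            findings.append(f"pid {pid}: process named rsync but exe is {exe}")
        if PAYLOAD_DIR in exe:
            findings.append(f"pid {pid}: {comm} executes from {PAYLOAD_DIR}")
    for p in snap.paths:
        if f"/{PAYLOAD_DIR}/" in p + "/":
            findings.append(f"hidden payload directory present: {p}")
            break   # one finding per host is enough for triage
    for line in snap.cron:
        if PAYLOAD_DIR in line:
            findings.append(f"cron entry references payload dir: {line.strip()}")
    return findings

# Constructed sample snapshot of an infected host (values are illustrative).
SAMPLE = Snapshot(
    procs=[(97, 2, "kswapd0", ""),                                       # legitimate kernel thread
           (4211, 1, "kswapd0", "/home/suporte/.configrc5/a/kswapd0"),   # UPX-packed XMRig
           (4215, 1, "rsync", "/usr/bin/perl"),                          # Perl IRC client
           (4300, 1, "rsync", "/usr/bin/rsync")],                        # real rsync
    paths=["/home/suporte/.configrc5/a/init0", "/home/suporte/.ssh/authorized_keys"],
    cron=["@reboot /home/suporte/.configrc5/b/run >/dev/null 2>&1"],
)

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f)
```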
Source: https://cybersecuritynews.com/outlaw-cybergang-attacking-linux-environments/