• The botnet has two functionalities, one that mines for Monero and another that conducts brute force attacks.
  • The cryptominer can run on both Android and Linux systems.

The Outlaw threat group has been leveraging a multi-purpose botnet that allowed the APT group to cryptomine and conduct brute force attacks. While one code allows the botnet to mine for Monero, the second variant of the code allows the botnet to conduct brute force attacks and exploit RDP to escalate privileges.

The cryptominer can run on both Android and Linux systems. The miner is also capable of checking the system for whether any other miners were running on the system.

“Once the mining operation is established, the miner reports back to its owner through a compromised website that hosts a PHP script with a randomly generated name,” Trend Micro researchers said in a report. “The other part of the script takes care of bot propagation. It uses the haiduc tool, which we previously noted to be a tool that the Outlaw group primarily uses.”

The two haiduc variants have a never-before-seen purpose as well - to check targeted systems for the presence of either RDPs or cPanel. If the botnet finds either of the two platforms, which if exploited could allow attackers to escalate privileges, it saves the system for future exploitation. Both cPanel and RDPs are often used by SMBs (small and medium-sized businesses). A successful attack leveraging cPanel could allow attackers to hijack the entire cloud infrastructure.

According to Trend Micro researchers, Outlaw’s botnet is still evolving. The group uses well-known hacking tools, wrapped in bash scripts that allow even script kiddies to operate the tools. The group is also successful in hunting for new targets. The researchers found over 180,000 compromised systems and an additional 20,000 new compromised systems. These included websites, IoT devices, cloud-based private servers and more.

“First it seemed that the goal of the Outlaw group is to build an infrastructure capable of distributed denial of service (DDoS) against many known companies. Later, they have also facilitated brute forcing the SSH so they could grow the botnet further,” Trend Micro researchers added. “Then the cryptocurrency mining started, with the latest discovery described in this blog that RDP and cPanel brute-force are also in the scope of the group’s operation.”

Cyware Publisher