The Outlaw threat actor group is conducting a malware campaign that targets Linux systems for cryptocurrency mining. The campaign uses a new version of the Shellbot trojan, which establishes a tunnel between the infected system and a command-and-control (C&C) server operated by the attackers.
Researchers from JASK Special Ops described in a case study that Shellbot is an IRC bot distributed through common command injection vulnerabilities. The researchers noted that the trojan targets vulnerable Linux servers as well as Internet of Things (IoT) devices, but it is also capable of infecting Windows and Android devices.
Capabilities of Shellbot
The Shellbot trojan’s capabilities include:
Outlaw’s November attacks
In the November 2018 attacks, the Outlaw threat group compromised an FTP server belonging to a Japanese art organization and a Bangladeshi government website. The group was also responsible for attacks against multiple Linux servers belonging to a single, unnamed organization.
The infected servers received multiple payloads, including IRC C2 bot software, cryptomining malware, and the haiduc toolkit. The mining pool used to generate the cryptocurrency, which is currently down, was hosted on a game server.
“This indicates that these campaign actors may have built their own mining pool infrastructure on this provider instead of using publicly available ones,” the researchers explained in the case study.
Shellbot is used to mine for Monero
The Outlaw threat actor group gains access to organizations through denial-of-service (DoS) and SSH brute-force attacks. Once a targeted organization’s servers are compromised, the group deploys a botnet to strengthen its campaign; that botnet is detected as the new version of the Shellbot trojan.
The Shellbot botnet is now being used to monetize the compromised servers through cryptomining.
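The SSH brute-force step described above is the one a defender can see in the host’s own authentication log before any payload lands. The following detector is an added example written for this article, not code from JASK or from the Outlaw tooling: it parses sshd log lines, keeps a sliding window of failed logins per source IP, and escalates when a source that was brute-forcing is subsequently accepted. The log lines, hostnames, IP addresses and the threshold values are constructed for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log lines in syslog format (not taken from the article or the JASK report).
# 198.51.100.23 hammers the server with password guesses and later logs in as root;
# 203.0.113.8 is a legitimate admin who mistypes a password once.
SAMPLE_AUTH_LOG = """\
Nov 12 03:14:01 web1 sshd[2201]: Failed password for root from 198.51.100.23 port 51022 ssh2
Nov 12 03:14:03 web1 sshd[2203]: Failed password for invalid user admin from 198.51.100.23 port 51030 ssh2
Nov 12 03:14:04 web1 sshd[2205]: Failed password for root from 198.51.100.23 port 51041 ssh2
Nov 12 03:14:06 web1 sshd[2207]: Failed password for invalid user test from 198.51.100.23 port 51055 ssh2
Nov 12 03:14:07 web1 sshd[2209]: Failed password for root from 198.51.100.23 port 51060 ssh2
Nov 12 03:14:09 web1 sshd[2211]: Failed password for root from 198.51.100.23 port 51071 ssh2
Nov 12 03:14:30 web1 sshd[2230]: Accepted publickey for deploy from 203.0.113.8 port 40110 ssh2
Nov 12 03:15:10 web1 sshd[2240]: Failed password for alice from 203.0.113.8 port 40120 ssh2
Nov 12 03:15:12 web1 sshd[2242]: Accepted password for alice from 203.0.113.8 port 40121 ssh2
Nov 12 03:16:01 web1 sshd[2250]: Accepted password for root from 198.51.100.23 port 51090 ssh2
"""

# Matches the "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>" lines sshd writes.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

FAILURE_THRESHOLD = 5   # this many failed logins ...
WINDOW_SECONDS = 60     # ... within this many seconds from one source IP (assumed tuning values)


def parse_line(line):
    """Parse one sshd line; return an event dict, or None if it is not a login result."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    # syslog pads single-digit days with two spaces; collapse whitespace before parsing
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
    return {"ts": ts, "result": m.group("result"), "method": m.group("method"),
            "user": m.group("user"), "ip": m.group("ip")}


def detect_brute_force(log_text, threshold=FAILURE_THRESHOLD, window=WINDOW_SECONDS):
    """Sliding-window count of failures per source IP; escalate when a flagged IP then succeeds."""
    failures = defaultdict(deque)   # ip -> timestamps of failures inside the window
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["result"] == "Failed":
            recent = failures[ip]
            recent.append(ev["ts"])
            # drop failures that have aged out of the window
            while recent and (ev["ts"] - recent[0]).total_seconds() > window:
                recent.popleft()
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"severity": "medium", "ip": ip, "user": ev["user"],
                               "reason": f"{len(recent)} failed logins within {window}s"})
        elif ip in flagged:
            # an accepted login from a source that was guessing is the moment the server is compromised
            alerts.append({"severity": "high", "ip": ip, "user": ev["user"],
                           "reason": f"{ev['method']} login accepted after brute-force pattern"})
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_AUTH_LOG):
        print(alert)
```

On the sample log this yields one medium alert for 198.51.100.23 at the fifth failure and one high alert when the same address is accepted as root two minutes later; the single typo from 203.0.113.8 never reaches the threshold. The same logic runs unchanged over a real `/var/log/auth.log`, and the high-severity branch is the one worth paging on, since it marks the point at which a server would start receiving the payloads described in this article.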
“The Perl-based IRC (Internet Relay Chat) bot that was identified as a new version of Shellbot, lightly obfuscated using Perl’s pack routine. Once executed, it runs through unpack and eval functions and establishes a connection to a specified IRC channel, sez.strangled[.]net, for C2,” researchers from JASK explained.
Researchers further noted that the Shellbot trojan is still evolving and that the C2 server remains active. They also observed newly adapted payloads that tailor mining tasks to different CPU architectures and exhibit worm-like post-exploitation behavior.
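The construction the JASK quote describes, a string lightly obfuscated with Perl’s `pack` and then handed to `eval`, is easy to spot statically and does not need to be executed to be read. The triage script below is an added example written for this article (not JASK’s code and not the bot’s); it flags Perl source that combines `eval` with a `pack`/`unpack` template, decodes any long hex literal the way `pack("H*", ...)` would, and pulls hostnames out of the decoded text. The Perl fragment is constructed to mimic the described style, not Shellbot’s actual source; the only value taken from the article is the defanged C2 host `sez.strangled[.]net`.

```python
import re

# Constructed Perl fragment in the style the researchers describe: a hex string is turned back
# into code with pack("H*", ...) and then eval'd. NOT Shellbot's source; the encoded text below
# is made up for the demonstration and decodes to a single assignment naming the C2 host.
SAMPLE_PERL = r'''#!/usr/bin/perl
use strict;
my $h = "6d792024736572766572203d202273657a2e737472616e676c65645b2e5d6e6574223b";
my $code = pack("H*", $h);
eval $code;
'''

EVAL_RE = re.compile(r"\beval\b")
# pack()/unpack() called with a literal template, e.g. pack("H*", ...) for hex -> bytes
PACK_RE = re.compile(r"\b(?:un)?pack\s*\(\s*['\"]([^'\"]+)['\"]")
# a scalar assigned a long, all-hex string literal (at least 8 bytes worth)
HEX_LITERAL_RE = re.compile(r"\$(?P<var>\w+)\s*=\s*['\"](?P<hex>(?:[0-9a-fA-F]{2}){8,})['\"]")
# dotted hostnames, including the defanged a[.]b form used in reports
HOST_RE = re.compile(r"\b[\w-]+(?:(?:\.|\[\.\])[\w-]+)+\b")


def find_indicators(perl_src):
    """Flag the decode-then-eval pattern: eval present together with a pack/unpack template."""
    templates = PACK_RE.findall(perl_src)
    uses_eval = EVAL_RE.search(perl_src) is not None
    return {"uses_eval": uses_eval, "pack_templates": templates,
            "suspicious": uses_eval and bool(templates)}


def decode_hex_literals(perl_src):
    """Statically decode hex literals the way pack("H*", ...) would, without running the script."""
    decoded = {}
    for m in HEX_LITERAL_RE.finditer(perl_src):
        decoded[m.group("var")] = bytes.fromhex(m.group("hex")).decode("latin-1")
    return decoded


def triage(perl_src):
    """Combine the structural check with decoded literals and any hostnames they reveal."""
    report = find_indicators(perl_src)
    report["decoded_literals"] = decode_hex_literals(perl_src)
    hosts = []
    for text in report["decoded_literals"].values():
        for host in HOST_RE.findall(text):
            if host not in hosts:
                hosts.append(host)
    report["hosts"] = hosts
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PERL).items():
        print(f"{key}: {value}")
```

Run against the sample, `triage` reports the `H*` template, `uses_eval` true, the decoded assignment `my $server = "sez.strangled[.]net";`, and the host list `['sez.strangled[.]net']`; a script that merely packs an integer and prints it is not flagged. Because the check is static, it is safe to run over files recovered from a compromised host, and the decoded strings are what you feed into blocklists and IRC-traffic detections for the C2 channel.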