The Outlaw malware campaign, active since at least 2018, continues to pose a significant threat to Linux servers by employing straightforward yet effective tactics such as SSH brute-forcing and cryptocurrency mining. Despite lacking sophisticated evasion techniques, Outlaw’s persistence and adaptability have enabled it to maintain a long-standing presence in the cybersecurity landscape.
Infection Chain and Propagation
1. Initial Access via SSH Brute-Forcing
Outlaw initiates its attack by targeting Linux systems with weak or default SSH credentials. Utilizing a custom brute-force module known as “blitz,” the malware systematically attempts to gain unauthorized access. Once successful, it establishes a foothold on the compromised system. This method is reminiscent of other malware such as Xor DDoS and Remaiten, which also exploit weak SSH credentials for initial access.
2. Payload Deployment and Persistence Mechanisms
Upon gaining access, Outlaw downloads and executes a package containing various scripts and binaries. The primary dropper script initiates the infection chain by deploying components into hidden directories, such as ~/.configrc6. To ensure persistence, the malware installs cron jobs that facilitate regular execution of its components, even after system reboots. This technique is commonly observed in Linux malware to maintain long-term control over infected systems.
3. Cryptocurrency Mining and Command-and-Control Communication
Outlaw deploys a customized version of XMRig, a popular open-source cryptocurrency miner, to exploit the infected server’s resources for mining Monero. Additionally, it establishes communication with command-and-control (C2) servers using IRC-based channels, employing variants of ShellBot for remote command execution. The use of IRC for C2 communication is a tactic shared by other malware families, including those documented in Linux malware research.
4. Worm-Like Propagation
The malware exhibits worm-like behavior by scanning local subnets and external IPs from the compromised host, seeking additional systems with vulnerable SSH services. This self-propagation mechanism allows Outlaw to expand its botnet with minimal attacker intervention, a strategy also employed by malware such as Xor DDoS.
Factors Contributing to Outlaw’s Effectiveness
Outlaw’s success can be attributed to several factors:
- Simplicity and Automation: By leveraging basic attack methods and automating its processes, Outlaw achieves widespread impact without the need for complex techniques.
- Resilience: The malware employs cron jobs and built-in mechanisms to restart its components if terminated, ensuring continued operation.
- Extensive Attack Surface: Outlaw’s activities span multiple stages of the MITRE ATT&CK framework, providing numerous opportunities for detection and analysis.
Indicators of Human Involvement
Research indicates that Outlaw’s operations involve real-time human interaction. Analysts have observed manual command inputs, corrections of typographical errors, and on-the-fly script modifications, suggesting active management by threat actors. This level of involvement is indicative of a hands-on approach to malware deployment and management.
Defensive Recommendations
To mitigate the risk posed by Outlaw, system administrators should implement the following measures:
- Enforce Strong SSH Credentials: Utilize robust, unique passwords and consider disabling password authentication in favor of key-based authentication.
- Monitor for Unauthorized Cron Jobs and Hidden Directories: Regularly inspect cron schedules and file systems for unexpected entries or concealed directories like
~/.configrc6. - Detect Known Malware Variants: Conduct routine scans for signatures associated with XMRig and ShellBot to identify potential infections.
- Restrict Network Communications: Implement network segmentation and limit outbound connections to IRC channels and known mining pools to hinder C2 communications and resource exploitation.
- Deploy Intrusion Prevention Tools: Utilize tools such as DenyHosts to prevent brute-force attacks by monitoring and blocking suspicious SSH login attempts.
Conclusion
The enduring presence of the Outlaw malware underscores the potential impact of basic yet well-executed cyber threats.Organizations utilizing Linux infrastructure must remain vigilant, adopting proactive security measures to detect and prevent such infections before they can establish a foothold. By understanding the tactics employed by threats like Outlaw and implementing robust defensive strategies, system administrators can better protect their environments from compromise.
