The Outlaw group has reportedly been using a sophisticated version of Shellbot to attack Linux systems and mine the privacy-centric coin Monero (XMR). Shellbot is a Trojan that lets attackers control infected systems through a command-and-control (C2) server.
Researchers at Jask Special Ops have been investigating the attacks, in which control of the infrastructure is seized, allowing the attackers to engage in illegal XMR mining. Personal and system data is stolen, tasks and processes are controlled, and command-line shells can be opened remotely. Trend Micro says that the first of these IRC bots appeared in November 2018 and were the work of the Outlaw group.
The researchers pointed out that Shellbot is able to infect Windows systems and Android devices, but such instances are very rare. The initial attacks in November compromised FTP servers at a Japanese art organization and a Bangladeshi government website. Jask concluded that a third attack broke into several Linux servers belonging to a single entity. In each case, the systems were infected with IRC C2 botware along with the haiduc SSH scan and network propagation kit. The systems also received a cryptomining malware script that uses the hijacked server resources to mine XMR.
Organizations are targeted through denial-of-service (DoS) and brute-force methods. Compromised servers strengthen the Outlaw group’s botnet, allowing it to continue its attacks. Jask Special Ops claims the current botnet is monetizing compromised systems through distributed denial-of-service (DDoS) along with illicit cryptomining. The Outlaw group’s network propagation toolkit reportedly uses a Perl-based IRC bot for the purposes of obfuscation.
After investigating the received payloads, Jask Special Ops believes the mining pool configured for the latest attacks points to a VPS provider in the Netherlands. This VPS provider hosts several gaming servers, which Jask takes as a sign that the perpetrators may have built their own cryptomining infrastructure on this provider rather than using publicly available ones.
Jask speculates that the Outlaw group’s motivation for the attacks is similar to that of other groups that target exposed Linux servers: “Broad propagation and revenue generation through illicit cryptomining on abused infrastructure.” One reason Monero mining appeals to attackers is that they can harness such a large volume of compromised computers. XMR can be used to purchase goods and services that are available on the cryptomarket.
Jask’s mission is to reduce organizational risk and increase human efficiency through technology consolidation, enhanced artificial intelligence, and machine learning. The company’s Autonomous Security Operations Center (ASOC) helps SOC analysts focus on threats, streamline their investigations, and deliver quicker response times. Jask ASOC identified signs of post-infection behavior on the infected Linux devices. They are certain that credentials compromised through brute force or credential stuffing allowed the attackers to access the victims’ infrastructure.
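As an added illustration of the evidence a SOC would look for after an intrusion of this kind (example code written for this page, not Jask’s or Trend Micro’s tooling), the following Python flags an SSH login that follows a burst of failed attempts from the same source, the brute-force pattern described above. The sshd log lines, hostnames and IP addresses are constructed samples, not indicators from the investigation.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines in syslog format (no year); not taken from the article.
SAMPLE_AUTH_LOG = """\
Nov 12 03:14:01 host1 sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Nov 12 03:14:03 host1 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Nov 12 03:14:05 host1 sshd[2205]: Failed password for root from 203.0.113.7 port 51041 ssh2
Nov 12 03:14:06 host1 sshd[2207]: Failed password for root from 203.0.113.7 port 51052 ssh2
Nov 12 03:14:08 host1 sshd[2209]: Failed password for invalid user oracle from 203.0.113.7 port 51060 ssh2
Nov 12 03:14:10 host1 sshd[2211]: Accepted password for root from 203.0.113.7 port 51071 ssh2
Nov 12 03:20:44 host1 sshd[2300]: Failed password for alice from 198.51.100.9 port 40002 ssh2
Nov 12 03:21:10 host1 sshd[2302]: Accepted publickey for alice from 198.51.100.9 port 40010 ssh2
"""

# Matches both "Accepted <method> for <user>" and "Failed <method> for [invalid user] <user>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse_line(line, year=2018):
    """Parse one sshd auth line into a dict, or return None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}

def find_bruteforce_logins(log_text, threshold=5, window_s=300):
    """Alert on an accepted login preceded by >= threshold failures from the
    same source IP within window_s seconds (brute force or credential stuffing
    that finally succeeded)."""
    failures = defaultdict(list)  # source ip -> timestamps of failed attempts
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["result"] == "Failed":
            failures[ev["ip"]].append(ev["ts"])
            continue
        recent = [t for t in failures[ev["ip"]] if (ev["ts"] - t).total_seconds() <= window_s]
        if len(recent) >= threshold:
            alerts.append({"ip": ev["ip"], "user": ev["user"],
                           "failures": len(recent), "ts": ev["ts"].isoformat()})
    return alerts
```

On the sample log only the 203.0.113.7 session is flagged; the single failure before alice’s key-based login stays below the threshold.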