Outlaw Linux Malware: Persistent, Unsophisticated, and Surprisingly Effective — Elastic Security Labs

OUTLAW is a persistent, auto-propagating coinminer that utilizes simple techniques such as SSH brute-forcing and modification of commodity miners for infection and persistence. By deploying a honeypot, researchers gained insights into how OUTLAW operates, revealing the malware’s ability to maintain control and expand its botnet with basic tactics.

Affected: Linux systems, cryptocurrency mining environments

Key points:

  • OUTLAW is persistent and utilizes unsophisticated attack methods.
  • Employs SSH brute-forcing and cron jobs for persistence.
  • Utilizes modified XMRig miners and IRC for command and control.
  • Exploits weak credentials to propagate through networks.
  • Malware performs both automated and manual actions.
  • Honeypot experiment provided real-time insights into attacker behavior.
  • Detection strategies can be derived from OUTLAW’s predictable behaviors.

MITRE Techniques:

  • TA001 – Initial Access: Uses SSH brute-forcing (Component: blitz) to gain entry to systems.
  • TA002 – Execution: Runs dropper scripts to kick off malware installations (Scripts: tddwrt7s.sh, initall).
  • TA003 – Persistence: Establishes cron jobs and manipulates SSH keys for long-term control.
  • TA005 – Defense Evasion: Uses hidden directories and modifies permissions to avoid detection.
  • TA006 – Credential Access: Changes SSH keys and user passwords post-compromise.
  • TA007 – Discovery: Enumerates system details for environment profiling (Commands used).
  • TA008 – Lateral Movement: Scans local networks for additional targets and propagates through SSH attacks.
  • TA010 – Exfiltration: Collects data and transmits it back to C2 servers.
  • TA011 – Command and Control: Maintains communication using socat and IRC techniques.
  • TA040 – Impact: Mines cryptocurrency with the XMRig miner.

Indicators of Compromise:

  • [IP Address] 212.234.225[.]29
  • [Hash] c3efbd6b5e512e36123f7b24da9d83f11fffaf3023d5677d37731ebaa959dd27
  • [File Path] /home/eax/up
  • [File Path] /var/tmp/dota
  • [File Path] /dev/shm/ip
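As an added defender-side example (not code from the Elastic post), the cron-persistence and SSH brute-force behaviours above turned into two detection checks run over constructed crontab and sshd log samples. The known file paths come from the IoC list; the hidden-directory pattern under /tmp, /var/tmp and /dev/shm and the failed-login threshold are assumptions, not values from the post.

```python
import re
from collections import Counter

# File paths listed in the IoC section above; the hidden-dir pattern is an added assumption
OUTLAW_PATHS = ("/home/eax/up", "/var/tmp/dota", "/dev/shm/ip")
HIDDEN_TMP_DIR = re.compile(r"/(?:dev/shm|var/tmp|tmp)/\.[^/\s]+")
# Standard OpenSSH failed-password line; captures the source IPv4 address
SSHD_FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3})"
)

def suspicious_cron_lines(crontab_text):
    """Return non-comment crontab lines that reference a known OUTLAW path
    or a hidden directory under a world-writable tmp/shm location."""
    hits = []
    for line in crontab_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if any(p in stripped for p in OUTLAW_PATHS) or HIDDEN_TMP_DIR.search(stripped):
            hits.append(stripped)
    return hits

def ssh_brute_force_sources(auth_log_text, threshold=10):
    """Return {source_ip: failed_login_count} for sources at or above the threshold
    (threshold is an assumed tuning value, not one from the post)."""
    counts = Counter()
    for line in auth_log_text.splitlines():
        m = SSHD_FAILED.search(line)
        if m:
            counts[m.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample input (not captured from a real host)
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/apt-get update
*/5 * * * * /home/eax/up >/dev/null 2>&1
@reboot /var/tmp/.x/run
"""
SAMPLE_AUTH_LOG = "\n".join(
    [f"Mar 12 10:00:{i:02d} host sshd[{1000 + i}]: Failed password for invalid user admin "
     f"from 203.0.113.5 port {40000 + i} ssh2" for i in range(12)]
    + ["Mar 12 10:01:00 host sshd[2000]: Failed password for root from 198.51.100.7 port 5000 ssh2",
       "Mar 12 10:01:05 host sshd[2001]: Accepted publickey for deploy from 198.51.100.7 port 5001 ssh2"]
)

if __name__ == "__main__":
    print(suspicious_cron_lines(SAMPLE_CRONTAB))
    print(ssh_brute_force_sources(SAMPLE_AUTH_LOG))
```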


Full Story: https://www.elastic.co/security-labs/outlaw-linux-malware
