Outlaw hackers use a Shellbot trojan variant to target organizations
Trend Micro security researchers have published a report on a new botnet malware distributed by the hacking group known as Outlaw, which previously compromised the FTP servers of a Japanese art institution and the Bangladesh government website. The threat actors' main objective is to expand the botnet and operate it as a network-scanning and crypto-mining utility. The group uses haiduc, a hacking tool used by cybercriminals to scan the Internet for vulnerable servers.
Experts have observed a Perl-based Shellbot that targeted a variety of organizations and exploited a common command injection vulnerability on Linux servers and IoT devices, although Android- and Windows-based devices were also affected. The malware used the Internet Relay Chat (IRC) protocol to communicate with the attacker-controlled command and control servers.
Initially, the Outlaw group used the infrastructure it built to execute DDoS attacks on the criminals' targets. However, its capabilities have evolved, with the threat actors adding brute-force functionality as well as a crypto-mining operation. Trend Micro detects the threat as Coinminer.SH.MALXMR.ATNJ.
According to the researchers, the new botnet has already hit over 180,000 hosts and 20,000 newly compromised hosts, including IoT devices, Windows and cloud-based servers, and thousands of websites.
Advanced coin mining and exploitation of RDP and cloud cPanel administration
According to the research, two different variants of the malware have been identified. The first version has two components:
- A haiduc-based dropper
- A coin miner
The coin-mining script is able to avoid detection by IPS devices and firewalls through continuous scanning. It also consists of two parts: a bash/Perl script and an obfuscated Perl script.
Before the malware starts its coin-mining process, it checks whether other mining scripts are already running on the system. If any are found, they are killed and Outlaw's own miner is started in their place, which means the bot is able to hijack all coin-mining processes on the system. The malicious scripts that are downloaded then run a Monero cryptocurrency mining process, which can affect both Android and Linux devices.
Once the mining process is established, the bot reports to the attackers via a website, using a random name and a PHP script.
The haiduc-based dropper is responsible for spreading the bot. It takes advantage of hosts running the SSH service to launch brute-force attacks. Once successful, the bot sends an e-mail to the botnet administrator by invoking a PHP script instead of using IRC. In addition, it further exploits RDP environments and cloud cPanel administration, and provides administrative privileges.
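The SSH brute-force activity described above leaves a recognizable trace in sshd logs: a burst of failed logins from one source, followed by a success. The detector below is an added example written for this article, not code from Trend Micro or from the malware; the auth-log lines it parses are constructed sample data, and the threshold and window are assumptions a defender would tune.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of sshd entries in /var/log/auth.log format (not real data):
# a burst of failures from one source followed by a successful login.
SAMPLE_AUTH_LOG = """\
Nov 12 03:14:01 web1 sshd[2201]: Failed password for root from 203.0.113.45 port 51022 ssh2
Nov 12 03:14:02 web1 sshd[2203]: Failed password for root from 203.0.113.45 port 51023 ssh2
Nov 12 03:14:02 web1 sshd[2205]: Failed password for invalid user admin from 203.0.113.45 port 51024 ssh2
Nov 12 03:14:03 web1 sshd[2207]: Failed password for root from 203.0.113.45 port 51025 ssh2
Nov 12 03:14:04 web1 sshd[2209]: Failed password for root from 203.0.113.45 port 51026 ssh2
Nov 12 03:14:05 web1 sshd[2211]: Accepted password for root from 203.0.113.45 port 51027 ssh2
Nov 12 03:20:10 web1 sshd[2300]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Nov 12 03:25:00 web1 sshd[2310]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def detect_ssh_bruteforce(log_text, threshold=5, window_s=60):
    """Return {ip: {"failures": n, "success_after_burst": user_or_None}} for
    every source with >= threshold failed logins inside a window_s-second
    window. A success that follows such a burst is the signal worth paging on.
    threshold and window_s are assumed defaults, not values from the report."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; any fixed year works for deltas
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            q = recent[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:   # drop old failures
                q.popleft()
            if len(q) >= threshold:
                hits.setdefault(ip, {"failures": 0, "success_after_burst": None})
                hits[ip]["failures"] = max(hits[ip]["failures"], len(q))
        elif ip in hits and hits[ip]["success_after_burst"] is None:
            hits[ip]["success_after_burst"] = user   # burst then success: likely compromise
    return hits
```

Feeding a real auth.log through `detect_ssh_bruteforce` and alerting on any entry whose `success_after_burst` is set gives a simple trigger for isolating the host and checking it for the miner processes the article describes.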
The ever-changing threat
Considering that the previous malware variants were found less than a month ago and new releases keep appearing, Outlaw's botnet is clearly evolving. It has acquired PHP-based functionality that is far superior to IRC-based communication, increasing the effectiveness of its C&C servers.
Initially, Outlaw's botnet was created for DDoS attacks against high-profile organizations. However, newly added features such as brute-forcing and cryptocurrency mining have allowed the threat actors to develop sophisticated malware that can circumvent security measures and spread rapidly.
Users should deploy comprehensive security solutions to protect themselves from Outlaw's attacks.