Outlaw has emerged as a persistent Linux malware family that continues to infect systems worldwide despite its relatively unsophisticated techniques. It has shown remarkable longevity in the threat landscape by relying on simple yet effective tactics, namely SSH brute-forcing, layered persistence mechanisms and cryptocurrency mining, to maintain a growing botnet of compromised Linux servers. Elastic Security Labs analysts noted that Outlaw exhibits an attack chain spanning nearly the entire MITRE ATT&CK framework, which makes it an excellent case study for detection engineering. The researchers captured the malware's behavior with honeypot systems, observing both automated activity and occasional manual interaction from the threat actors.

Initial access relies primarily on opportunistic SSH brute-force attacks against systems with weak or default credentials. After compromising a host, the malware scans the local subnet for additional targets and uses the newly infected machine to launch further SSH brute-force attacks, rapidly expanding its reach across networks.

The installed package contains several components that keep the malware in control of the compromised system while evading detection. It installs multiple cron jobs so that its components restart after a reboot or if they are terminated. It also removes and recreates the user's ~/.ssh directory, injects attacker-controlled SSH keys, and sets the immutable and append-only attributes (chattr +ia) on the result so that administrators cannot simply delete or overwrite the keys; the attributes must first be cleared with chattr -ia, which requires root, before the directory can be cleaned up.

This behavior gives defenders several detection opportunities, in particular monitoring for bursts of failed SSH authentication attempts, unusual cron job creation, and unauthorized modifications to the SSH keys under ~/.ssh. Outlaw demonstrates how threat actors can achieve widespread impact without relying on sophisticated techniques.
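The three detection signals above, worked through as an added example that is not part of the original article and not Elastic Security Labs tooling: a small Python script that applies each check to constructed sample data (an auth.log excerpt, a crontab, lsattr output and an authorized_keys file). None of the samples come from a real infection, and the failure threshold, time window and list of scratch directories are assumptions a team would tune for its own environment.

```python
"""Offline versions of the three detections above; every input is a constructed sample."""
import re
from collections import defaultdict
from datetime import datetime

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?\S+ "
    r"from (?P<ip>\S+) port \d+ ssh2$")

def ssh_bruteforce(log_text, threshold=5, window_s=60):
    """Per source IP: >= threshold failures inside window_s seconds is brute force;
    an Accepted login from that IP at or after that point is a likely compromise."""
    fails, accepts = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; ordering within one log is all we need
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        (fails if m["result"] == "Failed" else accepts)[m["ip"]].append(ts)
    report = {}
    for ip, times in fails.items():
        times.sort()
        hit_at = None
        for j, t in enumerate(times):
            recent = [x for x in times[:j + 1] if (t - x).total_seconds() <= window_s]
            if len(recent) >= threshold:
                hit_at = t
                break
        report[ip] = {"failures": len(times), "brute_force": hit_at is not None,
                      "success_after": hit_at is not None
                      and any(a >= hit_at for a in accepts[ip])}
    return report

SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")  # assumed list of suspect locations

def suspicious_cron(crontab_text):
    """Flag @reboot jobs and commands launched from scratch or hidden directories."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cmd = line.split(None, 1)[1] if line.startswith("@") else line.split(None, 5)[5]
        reasons = []
        if line.startswith("@reboot"):
            reasons.append("@reboot persistence")
        if any(d in cmd for d in SCRATCH_DIRS):
            reasons.append("runs from world-writable dir")
        if re.search(r"/\.[^/\s]+/", cmd):
            reasons.append("runs from hidden directory")
        if reasons:
            hits.append((cmd, reasons))
    return hits

def locked_ssh_files(lsattr_text):
    """Paths under .ssh carrying the immutable (i) or append-only (a) attribute."""
    locked = []
    for line in lsattr_text.splitlines():
        attrs, _, path = line.partition(" ")  # lsattr prints flags, a space, then the path
        if "/.ssh" in path and ("i" in attrs or "a" in attrs):
            locked.append(path)
    return locked

def unexpected_keys(authorized_keys_text, baseline):
    """Entries whose type + key material is not in the baseline (comments ignored)."""
    ident = lambda l: " ".join(l.split()[:2])
    known = {ident(k) for k in baseline}
    return [l for l in authorized_keys_text.splitlines()
            if l.strip() and not l.startswith("#") and ident(l) not in known]

# Constructed samples; none of these come from a real infection.
AUTH_LOG = """\
Apr  2 14:01:10 web1 sshd[2210]: Failed password for root from 203.0.113.7 port 51122 ssh2
Apr  2 14:01:12 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Apr  2 14:01:13 web1 sshd[2212]: Failed password for root from 203.0.113.7 port 51141 ssh2
Apr  2 14:01:15 web1 sshd[2213]: Failed password for invalid user test from 203.0.113.7 port 51152 ssh2
Apr  2 14:01:16 web1 sshd[2214]: Failed password for root from 203.0.113.7 port 51160 ssh2
Apr  2 14:01:18 web1 sshd[2215]: Accepted password for root from 203.0.113.7 port 51171 ssh2
Apr  2 14:05:02 web1 sshd[2290]: Failed password for alice from 198.51.100.20 port 40001 ssh2
Apr  2 14:05:30 web1 sshd[2291]: Accepted publickey for alice from 198.51.100.20 port 40002 ssh2
"""
CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
@reboot /home/deploy/.cache/.k/run >/dev/null 2>&1
*/5 * * * * /tmp/.x/sync.sh >/dev/null 2>&1
"""
LSATTR = """\
----i---------e------- /home/deploy/.ssh
----ia--------e------- /home/deploy/.ssh/authorized_keys
--------------e------- /home/deploy/.bashrc
"""
BASELINE_KEYS = {"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedAliceKey alice@laptop"}
AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedAliceKey alice@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedAttackerKey unknown
"""

if __name__ == "__main__":
    for check in (ssh_bruteforce(AUTH_LOG), suspicious_cron(CRONTAB),
                  locked_ssh_files(LSATTR), unexpected_keys(AUTHORIZED_KEYS, BASELINE_KEYS)):
        print(check)
```

On a live host the same functions can be fed `journalctl -u ssh`/`/var/log/auth.log`, each user's `crontab -l` plus `/etc/cron.d`, `lsattr -R` over home directories and the current `authorized_keys` files; the brute-force check is the only one that needs a time window, and its window should be short enough that legitimate typo bursts from one admin do not cross the threshold. Note that the `i` and `a` flags are reported regardless of position in the attribute field, so the check does not depend on the column layout of a particular e2fsprogs version.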
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 02 Apr 2025 15:10:11 +0000