A previously documented threat actor known as Outlaw (or “Dota”) has resurfaced with an enhanced malware toolkit targeting Linux servers globally, according to a recent incident response investigation by Securelist analysts. The malware’s initial access vector remains consistent with historical Outlaw activity: brute-force attacks against SSH services using default or easily guessable credentials. The group, active since at least 2018, has shifted focus to cryptographic mining and botnet propagation, exploiting weak SSH credentials to infiltrate systems in Brazil, the U.S., Germany, Italy, and Southeast Asia. The .configrc5 directory structure includes subdirectories for payload execution (a/), persistence scripts (b/), and Tor proxies to mask mining pool communications. This latest campaign leverages Perl-based backdoors, modified XMRig miners, and IRC botnet clients to maintain persistence and evade detection while monopolizing victim resources. The breach begins with attackers establishing SSH access using compromised credentials, often targeting accounts like suporte (Portuguese for “support”) with weak passwords. Securelist’s analysis revealed the malware’s adaptability, with recent samples incorporating Tor-based mining pools and process whitelisting to avoid disrupting its own operations. Securelist researchers noted the malware’s sophistication lies in its layered obfuscation, resource hijacking, and anti-forensic measures, including the systematic elimination of competing cryptominers on infected hosts. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. Of particular note is the a /init0 script, which performs reconnaissance to identify and kill rival miners like tsm, rsync, and blitz using grep and kill -9 commands. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news. This artifact creates a hidden directory (.configrc5) housing components for process manipulation, cryptocurrency mining, and command-and-control (C2) communication. While XMRig configurations default to CPU mining, the modular nature of the toolkit suggests potential expansion to GPU-based attacks. This script retrieves a UPX-packed XMRig miner (kswapd0) and an obfuscated Perl IRC botnet client. The combination of credential brute-forcing, multi-layered payloads, and anti-detection routines positions Outlaw as a persistent threat to inadequately secured Linux environments. Mitigation strategies emphasize SSH hardening, including disabling password authentication, enforcing firewall rate limits, and monitoring for unauthorized .ssh directory modifications. This client connects to C2 servers over port 443, enabling remote command execution, DDoS attacks, and lateral movement via SSH. Tushar is a Cyber security content editor with a passion for creating captivating and informative content. Upon successful login, the threat actor executes a sequence of commands to download and unpack the primary payload. Attackers replace the victim’s .ssh /authorized_keys file with their own public key, ensuring repeated access even if credentials change. The b/run script embeds a Base64-encoded Perl backdoor that deobfuscates to an IRC client masquerading as rsync. Securelist advocates for tools like Fail2Ban paired with stringent sshd_config policies to disrupt Outlaw’s primary infiltration vector.
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 30 Apr 2025 13:05:06 +0000