
The Outlaw Linux cryptocurrency mining botnet, also known as Dota, has primarily targeted vulnerable SSH servers and can self-propagate through its BLITZ initial access component, The Hacker News reports.
Multi-stage attacks involving Outlaw, which is developed by a suspected Romanian threat operation of the same name, begin with SSH brute-forcing and continue with the distribution of a dropper shell script that downloads a miner-launching archive file and conceals previous compromise, according to an analysis from Elastic Security Labs.

Outlaw has also targeted misconfigured systems, including vulnerable Linux- and Unix-based systems affected by the CVE-2016-8655 and CVE-2016-5195 flaws, in intrusions that resulted in the deployment of SHELLBOT, which enables arbitrary shell command execution, distributed denial-of-service attacks, credential theft, and data exfiltration.

"Outlaw remains active despite using basic techniques like SSH brute-forcing, SSH key manipulation, and cron-based persistence. The malware deploys modified XMRig miners, leverages IRC for C2, and includes publicly available scripts for persistence and defense evasion," said Elastic researchers.
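Since the initial access step described above is plain SSH password brute-forcing, the earliest detection opportunity is the sshd authentication log. The script below is an added example written for this article; it is not code from Elastic Security Labs or from the reporting, and the log lines, hostnames and IP addresses in it are constructed. It parses OpenSSH "Failed password" and "Accepted password/publickey" lines, counts failures per source address inside a sliding window, and flags the pattern that matters most for a mining-botnet intrusion: a successful login from a source that has just produced a burst of failures.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines in syslog format (not real data).
# 203.0.113.7 hammers root/admin and then gets in; 198.51.100.4 is a
# legitimate user who mistypes a password once and then uses a key.
SAMPLE_AUTH_LOG = """\
Mar  1 10:00:01 host1 sshd[1201]: Failed password for root from 203.0.113.7 port 50110 ssh2
Mar  1 10:00:02 host1 sshd[1202]: Failed password for root from 203.0.113.7 port 50112 ssh2
Mar  1 10:00:02 host1 sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 50114 ssh2
Mar  1 10:00:03 host1 sshd[1204]: Failed password for root from 203.0.113.7 port 50116 ssh2
Mar  1 10:00:03 host1 sshd[1205]: Failed password for root from 203.0.113.7 port 50118 ssh2
Mar  1 10:00:04 host1 sshd[1206]: Accepted password for root from 203.0.113.7 port 50120 ssh2
Mar  1 10:05:00 host1 sshd[1300]: Failed password for alice from 198.51.100.4 port 41000 ssh2
Mar  1 10:05:30 host1 sshd[1301]: Accepted publickey for alice from 198.51.100.4 port 41002 ssh2
"""

# Matches the two OpenSSH outcomes we care about; "invalid user" is optional.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_ts(ts: str, year: int = 2025) -> datetime:
    """Syslog timestamps carry no year; the year is an assumed constant here."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def analyze_ssh_log(text: str, threshold: int = 5, window_seconds: int = 60) -> list:
    """Return one alert dict per source IP that reached `threshold` failures
    inside `window_seconds`. An alert also records whether a login from that
    source was accepted while the failure burst was still inside the window."""
    failures = defaultdict(list)   # ip -> failure timestamps inside the window
    tried = defaultdict(set)       # ip -> usernames attempted
    alerts = {}                    # ip -> alert dict

    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # other sshd noise (disconnects, banners) is ignored
        ts, ip = parse_ts(m["ts"]), m["ip"]
        # Drop failures that have aged out of the sliding window.
        recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window_seconds]

        if m["result"] == "Failed":
            recent.append(ts)
            tried[ip].add(m["user"])
            if len(recent) >= threshold:
                alert = alerts.setdefault(ip, {"ip": ip, "failures": 0,
                                               "success_after_failures": False})
                alert["failures"] = max(alert["failures"], len(recent))
                alert["users"] = sorted(tried[ip])
        elif len(recent) >= threshold:
            # Accepted login right after a brute-force burst from the same source:
            # treat as a probable compromise, not just a noisy scanner.
            alert = alerts.setdefault(ip, {"ip": ip, "failures": len(recent),
                                           "success_after_failures": False,
                                           "users": sorted(tried[ip])})
            alert["success_after_failures"] = True
            alert["accepted_user"] = m["user"]
        failures[ip] = recent

    return sorted(alerts.values(), key=lambda a: a["ip"])


if __name__ == "__main__":
    for alert in analyze_ssh_log(SAMPLE_AUTH_LOG):
        print(alert)
```

A `success_after_failures` alert is the one worth paging on: it is the point at which the dropper shell script in the chain above would be fetched, so the follow-up is to check that host's crontab entries and `authorized_keys` files, the persistence locations the researchers name, rather than only blocking the source address.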