Cyber Security News

New Outlaw Linux Malware Uses SSH Brute-Forcing to Maintain Botnet Activity Over the Long Term

A persistent Linux malware known as “Outlaw” has been identified leveraging unsophisticated yet effective techniques to maintain a long-running botnet.

Despite its lack of advanced evasion mechanisms, Outlaw continues to propagate and monetize its activities by employing SSH brute-forcing, cron-based persistence, and modified cryptocurrency miners.

Its modular design and worm-like propagation allow it to infect systems with minimal attacker intervention.

Researchers deployed honeypots mimicking vulnerable systems to analyze Outlaw’s behavior.

The results revealed a mix of automated and manual interactions, including command execution and occasional typographical errors, indicating direct human involvement in maintaining the botnet.

Infection Chain and Propagation

Outlaw follows a structured multi-stage infection process:

  1. Initial Access: The malware gains entry through SSH brute-forcing, targeting systems with weak or default credentials. A component called “blitz” handles these brute-force attacks by retrieving target lists from a command-and-control (C2) server.
  2. Payload Deployment: Once access is gained, the malware downloads and executes a package containing scripts and binaries. The primary dropper script, tddwrt7s.sh, initiates the infection chain by deploying components into hidden directories.
  3. Persistence Mechanisms: Outlaw establishes persistence through cron jobs and SSH key manipulation. It injects attacker-controlled SSH keys into compromised systems while locking configuration files to prevent tampering.
  4. Propagation: The malware acts as a worm, spreading laterally within local subnets by launching additional SSH brute-force attacks from infected hosts. This self-replication ensures rapid expansion of the botnet.

Figure: OUTLAW infection chain overview

Malware Components

Outlaw utilizes several components to sustain its operations:

  • XMRig Miner: A modified version of the XMRig cryptocurrency miner is embedded for Monero mining. It optimizes CPU performance by enabling hugepages and modifying kernel parameters.
  • STEALTH SHELLBOT: This IRC-based backdoor facilitates remote control of infected systems, allowing attackers to execute commands or deploy additional payloads.
  • BLITZ Brute-Forcer: A custom-built tool that automates SSH brute-forcing and malware deployment. It retrieves target credentials from the C2 server and transfers malicious packages directly from one infected host to another.
  • kswapd01 & kswapd0: These binaries ensure continuous communication with the C2 infrastructure while managing mining processes.

According to the report, the simplicity of Outlaw’s design belies its effectiveness.

Figure: obfuscated Perl code

By relying on publicly available tools and straightforward techniques, it avoids detection by traditional security measures.

However, its predictable behavior, such as SSH brute-forcing, cron job creation, and mining optimization, offers defenders opportunities for detection through SIEM rules and endpoint monitoring.
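One way to turn the predictable behaviours named above (and the SSH monitoring recommended later in the article) into detection logic, as an added example that is not part of the original article or of the cited report: a Python script that flags SSH password-guessing bursts in sshd log lines, notes when the same source then logs in successfully, and lists cron jobs that run from hidden directories. The log lines, crontab entries, thresholds and paths are constructed for this example and are not indicators taken from the report.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines (syslog format); 203.0.113.7 is a documentation address.
SAMPLE_AUTH_LOG = """\
Apr  5 10:01:01 host sshd[2211]: Failed password for root from 203.0.113.7 port 51022 ssh2
Apr  5 10:01:02 host sshd[2212]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Apr  5 10:01:03 host sshd[2213]: Failed password for root from 203.0.113.7 port 51024 ssh2
Apr  5 10:01:04 host sshd[2214]: Failed password for invalid user test from 203.0.113.7 port 51025 ssh2
Apr  5 10:01:05 host sshd[2215]: Failed password for root from 203.0.113.7 port 51026 ssh2
Apr  5 10:01:06 host sshd[2216]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Apr  5 10:30:20 host sshd[2301]: Accepted publickey for alice from 198.51.100.9 port 40001 ssh2
"""

# Constructed crontab lines: one benign backup job and two entries running from hidden directories.
SAMPLE_CRONTAB = """\
0 2 * * * /usr/local/bin/backup.sh
*/10 * * * * /tmp/.x/a/upd >/dev/null 2>&1
@reboot /home/user/.cache/b/run >/dev/null 2>&1
"""

SSH_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) (\w+) for (?:invalid user )?(\S+) from (\S+)")
HIDDEN_DIR_RE = re.compile(r"(?:^|[\s/])\.[^/\s.][^/\s]*/")  # a dot-directory path component such as /tmp/.x/

def detect_ssh_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: {"failures": n, "login_after_bruteforce": bool}} for sources whose
    password failures reach `threshold` inside a sliding window of `window_seconds`."""
    recent = defaultdict(list)   # ip -> timestamps of failures still inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = SSH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # year-less syslog timestamp
        outcome, method, ip = m.group(2), m.group(3), m.group(5)
        if outcome == "Failed" and method == "password":
            window = [t for t in recent[ip] if (ts - t).total_seconds() <= window_seconds] + [ts]
            recent[ip] = window
            if len(window) >= threshold:
                entry = flagged.setdefault(ip, {"failures": 0, "login_after_bruteforce": False})
                entry["failures"] = max(entry["failures"], len(window))
        elif outcome == "Accepted" and ip in flagged:
            flagged[ip]["login_after_bruteforce"] = True   # the guessing succeeded: escalate
    return flagged

def find_hidden_dir_cron_jobs(crontab_text):
    """Return crontab lines whose command is launched from a hidden (dot) directory."""
    return [job for job in crontab_text.splitlines() if HIDDEN_DIR_RE.search(job)]
```

A SIEM rule built on the same two signals (failure bursts followed by an accepted login, and cron commands under dot-directories) catches the behaviour regardless of which binary names or paths a given Outlaw build uses.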

A notable finding from honeypot experiments was the occasional manual interaction by attackers, suggesting periodic quality checks to ensure successful infections.

Outlaw demonstrates how even rudimentary malware can sustain long-term botnet operations through persistence and aggressive propagation tactics.

Its reliance on basic techniques underscores the importance of robust system configurations, such as disabling weak credentials and monitoring for unusual SSH activity.

By understanding Outlaw’s methods, security teams can develop targeted detection strategies to mitigate its impact on Linux environments.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
