Botnet kills and hijacks active miners with its own binaries

Nov 20, 2018 20:35 GMT  ·  By

The botnet created by the Outlaw group, once a DoS-focused botnet targeting Windows, Linux, Android, and enterprise IoT devices, has recently been upgraded to also mine for Monero and to propagate using SSH brute-force attacks.

As initially discovered by Trend Micro's Cyber Safety Solutions Team, this botnet was created by a Romanian threat group dubbed Outlaw, which used the servers of a Japanese art institution and a Bangladeshi government website as command-and-control (C&C) servers.

The attacking bots that are part of the network use a malicious tool named haiduc to scan for and attack systems vulnerable to the CVE-2017-1000117 command injection vulnerability.

Once it manages to compromise a host, the bot automatically downloads a min.sh script, which comes in two variants, each designed to carry out different attacks.

Outlaw's bots can kill and replace other crypto mining malware

The first version of min.sh comes as a plain-text Bash and Perl script designed to drop the Monero miner binary on Linux and Android devices and start mining for cryptocurrency.

However, the bot will also look around the compromised machine for other mining malware running in the background, kill it on sight, and replace it with its own crypto-mining binaries.

Although it mimics the way some Mirai bot variants hunt down other crypto-mining malware, Outlaw's bot does not patch the hosts it compromises against future infections.

Once the mining process has started, the bot switches into propagation mode, using brute force to compromise machines running vulnerable SSH service installations.
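The SSH brute-force propagation described above leaves a characteristic trace in sshd logs: a burst of failed logins for several usernames from one source, sometimes followed by a successful login from that same source. The following is an added detection example written for this article, not code from the original page or from Trend Micro's analysis; the auth.log lines are constructed samples in the standard OpenSSH syslog format, and the threshold of five failures within sixty seconds is an assumption chosen for illustration.

```python
"""Flag SSH brute-force bursts in sshd log lines and note any login that
succeeds from the same source after the burst.

Added example, not part of the original article. Sample log lines are
constructed; threshold and window values are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log excerpt (not real data): 203.0.113.7 hammers
# sshd with failed logins for several usernames and then gets in with a
# password; 198.51.100.9 is ordinary traffic with a single typo.
SAMPLE_AUTH_LOG = """\
Nov 20 20:30:01 host1 sshd[2101]: Failed password for root from 203.0.113.7 port 51234 ssh2
Nov 20 20:30:02 host1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Nov 20 20:30:02 host1 sshd[2105]: Failed password for invalid user pi from 203.0.113.7 port 51238 ssh2
Nov 20 20:30:03 host1 sshd[2107]: Failed password for root from 203.0.113.7 port 51240 ssh2
Nov 20 20:30:04 host1 sshd[2109]: Failed password for invalid user test from 203.0.113.7 port 51242 ssh2
Nov 20 20:30:05 host1 sshd[2111]: Accepted password for root from 203.0.113.7 port 51244 ssh2
Nov 20 20:31:10 host1 sshd[2150]: Accepted publickey for alice from 198.51.100.9 port 40022 ssh2
Nov 20 20:31:12 host1 sshd[2152]: Failed password for bob from 198.51.100.9 port 40024 ssh2
"""

# Matches the OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_sshd_lines(text, year=2018):
    """Parse sshd login lines into event dicts; lines that do not match are skipped.
    Syslog timestamps carry no year, so one is supplied (assumption: 2018)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def find_bruteforce(events, threshold=5, window_seconds=60):
    """Return findings keyed by source IP. A source is flagged when `threshold`
    failed logins fall inside any `window_seconds` span (sliding window over the
    sorted failures). Successful logins from that source at or after the burst
    are reported separately, since they suggest the brute force worked."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "Failed"]
        flagged_at = None
        for i in range(len(failures)):
            j = i + threshold - 1
            if j < len(failures) and \
               (failures[j]["ts"] - failures[i]["ts"]).total_seconds() <= window_seconds:
                flagged_at = failures[j]["ts"]
                break
        if flagged_at is None:
            continue
        success_after = [e for e in evs
                         if e["result"] == "Accepted" and e["ts"] >= flagged_at]
        findings[ip] = {
            "failed_attempts": len(failures),
            "usernames_tried": sorted({e["user"] for e in failures}),
            "success_after_burst": [(e["user"], e["method"]) for e in success_after],
        }
    return findings


if __name__ == "__main__":
    for ip, info in find_bruteforce(parse_sshd_lines(SAMPLE_AUTH_LOG)).items():
        print(ip, info)
```

On the sample data only 203.0.113.7 is flagged (five failures in four seconds across four usernames, then an accepted password login for root); 198.51.100.9 has a single failure and stays below the threshold. Run against a real `/var/log/auth.log`, the `success_after_burst` entries are the ones to treat as likely compromises rather than mere noise.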

Outlaw switched from an IRC-based control infrastructure to PHP-based C&C servers

The second variant of the bot also scans for cPanel and Remote Desktop Protocol (RDP) installations, saving them automatically for future attacks.

Although the botnet was controlled using IRC bots when it was first spotted at the beginning of November, the threat group has upgraded the control method to a PHP-based control scheme.

Controlling the botnet through PHP allows the Outlaw threat group to easily add new modules to the bot and to scale its command-and-control (C&C) server infrastructure more easily.

As found by Trend Micro, Outlaw currently controls more than 200,000 bots across the world, with rooted Android devices, "IoT systems, various websites, cloud-based virtual private servers (VPS), compromised Windows servers" being part of their botnet army.

A full list of Indicators of Compromise (IOCs) is available on Trend Micro's TrendLabs Security Intelligence Blog.