One of our honeypots detected a URL spreading a botnet with a Monero miner bundled with a Perl-based backdoor component. The routine caught our attention as the techniques employed are almost the same as those used in the Outlaw hacking group’s previous operation.

During our analysis, we also observed the use of an executable Secure Shell (SSH) backdoor, and noted that the components are now installed as a service to provide persistence to the malware. The Perl-based backdoor component is also capable of launching distributed denial-of-service (DDoS) attacks, allowing the cybercriminals to monetize their botnet through cryptocurrency mining and by offering DDoS-for-hire services.

However, we think that the cybercriminals behind this threat may still be in the testing and development phase, based on the shell script components that were included in the TAR file but left unexecuted.

As of this writing, our telemetry has detected infection attempts in China.

Routine

Our data shows that the malware gains access to the system with brute-force attacks via SSH and executes two possible command files. Components of the file and routine appear similar to those of a published entry, while our sample executed .x15cache, the bash script that downloads the malware.

Figure 1. Targeted machine using brute force via SSH

The shell script downloads, extracts, and executes the miner payload. The extracted TAR file contains folders with scripts and the miner and backdoor components.

Figure 2. Extracting the miner payload and backdoor component

Figure 3. File tree of the extracted TAR file

Folder a contains the cron and anacron binaries, which are the cryptocurrency miners used by the malware. The other files are shell scripts responsible for the execution of the miner components, cleaning, and deletion of competing miners installed in the system. Folder b contains the backdoor components and shell scripts for running and stopping them.

One of the files, rsync, is an initially obfuscated Perl-based Shellbot capable of multiple backdoor commands such as file downloading, shell cmd execution, and DDoS.

Figure 4. Obfuscated Perl script

Figure 5. Code snippet of unobfuscated rsync

Another file, ps, is a Linux executable that serves as an SSH backdoor.

Figure 6. SSH backdoor

The file tree initially showed folder c from dota2[.]tar[.]gz file to be empty. It also contains several binaries and shell scripts, but only a few of those execute during the infection. From our honeypot sample, this may be an indication of the campaign’s being in the testing or development phase. We think that future iterations of this threat will use the unused files.

However, looking around the related URLs ps tries to connect to, we found mage[.]ignorelist[.]com containing a compressed file, dota[.]tar[.]gz. It contains the same file folders a and b as the TAR file downloaded by .x15cache, while folder c now contains the files tsm32 and tsm64, along with other executables and components.

Figure 7. Folder c

The files tsm32 and tsm64 appear to be scanners responsible for propagating the miner and backdoor via SSH brute force, and capable of sending remote commands to download and execute the malware.

Figure 8. tsm32

Figure 9. Remote commands sent by tsm32

The file, .satan is a shell script that installs the backdoor malware as a service. In Linux, files that start with a period are hidden.

Figure 10. .satan file

Conclusion

When we initially uncovered the operation of Outlaw in 2018, we noted how quickly it went from the testing and development phase to compromising more than 200,000 hosts around the world, including mobile devices. In this case, we were able to get samples indicating an attack in its early phase. Initially compromising and infecting systems enables it to widen its reconnaissance and scanning capabilities for more open ports on specific IP addresses, report to the command-and-control (C&C) server, and launch DDoS attacks like User Datagram Protocol (UDP) floods.

Also, the techniques employed here are common and widely known to be exchanged in the underground. Outlaw has made a name for itself by combining malicious cryptocurrency miners with a Perl-based backdoor able to turn its victim machines into a botnet in one DDoS-for-hire service. Given that Perl is installed in the machine, the use of Perl programming language for its backdoor ensures the malware flexibility to execute in both Linux- and Windows-based systems. And should the group decide to sell the code, the maintenance of the code would be easier to the buyer for more possible uses, adjustments, and execution.

We also noticed the presence of an APK file hosted in one of the servers, suggesting that if the cybercriminals decide to go further than just infecting servers, they may decide to attack Android-based devices.

Users are advised to close unused ports and to secure ports that are regularly open for system administrators’ support. Users can also adopt a multilayered security solution that can protect systems from the gateway to the endpoint, actively blocking malicious URLs by employing filtering, behavioral analysis, and custom sandboxing.

Trend Micro Solutions

Customers of the Trend Micro™ TippingPoint™ solution are protected from this threat via these MainlineDV filters:

2573: MINER - TCP (Request)

Indicators of Compromise (IoCs)

File name SHA256 Detection rsync 0d71a39bbd666b5898c7121be63310e9fbc15ba16ad388011f38676a14e27809 Backdoor.Perl.SHELLBOT.AB ps bb1c41a8b9df7535e66cf5be695e2d14e97096c4ddb2281ede49b5264de2df59 Backdoor.Linux.SSHDOOR.AB cron 4efec3c7b33fd857bf8ef38e767ac203167d842fdecbeee29e30e044f7c6e33d Coinminer.Linux.MALXMR.UWEJN anacron 66b79ebfe61b5baa5ed4effb2f459a865076acf889747dc82058ee24233411e2 tsm32 0191cf8ce2fbee0a69211826852338ff0ede2b5c65ae10a2b05dd34f675e3bae Trojan.Linux.SSHBRUTE.A tsm64 085d864f7f06f8f2eb840b32bdac7a9544153281ea563ef92623f3d0d6810e87

URLs

• 146[.]185[.]171[.]227:443

• C&C for Backdoor.Perl.SHELLBOT.AB - 5[.]255[.]86[.]129:3333

• C&C for Backdoor.Linux.SSHDOOR.AB - 54[.]37[.]70[.]249/.satan

• 54[.]37[.]70[.]249/rp

• hxxp://54[.]37[.]70[.]249/.x15cache

• hxxp://54[.]37[.]70[.]249/dota2.tar.gz

• hxxp://54[.]37[.]70[.]249/fiatlux-1.0.0.apk

• APK file hosted on this server - hxxp://mage[.]ignorelist[.]com/dota.tar.gz

• mage[.]ignorelist[.]com

• zergbase[.]mooo[.]com

