Full Report
Cybersecurity researchers have shed light on an "auto-propagating" cryptocurrency mining botnet called Outlaw (aka Dota) that's known for targeting SSH servers with weak credentials. "Outlaw is a Linux malware that relies on SSH brute-force attacks, cryptocurrency mining, and worm-like propagation to infect and maintain control over systems," Elastic Security Labs said in a new analysis
Analysis Summary
# Tool/Technique: Outlaw (Dota) Cryptojacking Malware
## Overview
Outlaw (also known as Dota) is a Linux-based malware family primarily used for cryptojacking operations. It is known for its auto-propagating, worm-like capabilities. The threat actors associated with this malware are also referred to as Outlaw, believed to be of Romanian origin, and have been active since at least late 2018. The primary initial access vector involves brute-forcing SSH credentials.
## Technical Details
- Type: Malware family
- Platform: Linux/UNIX-based operating systems
- Capabilities: SSH brute-forcing, initial access via exploits (CVE-2016-8655, CVE-2016-5195/Dirty COW), self-propagation (worm-like behavior), cryptocurrency mining, persistence via SSH key injection, deployment of SHELLBOT for C2 control.
- First Seen: At least late 2018
## MITRE ATT&CK Mapping
* **TA0001 - Initial Access**
  * T1110 - Brute Force
    * T1110.003 - Password Guessing: Network Service
* **TA0003 - Persistence**
  * T1556 - Authentication Evasion (Inferred via SSH key dropping)
* **TA0007 - Discovery**
  * T1595 - Active Scanning
    * T1595.002 - Internet Service Scanning (Related to SSH scanning for propagation)
* **TA0011 - Command and Control**
  * T1071 - Application Layer Protocol (Relevant to C2 communication, potentially IRC via SHELLBOT)
* **TA0005 - Defense Evasion**
  * T1070 - Indicator Removal on Host (Killing previous miners/traces of compromise)
## Functionality
### Core Capabilities
- **Initial Access:** Executes brute-force attacks against SSH services, often targeting systems with weak credentials. Some variants leverage exploits like CVE-2016-8655 and CVE-2016-5195 (Dirty COW).
- **Infection Chain:** Uses a dropper shell script (e.g., "tddwrt7s.sh") to download and unpack an archive ("dota3.tar.gz") to load the main malware components.
- **Cryptocurrency Mining:** Deploys miners to utilize compromised host CPU resources for cryptocurrency generation.
- **Self-Propagation (BLITZ Component):** Scans the internet for vulnerable systems running SSH to spread autonomously like a worm.
### Advanced Features
- **Persistence via SSH Keys:** Adds the attacker's own SSH key to the victim's `authorized_keys` file to ensure persistent access.
- **Competition Removal:** Actively kills processes related to other cryptocurrency miners (both competitors' and its own older versions) to maximize resource utilization.
- **C2 Integration (SHELLBOT):** Deploys SHELLBOT for remote management, enabling arbitrary command execution, downloading secondary payloads, launching DDoS attacks, credential theft, and data exfiltration.
- **C2 Target List Fetching:** The brute-force module downloads target lists from a C2 server to automate the next wave of attacks.
## Indicators of Compromise
- File Hashes: Not explicitly provided in the text.
- File Names: `tddwrt7s.sh` (dropper script), `dota3.tar.gz` (archive payload).
- Registry Keys: N/A (Linux malware).
- Network Indicators: Command-and-control (C2) servers used to supply target lists and receive SHELLBOT communications (an IRC channel is noted). No specific IPs or domains were provided in the text.
- Behavioral Indicators: SSH brute-forcing activity, presence of new, unauthorized SSH keys in `~/.ssh/authorized_keys`, child processes deploying cryptocurrency mining utilities, attempts to terminate other mining executables.
## Associated Threat Actors
- Outlaw Group (aka Dota Threat Actors)
## Detection Methods
- Signature-based detection: Signatures targeting the known filenames (`tddwrt7s.sh`, `dota3.tar.gz`).
- Behavioral detection: Monitoring for brute-force attempts on SSH, unauthorized modification of SSH configuration files (`authorized_keys`), and processes associated with cryptojacking activity.
- YARA rules: Not explicitly provided in the text.
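As an added illustration of the behavioral detections listed above (example code written for this summary, not code from the report or from Elastic Security Labs): a small Python script that flags SSH brute-force sources from sshd log lines, notes a password login that succeeded after failures from the same source, and audits an `authorized_keys` file against an allowlist of approved key blobs. The log lines, key blobs, threshold and window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd lines (not from the report); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_AUTH_LOG = """\
Mar 10 12:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Mar 10 12:00:02 host sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Mar 10 12:00:03 host sshd[1003]: Failed password for root from 203.0.113.5 port 40003 ssh2
Mar 10 12:00:05 host sshd[1004]: Accepted password for root from 203.0.113.5 port 40004 ssh2
Mar 10 12:00:09 host sshd[1005]: Failed password for alice from 198.51.100.7 port 50001 ssh2
Mar 10 12:30:00 host sshd[1006]: Accepted publickey for alice from 198.51.100.7 port 50002 ssh2
"""
SSHD_RE = re.compile(r"^(\w{3} {1,2}\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) (\w+) for "
                     r"(?:invalid user )?(\S+) from (\S+) port")

def find_bruteforce(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return (hits, guessed): hits maps source IP -> failure count once >= threshold inside `window`;
    guessed lists (ip, user) where a password login succeeded after failures from the same source."""
    failures, hits, guessed = defaultdict(list), {}, []
    for line in log_text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue
        stamp, result, method, user, ip = m.groups()
        ts = datetime.strptime(stamp, "%b %d %H:%M:%S")  # syslog has no year; 1900 is fine for windowing
        if result == "Failed":
            failures[ip] = [t for t in failures[ip] if ts - t <= window] + [ts]
            if len(failures[ip]) >= threshold:
                hits[ip] = len(failures[ip])
        elif method == "password" and failures[ip]:
            guessed.append((ip, user))
    return hits, guessed

# Constructed authorized_keys content; KNOWN_KEYS stands in for the admin's allowlist of approved key blobs.
KNOWN_KEYS = {"AAAAC3NzaC1lZDI1NTE5AAAAIConstructedApprovedKeyBlob"}
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedApprovedKeyBlob alice@laptop
ssh-rsa AAAAB3NzaC1yc2EConstructedUnknownKeyBlob unknown@unknown
"""

def unauthorized_keys(text, known_keys):
    """Return (key_type, comment) for every authorized_keys entry whose key blob is not allowlisted."""
    flagged = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if not parts[0].startswith(("ssh-", "ecdsa-", "sk-")):
            parts = parts[1:]  # drop a leading options field such as no-pty,from="..." (no spaces assumed)
        if len(parts) >= 2 and parts[1] not in known_keys:
            flagged.append((parts[0], " ".join(parts[2:]) or "<no comment>"))
    return flagged
```

In the constructed sample the first function reports 203.0.113.5 with three failures followed by a successful password login as root, and the second flags the unlisted `ssh-rsa` key; in production the allowlist would be the fingerprints your provisioning system actually issued.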
## Mitigation Strategies
- **Strong Credentials:** Enforce strong, unique passwords for all SSH and Telnet services.
- **Disable/Secure Remote Access:** Restrict SSH access only to necessary IP addresses using firewall rules. Consider disabling Telnet entirely.
- **Patching:** Ensure Linux/Unix kernels are patched against known vulnerabilities, specifically CVE-2016-8655 and CVE-2016-5195 (Dirty COW).
- **Key Management:** Regularly audit `~/.ssh/authorized_keys` files for unauthorized public keys.
- **Process Monitoring:** Monitor system processes for unrecognized mining operations and attempts to kill existing processes.
## Related Tools/Techniques
- SHELLBOT (used by Outlaw for post-exploitation control)
- BLITZ (The self-propagation module of Outlaw)
- Other Cryptojacking Botnets: 8220, Keksec (Kek Security), Kinsing, TeamTNT.