skip to Main Content

Cybercrime, a new crypto-botnet is targeting european organizations

Yoroi ZLab: Cybercrime is targeting european organizations with a new crypto-botnet. Is the work of the “Outlaw Hacking Group”, and the malware is a variant of “Shellbot” with new IRC server and Monero pools

A new crypto-botnet is targeting european organizations. It has been discovered by Yoroi ZLab cyber security experts. The researchers, during their monitoring activities, intercepted a singular Linux malware trying to penetrate the network of some of our customers. It is the well-known “Shellbot”, it is a crimetool belonging to the arsenal of a threat actor tracked as the “Outlaw Hacking Group.” The cybercrime gang was first spotted by TrendMicro in 2018 when it targeted automotive and financial industries. The Outlaw Botnet uses brute force and SSH exploit (exploit Shellshock Flaw and Drupalgeddon2 vulnerability) to achieve remote access to the target systems, including server and IoT devices. The main component of this malware implant is a variant of “Shellbot”, a Monero miner bundled with a Perl-based backdoor, which includes an IRC-based bot and an SSH scanner. It targets organizations worldwide with new IRC server and Monero pools.

How the infection chain works according to the cyber security experts

According to the cyber security experts, the infection chain starts with the hack of a Linux server, after a SSH brute-force attack. The Access Logs include requests coming from different source IP addresses with a delay of about 30 seconds from each other. Using this trick, the cybercrime bruteforce is able to bypass lockout login mechanisms such as Fail2Ban. Once the machine is fully compromised, the attacker will install a complete hacking suite, composed of an IRC bot, an SSH scanner, a bruteforce tool, and an XMRIG crypto-miner. All the malicious logic is opportunely managed by several bash or perl scripts. The Outlaw Botnet is still active and it is targeting organizations worldwide with new monero pools and different C2. The Command and Control IRC server is down at the time of writing, but the two C2 which provide the victim IPs list are still active. This means that, most probably, the gang will deploy a new IRC server leaving the rest of the infrastructure untouched. 

Back To Top