Outlaw IRC Botnet

Two new variants of the Outlaw hacking group’s botnet have been observed. The Outlaw botnet targets organisations worldwide and is based on the Shellbot remote access trojan. It uses a complex IRC-based command and control infrastructure to deliver different variants of the bot to devices depending on their configuration.

The first variant of the botnet is used for cryptocurrency mining and for further discovery of new devices. Once installed on a Linux or Android device, it will terminate competing mining applications before downloading the XMRig mining module. Certain versions of this variant can hijack mining applications or wallets that are already present on a device. It will also use the haiduc tool to scan for new devices and perform brute-force attacks against them to propagate.

The second variant is focused on Microsoft devices and uses a hard-coded list of servers with the libc.so.6 library to supply new targets for the botnet. The haiduc tool is then used to locate these targets and deploy exploits to gain access. It will then use Remote Desktop Protocol (RDP) and cPanel exploits to escalate its privileges, propagate internally and collect system information.

The botnet itself, which has been available on GitHub, had previously been spread through the Shellshock vulnerability. Trend's research found that it is now spreading through previously brute-forced or compromised hosts.

Affected Platforms:

  • Google Android – All versions
  • Linux Distributions
  • Microsoft Windows – All versions

Indicators of Compromise


Duncan Newell

Duncan is a technology professional with over 20 years' experience working in various IT roles. He also has a wide range of other skills in radio, electronics and telecommunications.
