Outlaw Cryptocurrency Mining Botnet: The Rising Threat in Cybersecurity

Listen to this Post

Cryptocurrency mining has become a popular but dangerous avenue for cybercriminals, with botnets being a preferred method for hijacking systems to mine coins. Among the most notorious of these is the Outlaw botnet, also known as Dota, which continues to target weakly secured SSH servers to spread its infection. Active since late 2018, the Outlaw botnet utilizes multiple attack vectors to exploit Linux-based systems, including brute-force SSH attacks, cryptocurrency mining, and worm-like propagation. This article delves into the operations, techniques, and persistence of the Outlaw malware.

Overview of the Outlaw Botnet

The Outlaw botnet is a highly active and self-propagating malware that primarily targets Linux-based servers with weak SSH credentials. The botnet, which has been operating since at least late 2018, relies on SSH brute-force attacks to gain initial access to compromised systems. Once access is achieved, it maintains control by modifying SSH keys in the “authorized_keys” file, ensuring that the attackers can always re-enter the system.

The malware’s main goal is to hijack systems for cryptocurrency mining purposes, utilizing a mining software known as XMRig. However, the Outlaw botnet doesn’t stop there. It employs a multi-stage infection process that enables it to spread across networks. It leverages a dropper shell script (“tddwrt7s.sh”) to download and execute a malicious archive file (“dota3.tar.gz”) containing the mining software.

Outlaw’s self-propagation capabilities are particularly alarming. Through a component known as BLITZ, the malware scans for vulnerable SSH services, allowing it to spread like a worm to other machines. This feature turns the botnet into a constantly growing network of infected systems, each contributing to the mining efforts. To further its persistence, the malware ensures that it can maintain remote control by deploying SHELLBOT. This component enables attackers to execute arbitrary commands, steal credentials, and perform other malicious activities.

Moreover, Outlaw is not limited to only exploiting SSH vulnerabilities; it also targets older Linux systems vulnerable to known exploits like CVE-2016-8655 and CVE-2016-5195, commonly referred to as Dirty COW. The botnet can also target systems with weak Telnet credentials, expanding its reach.

Persistence and Defense Evasion Tactics

One of the most troubling aspects of Outlaw is its ability to remain active despite its reliance on relatively simple techniques. The botnet relies on SSH brute-forcing, key manipulation, and cron jobs to ensure it maintains control over compromised systems. These techniques allow it to evade detection and removal by administrators, ensuring that the attack continues unabated.

The Outlaw malware also employs a number of tactics to avoid detection and strengthen its foothold on infected systems. It uses a binary called “kswap01” to maintain communication with the botnet’s command-and-control infrastructure. This ensures that attackers can continue issuing commands to the compromised machines, such as running further payloads or launching DDoS attacks. Outlaw also steals sensitive information, like login credentials, and exfiltrates it to the attackers, furthering its malicious goals.

In addition to mining cryptocurrency, Outlaw’s flexible design allows it to perform a range of malicious activities, including launching DDoS attacks, executing arbitrary shell commands, and installing additional malware. Its ability to infect a wide variety of systems with weak security configurations makes it a persistent threat in the cyber landscape.

What Undercode Say:

The Outlaw botnet is an example of how cybercriminals are increasingly using automation to exploit weak system defenses and spread malware across networks. The botnet’s reliance on SSH brute-forcing and key manipulation highlights the importance of maintaining strong credentials and securing remote access protocols. Despite using simple techniques like SSH key manipulation and cron jobs, the Outlaw malware is capable of causing significant damage. Its ability to self-propagate and hijack systems for cryptocurrency mining underscores the growing trend of cryptojacking, where attackers exploit the computing power of compromised machines to mine digital currencies.

One of the most concerning aspects of Outlaw is its persistence. The botnet continues to operate with relative success, even though it relies on known vulnerabilities and relatively simple attack vectors. This highlights a critical flaw in the cybersecurity defenses of many systems—weak or reused credentials, outdated software, and poorly secured remote access services.

Another key takeaway from the Outlaw case is the importance of defense-in-depth strategies. While securing SSH keys and hardening access controls can mitigate many attacks, malware like Outlaw demonstrates the need for broader security measures, such as intrusion detection systems, regular vulnerability patching, and network segmentation. Additionally, its use of multi-stage infections and self-propagation means that detecting and removing the malware can be a lengthy process, particularly if proper monitoring and security protocols are not in place.

The rise of cryptocurrency mining botnets like Outlaw also points to a growing challenge in cybersecurity—how to protect against financially motivated attacks that can cause both direct and indirect damage. Cryptojacking might not immediately steal data or money, but it can significantly degrade system performance, increase energy consumption, and contribute to long-term hardware wear and tear.

Fact Checker Results

  • Outlaw’s SSH Brute-Force Attacks: Verified as a known method of entry for the botnet.
  • Exploitation of Known Vulnerabilities (Dirty COW): Confirmed; Outlaw targets systems with outdated Linux kernel vulnerabilities.
  • Cryptocurrency Mining: Accurate; Outlaw uses modified XMRig miners for cryptojacking activities.

References:

Reported By: https://thehackernews.com/2025/04/outlaw-group-uses-ssh-brute-force-to.html
Extra Source Hub:
https://stackoverflow.com
Wikipedia
Undercode AI

Image Source:

Pexels
Undercode AI DI v2

Join Our Cyber World:

💬 Whatsapp | 💬 TelegramFeatured Image