After several months of silence, the Outlaw hacking group has reemerged with updated tools designed to steal information and hijack victims' computing power to mine cryptocurrency.
According to a recent Trend Micro report, the threat group, first spotted in 2018, has begun to infiltrate Linux- and Unix-based operating systems, vulnerable servers, and internet of things (IoT) devices by exploiting known vulnerabilities for which exploits are publicly available. The group had been quiet since June last year, but Trend Micro said it detected an increase in Outlaw's activity in December, with targeting shifting from China to the United States and Europe.
The researchers said Outlaw used a combination of pre-existing tools and new techniques to monitor for programs that could detect its malware. The updates include “expanded scanner parameters and targets, looped execution of files via error messages, improved evasion techniques for scanning activities, and improved mining profits by killing off both the competition and their own previous miners.”
In the new campaign the researchers observed the group using the Linux kernel vulnerability CVE-2016-8655 and the Dirty COW exploit (CVE-2016-5195) as entry points to target devices, as well as PHP-based web shells and attempts to crack servers with weak SSH and Telnet credentials.
"It appears that they're going after enterprises who have yet to patch their systems, as well as companies with Internet-facing systems with weak to no monitoring of traffic and activities," the researchers said.
Samples analysed by the team indicate that, apart from cryptojacking, the group is exploring additional sources of income. More specifically, one of the discovered malware variants is focused on the theft of data from compromised servers, mainly in the automotive and finance industries. This information could then be sold for a profit, the researchers said.
The findings suggest that enterprises may not be the group's sole interest, as the researchers found traces of Android Package Kit (APK) and Android Debug Bridge (ADB) commands that enable cryptocurrency mining on Android-based TVs.
“Since discovering the operations of this group in 2018, Outlaw continues to use scripts, codes, and commands that have been previously used and deployed. These routines are indicative of the group’s aim to get quantitative returns through varied cybercriminal profit streams,” the researchers said.
Those interested in the technical details of the group's activity can find the full analysis in Trend Micro's write-up.