'Outlaw Hacking Group' Resurfaces

What Happened

In a recent digital forensic analysis activity that was conducted in February 2022 by CYE’s Critical Cyber Operations group, our team analyzed an image of a client’s suspicious Linux server that was reported to be sending brute force attacks worldwide. The team concluded that not only had the server indeed been breached, but they found a range of malicious tools including scripts and malware installed on it. Two highly active tools were designed for conducting crypto mining and SSH brute forcing additional servers.

Relying on the identified IOCs (SSH-key comment, malicious tools & script names, directory hierarchy) we can conclude that it is very similar to an attack that was conducted back in April 2020 by the “Outlaw Hacking Group”. The Outlaw Hacking Group was first spotted by TrendMicro in 2018 when the cybercriminals targeted the automotive and financial industries. This activity and attacker assets have led us to the belief that the attacker never stopped their activity rather they changed some IOCs. To the best of our knowledge, the malware they are using is changing frequently making it hard for conventional antiviruses to catch.

Although Outlaw is believed to be a financial actor attacking networks for Cryptocurrency harvesting, we are concerned they might do more than that if an opportunity presents itself. We assess that we discovered the incident at the beginning before any breached companies even noticed. And as before, they have attacked extensively in Europe. This is probably the case this time as well, but there is still no evidence from other companies. This attack was not targeted to this specific company but as part of a wider attack which is why it’s crucial to alert it. To our knowledge, “Outlaw” hasn’t been active since 2020, Some of the tools that he used this time around are new to him and they indicate a certain evolution in his conduct.

A Glance at the Details

In a recent investigation by CYE’s Critical Cyber Operations group, we have encountered renewed activities from this group, with some surprising changes in the detected Tactics, Techniques, and Procedures (TTP’s). The group has incorporated new tools and tactics in their attack that are worth mentioning with the use of XORDDOS tool first spotted by TrendMicro in 2020.

The investigation showed that the attacker was using two methods in order to gain persistence. First, their tools create init startup scripts and cron jobs, then they drop their SSH key into the “authorized_keys” file to be able to log in to the attacked machine even if the victim user changes their password. Moreover, the attacker has changed the root password for the server. One of the files that were downloaded contained tens of thousands of IP addresses for the SSH brute force to attack.

From our investigation, we conclude that the last successful log-in by the attacker to the server was from the following IP: 46.101.189.37. VirusTotal indeed shows that this IP is recognized as malicious by some engines.

Tactics, Techniques, and Procedures (TTPs) found in the investigation:

1. Root password change: By analyzing the timeline of the events that occurred after the server's breach, we saw that the attacker executed the built-in Linux tool for changing passwords “chpasswd” under the path “/usr/sbin/chpasswd”.
2. SSH backdoor: By analyzing the timeline of events that occurred after the server breach, we saw that the attacker executed the built-in Linux tool “mkdir” to create a directory. The directory that the attacker created is “/root/.ssh”, within this directory, the attacker created a new file by the name “authorized_keys”. This file’s content specifies the SSH keys that can be used for logging into the user account for which the file is configured; in our case, this is for the root user.
3. Cron jobs and Init startup scripts: We found that the attacker added an entry to the /etc/crontab file on our investigation of known persistence techniques. This file contains a list of commands that are meant to be run at specified times. The entry that the attacker added is scheduled to perform the execution of a malicious script /etc/cron.hourly/gcc.h every 3 minutes with root permissions. Further investigation at /etc/cron. The hourly directory revealed two more malicious scripts. The first script file name is poldgmggltssqz.sh and the second is zqkxeruogd.sh. By placing the scripts at the cron.hourly directory, the attacker gained hourly execution of their scripts: • The gcc.h script purpose is to execute the malicious ELF binary of the attacker located at /lib/libudev.so. • The poldgmggltssqz.sh script purpose is to execute malicious ELF binary located at /usr/bin/poldgmggltssqz • The zqkxeruogd.sh script purpose is to execute malicious ELF binary located at /usr/bin/zqkxeruogd. These three malicious ELF binary files are variants of the well-known XORDDOS Linux malware.
4. Crypto miner: From further investigation of the timeline, we saw that the attacker used the sftp-server tool installed on the server to download a tar.gz file that contains all his malicious tools and scripts. The file has been downloaded to a hidden directory within “/tmp/.X25-unix/dota3.tar.gz”. The attacker extracted all the files from the tar.gz to another hidden directory at “/tmp/.X25-unix/.rsync”, and then copied the files to another hidden directory at “/root/.configrc”. The attacker executed the init script from the “.rsync” directory. This script cleans the machine from other infections of these tools and then starts to change the cron jobs of the server; at the same time, the attacker executed the malicious ELF binary file “kswapd0” from the “.rsync/a” directory. This file appears to be a new variant of the Crypto miner tool that this attacker group uses.
5. SSH brute force: The SSH brute force tool is located at the /tmp/.X25-unix/.rsync/c/ directory. As explained in the previous section, this directory and its content were extracted from the dota3.tar.gz file. This script executed another script within the directory, the “tsm” script, that started the malicious ELF binary tsm64 SSH brute force tool and its shared object ELF “tsm” file located at “/tmp/.X25-unix/.rsync/c/lib/64/tsm”. One of its parameters is a text file that contains the list of IP addresses that will be attacked from that tool.

Suggested Actions

Generally, to mitigate the risk of threats like this, we recommend disabling the possibility to log in with credentials and allowing login only with SSH-key, locking out the possibility for root login from outside the company network and changing the default SSH port. In addition, we recommend always keeping the system up to date. To further lower the risk, it is recommended to conduct proactive measures such as a continued CTI effort to help identify and assess emerging threats and "Threat Hunting" operations within the organization.

Specifically for the Current Situation, we Recommend Implementing the Following Actions:

• Block the identified malicious IP 46.101.189.37 to block additional potential attempts by the attacker in the near future.

• Ingest the following IOC list into your security systems to detect other potentially breached machines within the organization.