Outlaw Hacker Group Launches SSH Brute-Force Attacks to Spread Cryptojacking Malware on Linux Servers

By jinia

Cybersecurity experts have uncovered a self-spreading Linux botnet known as Outlaw (also called Dota), which is aggressively targeting servers with weak SSH credentials to deploy cryptojacking malware and maintain long-term access.


⚠️ What Is the Outlaw Group?

The Outlaw threat group, believed to originate from Romania, has been active since at least late 2018. This cybercriminal gang is notorious for launching SSH brute-force attacks on vulnerable Linux and Unix systems to install cryptocurrency miners and establish backdoors using persistent SSH keys.


🚨 Key Attack Techniques Used by Outlaw

According to a new report from Elastic Security Labs, the Outlaw malware combines brute-force attacks, worm-like propagation, and resource hijacking to turn compromised machines into crypto mining bots. Here's how the attack unfolds:


  • Initial Access via SSH Brute-Force: The malware targets servers running SSH with weak or default credentials.

  • Auto-Propagation Mechanism: A specialized module (dubbed BLITZ) scans and spreads across the network to infect more systems using botnet-style logic.

  • Dropper Script Execution: A shell script (tddwrt7s.sh) is used to download and unpack a malicious archive (dota3.tar.gz), which deploys the miner and removes signs of previous infections.

  • Persistence via SSH Key Injection & Cron Jobs: The attackers inject their own keys into the authorized_keys file and use cron-based jobs to maintain long-term access.



🧠 Advanced Tactics & Exploits

Outlaw's evolving toolkit has also been observed exploiting critical Linux vulnerabilities, such as:

  • CVE-2016-8655 – A privilege escalation flaw in the Linux kernel.

  • CVE-2016-5195 (Dirty COW) – A high-profile kernel vulnerability allowing attackers to gain write access to read-only memory.


The malware also targets systems with weak Telnet credentials and uses SHELLBOT, a remote access Trojan that connects to a command-and-control (C2) server over IRC.


🧰 Capabilities of SHELLBOT:

  • Executes arbitrary shell commands

  • Launches DDoS attacks

  • Downloads additional payloads

  • Steals sensitive information and credentials

  • Maintains full remote control over infected systems


🧱 Resource Optimization for Mining

To maximize cryptomining performance, the malware:

  • Detects the infected system’s CPU

  • Enables HugePages for all cores to optimize memory usage

  • Deploys a modified XMRig miner

  • Uses a disguised binary (kswap01) to maintain C2 communication
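As an added, defender-side illustration (not code from the article or from Elastic's report), the following Python script shows how the two observables named above can be triaged on a host: the SSH brute-force attempts from the initial-access step, read from syslog-style sshd lines, and the file names the article attributes to the toolchain (tddwrt7s.sh, dota3.tar.gz, kswap01). The log lines and paths are constructed for the demo; the regex assumes the standard OpenSSH "Failed password" message format.

```python
"""Triage helpers for the Outlaw tradecraft described above.

Constructed example: the log lines and path list below are made up for
the demonstration; the indicator names come from the article (dropper
tddwrt7s.sh, archive dota3.tar.gz, C2 binary kswap01).
"""
import re
from collections import Counter

# Matches OpenSSH failure lines in a typical syslog-style auth.log.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

# File names the article attributes to the Outlaw toolchain.
OUTLAW_NAMES = {"tddwrt7s.sh", "dota3.tar.gz", "kswap01"}


def brute_force_sources(log_lines, threshold=5):
    """Return {ip: failure_count} for sources at or above the threshold."""
    counts = Counter()
    for line in log_lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def suspicious_paths(paths):
    """Return paths whose basename matches an Outlaw artifact name."""
    return [p for p in paths if p.rsplit("/", 1)[-1] in OUTLAW_NAMES]


# Constructed sample input (not real telemetry); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    "Apr  1 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 40122 ssh2",
    "Apr  1 10:00:02 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 40123 ssh2",
    "Apr  1 10:00:03 host sshd[1203]: Failed password for root from 203.0.113.7 port 40124 ssh2",
    "Apr  1 10:00:04 host sshd[1204]: Failed password for root from 203.0.113.7 port 40125 ssh2",
    "Apr  1 10:00:05 host sshd[1205]: Failed password for root from 203.0.113.7 port 40126 ssh2",
    "Apr  1 10:00:06 host sshd[1206]: Accepted publickey for deploy from 198.51.100.9 port 50001 ssh2",
    "Apr  1 10:00:07 host sshd[1207]: Failed password for root from 198.51.100.9 port 50002 ssh2",
]
SAMPLE_PATHS = ["/tmp/tddwrt7s.sh", "/tmp/kswap01", "/usr/bin/ls"]

if __name__ == "__main__":
    print(brute_force_sources(SAMPLE_LOG))  # {'203.0.113.7': 5}
    print(suspicious_paths(SAMPLE_PATHS))   # ['/tmp/tddwrt7s.sh', '/tmp/kswap01']
```

On a live host the same functions can be fed `/var/log/auth.log` (or `journalctl -u ssh` output) and a `find /tmp /var/tmp /home -type f` listing; a single source crossing the threshold is the signal to review `authorized_keys` and the crontabs for the persistence step described above.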


🛡️ Persistent Yet Simple

Despite relying on basic tactics—such as SSH brute-forcing, cron-based persistence, and publicly available scripts—Outlaw has managed to remain active and dangerous. Its use of IRC-based communication, XMRig-based miners, and clever defense evasion makes it a persistent threat in the Linux cryptojacking landscape.