Outlaw Linux Malware: Persistent, Unsophisticated, and Surprisingly Effective

April 4, 2025, 7:26 a.m.

Description

OUTLAW is a persistent Linux malware that uses basic techniques like SSH brute-forcing, SSH key manipulation, and cron-based persistence to maintain a long-lasting botnet. Despite its lack of sophistication, it remains active by leveraging simple but impactful tactics. The malware deploys modified XMRig miners, uses IRC for command and control, and includes publicly available scripts for persistence and defense evasion. OUTLAW's infection chain spans nearly the entire MITRE ATT&CK framework, offering many detection opportunities. It propagates in a worm-like manner, using compromised hosts to launch further SSH brute-force attacks on local subnets, rapidly expanding the botnet.

Date

  • Created: April 3, 2025, 10:07 p.m.
  • Published: April 3, 2025, 10:07 p.m.
  • Modified: April 4, 2025, 7:26 a.m.

Indicators


Attack Patterns

  • BLITZ
  • OUTLAW
  • STEALTH SHELLBOT
  • XMRig