Outlaw Linux Malware: Persistent, Unsophisticated, and Surprisingly Effective
Essential information
- Published: 03/04/2025 22:07
- Modified: 04/04/2025 07:26
- Tags: 2025-04-03, blitz, botnet, brute-force, cryptocurrency mining, irc, linux, outlaw, persistence, ssh, stealth, shellbot, worm, xmrig
- Related entities: 87 observables, 1 intrusion set (apt), 11 techniques (mitre), 4 malware
Description
OUTLAW is a persistent Linux malware family that relies on basic techniques such as SSH brute-forcing, SSH key manipulation, and cron-based persistence to maintain a long-lived botnet. Despite its lack of sophistication, it remains active by combining simple but effective tactics. The malware deploys modified XMRig miners, uses IRC for command and control, and bundles publicly available scripts for persistence and defense evasion. OUTLAW's infection chain touches nearly every tactic in the MITRE ATT&CK framework, which gives defenders many detection opportunities. It propagates in a worm-like manner: each compromised host launches further SSH brute-force attacks against its local subnets, so the botnet expands rapidly.