{ "name": "Outlaw Linux Malware: Persistent, Unsophisticated, and Surprisingly Effective", "slug": "outlaw-linux-malware-persistent-unsophisticated-and-surprisingly-effective", "description": "OUTLAW is a persistent Linux malware that uses basic techniques like SSH brute-forcing, SSH key manipulation, and cron-based persistence to maintain a long-lasting botnet. Despite its lack of sophistication, it remains active by leveraging simple but impactful tactics. The malware deploys modified XMRig miners, uses IRC for command and control, and includes publicly available scripts for persistence and defense evasion. OUTLAW's infection chain spans nearly the entire MITRE ATT&CK framework, offering many detection opportunities. It propagates in a worm-like manner, using compromised hosts to launch further SSH brute-force attacks on local subnets, rapidly expanding the botnet.", "published": "2025-04-03T20:07:27+00:00", "created_at": "2025-04-03T20:07:27+00:00", "modified_at": "2025-04-04T05:26:33+00:00", "created_at_opencti": "2025-04-03T20:07:27+00:00", "author": "", "confidence": null, "report_types": [], "labels": [], "tags": [ "2025-04-03", "blitz", "botnet", "brute-force", "cryptocurrency mining", "irc", "linux", "outlaw", "persistence", "ssh", "stealth shellbot", "worm", "xmrig" ], "related_entities": { "observables": [ { "id": "", "name": "80.79.125.90" }, { "id": "", "name": "5.180.174.50" }, { "id": "", "name": "216.70.68.24" }, { "id": "", "name": "38.153.121.114" }, { "id": "", "name": "195.3.223.76" }, { "id": "", "name": "194.195.87.185" }, { "id": "", "name": "193.86.16.40" }, { "id": "", "name": "185.31.200.33" }, { "id": "", "name": "185.196.9.59" }, { "id": "", "name": "185.196.8.139" }, { "id": "", "name": "185.140.12.250" }, { "id": "", "name": "179.43.180.83" }, { "id": "", "name": "179.43.180.82" }, { "id": "", "name": "179.43.139.85" }, { "id": "", "name": "179.43.139.86" }, { "id": "", "name": "179.43.139.84" }, { "id": "", "name": "161.97.155.235" }, { "id": "", "name": "162.62.119.8" }, { "id": "", "name": "157.245.129.95" }, { "id": "", "name": "146.190.154.178" }, { "id": "", "name": "151.80.60.214" }, { "id": "", "name": "138.201.127.36" }, { "id": "", "name": "137.110.133.146" }, { "id": "", "name": "138.197.212.204" }, { "id": "", "name": "135.181.139.72" }, { "id": "", "name": "109.172.88.16" }, { "id": "", "name": "104.237.145.240" }, { "id": "", "name": "104.254.92.82" }, { "id": "", "name": "87.106.232.3" }, { "id": "", "name": "67.205.134.224" }, { "id": "", "name": "51.77.42.80" }, { "id": "", "name": "5.75.193.141" }, { "id": "", "name": "46.101.121.35" }, { "id": "", "name": "37.139.10.109" }, { "id": "", "name": "217.160.20.207" }, { "id": "", "name": "213.165.82.144" }, { "id": "", "name": "207.244.252.98" }, { "id": "", "name": "198.199.109.204" }, { "id": "", "name": "179.43.139.83" }, { "id": "", "name": "178.128.19.209" }, { "id": "", "name": "167.172.213.233" }, { "id": "", "name": "150.128.97.41" }, { "id": "", "name": "149.202.87.176" }, { "id": "", "name": "104.194.151.101" }, { "id": "", "name": "185.247.224.154" }, { "id": "", "name": "185.165.169.188" }, { "id": "", "name": "212.234.225.29" }, { "id": "", "name": "51.222.157.209" }, { "id": "", "name": "45.136.17.53" }, { "id": "", "name": "23.95.88.161" }, { "id": "", "name": "192.227.87.87" }, { "id": "", "name": "208.109.214.175" }, { "id": "", "name": "208.109.39.41" }, { "id": "", "name": "91.107.150.117" }, { "id": "", "name": "51.161.82.138" }, { "id": "", "name": "159.203.59.241" }, { "id": "", "name": "85.190.254.87" }, { "id": "", "name": "69.176.201.30" }, { "id": "", "name": "37.252.7.2" }, { "id": "", "name": "37.27.199.65" }, { "id": "", "name": "5.196.88.152" }, { "id": "", "name": "5.189.140.128" }, { "id": "", "name": "23.97.216.213" }, { "id": "", "name": "188.68.222.164" }, { "id": "", "name": "62.169.20.214" }, { "id": "", "name": "213.199.46.247" }, { "id": "", "name": "171.22.31.23" }, { "id": "", "name": "138.68.140.83" }, { "id": "", "name": "68.183.221.93" }, { "id": "", "name": "161.35.212.49" }, { "id": "", "name": "157.230.127.232" }, { "id": "", "name": "161.35.72.143" }, { "id": "", "name": "161.35.180.46" }, { "id": "", "name": "51.79.68.96" }, { "id": "", "name": "161.35.231.77" }, { "id": "", "name": "161.35.198.197" }, { "id": "", "name": "161.35.212.32" }, { "id": "", "name": "159.223.105.130" }, { "id": "", "name": "185.217.131.229" }, { "id": "", "name": "45.175.75.254" }, { "id": "", "name": "152.32.202.213" }, { "id": "", "name": "134.209.42.7" }, { "id": "", "name": "e13c9eb1aa911b21615c7496f5c0f14e133d96d20e7d7f24e97e8519d50a17d1" }, { "id": "", "name": "5a3291a81d961053fcb5495973c5aa9755ae4b54a689947914489f7fb4fe7f71" }, { "id": "", "name": "5a0121f8dd9f391762c7f6dd525641000ed64f8a5669f14b67e56b387069d4fe" }, { "id": "", "name": "4cce28bb4390e1a653b09e9bf03aaf7867f00c3cd94b9d52f4775719112708c9" }, { "id": "", "name": "c3efbd6b5e512e36123f7b24da9d83f11fffaf3023d5677d37731ebaa959dd27" } ], "malware": [ { "id": "legacy:malware:6d199aca996a9a8b", "name": "BLITZ", "slug": "blitz" }, { "id": "legacy:malware:9c65cc08326b74db", "name": "OUTLAW", "slug": "outlaw" }, { "id": "legacy:malware:78eb7193e66710bf", "name": "STEALTH SHELLBOT", "slug": "stealth-shellbot" }, { "id": "legacy:malware:83adebc6ef4eb478", "name": "XMRig", "slug": "xmrig" } ], "intrusion_sets": [ { "id": "48d0c51d-807f-4751-bb39-ea85414d0c2e", "name": "OUTLAW", "slug": "outlaw" } ], "attack_patterns": [ { "id": "444de5e0-bd7f-4700-b700-26320057dd80", "name": "T1110" }, { "id": "16e26db7-7376-40c1-b8a9-23d56c44f7ee", "name": "T1571" }, { "id": "3245033a-53c4-454c-873a-fb653af0bf8a", "name": "T1552" }, { "id": "70616b2f-4019-4963-b758-5d9f6f20e201", "name": "T1082" }, { "id": "6d618903-d9f6-4747-aec2-7630f43c1908", "name": "T1496" }, { "id": "820fbdf8-7db2-4292-9a60-7eed3567be8d", "name": "T1210" }, { "id": "41ad5d62-aa6a-47d6-a9a9-fb2209601099", "name": "T1098" }, { "id": "0c836307-129e-4ff7-a532-180c633cacba", "name": "T1027" }, { "id": "bb20a9e1-f4f6-459d-94f4-470c6867dc2d", "name": "T1053" }, { "id": "fa3b8b48-d97c-4242-83a6-07d435a5a79e", "name": "T1041" }, { "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221", "name": "T1059" } ] }, "external_refs": [ "https://www.elastic.co/security-labs/outlaw-linux-malware", "https://otx.alienvault.com/pulse/67ef069f9224aa64d79e6a8e" ] }