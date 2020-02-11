Hijacked botnet: someone is working on the Phorpiex malware


The Outlaw hacking group has quietly returned after months of silence with an improved toolset built for data theft and for hijacking corporate resources to mine cryptocurrency.

Outlaw, first spotted in 2018, is a threat group that spent last year in a testing and malware-development phase.

In June 2019, Trend Micro researchers said that unexecuted malicious commands and clues in the shell-script components of a botnet built by the group indicated that Chinese victims were likely being used as guinea pigs for botnet-based cryptocurrency-mining campaigns.


The botnet is equipped with a Monero (XMR) miner and after a period of inactivity is now enhanced with improvements, including the ability to find and eradicate existing cryptocurrency miners on infected systems.

Trend Micro noted an increase in activity in December, with attacks moving from the Chinese testing ground to the US and Europe, the security company said in a blog post on Monday.

According to the team, other upgrades have also taken place, including “extensive scanner parameters and targets, loop execution of files via error messages, improved avoidance techniques for scanning activities and improved mining profits by killing both the competition and their own previous miners.”


Outlaw focuses on Linux and Unix-based operating systems, Internet of Things (IoT) devices and vulnerable corporate servers.

Currently, Outlaw is exploring CVE-2016-8655 and the Dirty COW exploit (CVE-2016-5195) as potential entry points, alongside PHP-based web shells dropped on servers that were broken into through weak SSH and Telnet credentials. These vulnerabilities are years old, so the focus on them suggests Outlaw wants to stay under the radar by going after servers with virtually no security controls or patching processes.

“It seems that they are chasing after companies that still have to patch their systems, as well as companies with internet-oriented systems with little to no traffic and activity monitoring,” the researchers say.
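The combination the researchers describe, weak SSH credentials on exposed servers with little or no activity monitoring, is exactly what a simple log check catches. The following is an added example (not Trend Micro's code and not part of the original article): it reads standard OpenSSH `auth.log` lines, counts failed password attempts per source address, and raises an alert when a password login succeeds from an address that has already failed at least `threshold` times. The log lines are constructed for illustration; the addresses are reserved documentation ranges.

```python
import re
from collections import defaultdict

# Constructed sample of OpenSSH auth.log lines (illustrative, not real data).
SAMPLE_LOG = """\
Feb 10 03:12:01 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51122 ssh2
Feb 10 03:12:03 web01 sshd[2213]: Failed password for root from 203.0.113.7 port 51130 ssh2
Feb 10 03:12:05 web01 sshd[2215]: Failed password for invalid user admin from 203.0.113.7 port 51140 ssh2
Feb 10 03:12:07 web01 sshd[2217]: Failed password for root from 203.0.113.7 port 51150 ssh2
Feb 10 03:12:09 web01 sshd[2219]: Failed password for root from 203.0.113.7 port 51160 ssh2
Feb 10 03:12:11 web01 sshd[2221]: Accepted password for root from 203.0.113.7 port 51170 ssh2
Feb 10 03:15:44 web01 sshd[2290]: Accepted publickey for deploy from 198.51.100.20 port 40010 ssh2
Feb 10 03:20:02 web01 sshd[2310]: Failed password for invalid user test from 192.0.2.9 port 33000 ssh2
"""

# "invalid user" appears when the account does not exist; both forms count as a failure.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")


def analyze(log_text, threshold=5):
    """Return (failures per source IP, alerts for password logins after brute forcing)."""
    failures = defaultdict(int)
    alerts = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            # A key-based login is not a brute-force outcome, so only password logins alert.
            if method == "password" and failures[ip] >= threshold:
                alerts.append({"ip": ip, "user": user,
                               "failures_before_success": failures[ip]})
    return dict(failures), alerts


def noisy_sources(log_text, threshold=5):
    """Source IPs that exceeded the failure threshold, regardless of eventual success."""
    failures, _ = analyze(log_text, threshold)
    return sorted(ip for ip, n in failures.items() if n >= threshold)


if __name__ == "__main__":
    per_ip, found = analyze(SAMPLE_LOG)
    for a in found:
        print(f"ALERT: password login for {a['user']} from {a['ip']} "
              f"after {a['failures_before_success']} failures")
    print("brute-force sources:", noisy_sources(SAMPLE_LOG))
```

On a real host the same logic runs over `/var/log/auth.log` (or `journalctl -u ssh`); the threshold is deliberately low because Outlaw targets systems nobody is watching, where a handful of failures followed by a success is already the whole story.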


Samples obtained by the team suggest that cryptocurrency mining is not the only illicit income stream Outlaw is exploring. Malware has also been found that is geared towards stealing data from compromised servers, primarily in the automotive and financial sectors. That information could then be resold for profit.

Enterprise servers may not be the only new targets Outlaw is exploring. The researchers also found evidence of Android APKs and Android Debug Bridge (ADB) commands that could be used to force Android-based smart televisions to mine cryptocurrency.
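ADB over TCP (by default on port 5555) is the usual way such commands reach a television, so the practical question for a defender is whether a device on the network accepts an ADB connection without key authentication. The following is an added example, not code from the article or from Trend Micro: it builds and parses ADB wire-protocol messages (24-byte header of six little-endian uint32 fields, then the payload) and uses them to probe a host. A device that answers a `CNXN` request with `CNXN` accepts unauthenticated sessions; one that answers with `AUTH` requires a key. The banner bytes in the test are constructed; `probe_adb` needs network access and is the only part not exercised offline.

```python
import socket
import struct

# ADB command words as little-endian uint32 values of the ASCII tag.
A_CNXN = 0x4E584E43   # "CNXN": connection request / accepted
A_AUTH = 0x48545541   # "AUTH": device demands RSA key authentication
A_VERSION = 0x01000000
MAX_PAYLOAD = 4096

# command, arg0, arg1, data_length, data_check, magic
HEADER = struct.Struct("<6I")


def build_message(command, arg0, arg1, payload=b""):
    """Serialize one ADB message; checksum is the byte sum, magic is command XOR 0xffffffff."""
    check = sum(payload) & 0xFFFFFFFF
    return HEADER.pack(command, arg0, arg1, len(payload), check,
                       command ^ 0xFFFFFFFF) + payload


def parse_message(data):
    """Validate and decode one ADB message; returns (command, arg0, arg1, payload)."""
    if len(data) < HEADER.size:
        raise ValueError("short header")
    command, arg0, arg1, length, check, magic = HEADER.unpack_from(data)
    if magic != command ^ 0xFFFFFFFF:
        raise ValueError("bad magic, not an ADB message")
    payload = data[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    if (sum(payload) & 0xFFFFFFFF) != check:
        raise ValueError("payload checksum mismatch")
    return command, arg0, arg1, payload


def classify_response(data):
    """Map a device's first reply to 'open', 'auth-required' or 'unknown'."""
    command, _, _, payload = parse_message(data)
    if command == A_CNXN and payload.startswith(b"device::"):
        return "open"           # shell access without any key: exactly what a miner needs
    if command == A_AUTH:
        return "auth-required"
    return "unknown"


def probe_adb(host, port=5555, timeout=3.0):
    """Connect to host:port, send a CNXN handshake and classify the reply (needs network)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_message(A_CNXN, A_VERSION, MAX_PAYLOAD, b"host::\0"))
        return classify_response(s.recv(4096))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # placeholder address
    print(target, probe_adb(target))
```

Anything reported as "open" should be treated as already compromised until proven otherwise; ADB over TCP on a television is rarely intentional, and disabling USB debugging (or network ADB) in the device settings closes the door the researchers describe.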

