[tomek@vz]

Citiraj:

A persistent Linux malware known as “Outlaw” has been identified leveraging unsophisticated yet effective techniques to maintain a long-running botnet.


Outlaw follows a structured multi-stage infection process:

1. Initial Access: The malware gains entry through SSH brute-forcing, targeting systems with weak or default credentials. A component called “blitz” handles these brute-force attacks by retrieving target lists from a command-and-control (C2) server.
2. Payload Deployment: Once access is gained, the malware downloads and executes a package containing scripts and binaries. The primary dropper script, tddwrt7s.sh, initiates the infection chain by deploying components into hidden directories.
3. Persistence Mechanisms: Outlaw establishes persistence through cron jobs and SSH key manipulation. It injects attacker-controlled SSH keys into compromised systems while locking configuration files to prevent tampering.
4. Propagation: The malware acts as a worm, spreading laterally within local subnets by launching additional SSH brute-force attacks from infected hosts. This self-replication ensures rapid expansion of the botnet.

> gbhackers