Outlaw: Researchers from Trend Micro have identified that after a few months of silence, the Outlaw crypto-mining group has returned. The group was last seen in June 2019, when they were using a similar toolkit to carry out attacks. In December, the group’s activities resumed, using an updated toolkit. The update to the kit expanded the scanner parameters and targets, looped execution of files via error messages, improved evasion techniques for scanning activities, and improved mining profits by killing off both the competition and their previous miners if they were found on the victim’s network. The kits that researchers were able to analyze appeared to be aimed at the finance and automotive industries, designed to steal information and launch subsequent attacks on already compromised systems. Based on these samples and the previous campaigns by the group, it is believed that Outlaw is aiming attacks at organizations that have security weaknesses due to their failure to update and patch their systems. The new malware version targets Linux and Unix servers, as well as Internet-of-Things (IoT) devices. The group is focused on entities within the United States and Europe.
Analyst Notes
The previous kit Outlaw utilized included a crypto-miner and a backdoor. The updates to the kit still utilize these functions, but an updated backdoor and information stealer could potentially allow the group to sell the data they steal. The updates to the kit allow the group to maximize their profit by getting rid of competitors’ crypto-miners as well as upgrade their own previously-deployed malware. Outlaw is targeting companies that do not keep up-to-date security updates and patches. This is a great example of why updating and patching is extremely important. It is likely that if this group came across a company with no exploitable areas, they would simply move on to the next target and not waste their time trying to compromise companies that have strong security measures in place.
More from Trend Micro can be found here: https://blog.trendmicro.com/trendlabs-security-intelligence/outlaw-updates-kit-to-kill-older-miner-versions-targets-more-systems/