Outlaw has emerged as a persistent Linux malware that continues to infect systems worldwide despite its relatively unsophisticated techniques.
This malware has demonstrated remarkable longevity in the threat landscape by leveraging simple yet effective tactics such as SSH brute-forcing, strategic persistence mechanisms, and cryptocurrency mining operations to maintain a growing botnet of compromised Linux servers.
The malware's initial access vector relies primarily on opportunistic SSH brute-force attacks against systems with weak or default credentials. Once access is gained, Outlaw downloads and executes a payload called dota3.tar.gz, which initiates a multi-stage infection process.
This package contains various components that ensure the malware can maintain control of the compromised system while evading detection.
Elastic Security Labs analysts noted that Outlaw exhibits a comprehensive attack chain spanning nearly the entire MITRE ATT&CK framework, making it an excellent case study for detection engineering efforts.
The researchers captured the malware's behavior through honeypot systems, observing both automated processes and occasional manual interaction from the threat actors.
What makes Outlaw particularly effective is its worm-like propagation mechanism.
After compromising a host, the malware scans the local subnet for additional vulnerable systems, leveraging the newly infected machine to launch further SSH brute-force attacks, rapidly expanding its reach across networks.
Persistence Techniques
Outlaw's persistence mechanisms rely heavily on cron jobs and SSH key manipulation.
The malware installs multiple cron jobs to ensure its components restart after system reboots or if they are terminated.
A deobfuscated script from the malware reveals this approach:

echo "5 6 * * 0 $dir2/a/upd>/dev/null 2>&1
@reboot $dir2/a/upd>/dev/null 2>&1
5 8 * * 0 $dir2/b/sync>/dev/null 2>&1
@reboot $dir2/b/sync>/dev/null 2>&1
0 0 */3 * * $dir/c/aptitude>/dev/null 2>&1" >> cron.d
crontab cron.d

The entries are written to a file named cron.d in the working directory and then loaded with crontab cron.d, which replaces the user's existing crontab with the attacker's schedule: two components are relaunched at every reboot and on a weekly timer, a third every three days, with all output silenced.
Additionally, the malware removes and recreates the user's ~/.ssh directory, injects attacker-controlled SSH keys, and marks the files immutable and append-only with chattr +ia, so they cannot be modified or deleted, even by root, until an administrator clears the attributes with chattr -ia.
This grants persistent remote access even if passwords are changed.
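As an added example (not code from this article or from Elastic's report), the POSIX shell script below triages a host for the two persistence mechanisms just described: it flags crontab entries that resemble the dumped script (@reboot hooks, commands under hidden or temporary directories, output silenced to /dev/null) and flags anything under a .ssh directory that carries the immutable or append-only attribute set by chattr +ia. The heuristics are assumptions to tune per environment; the sample crontab and lsattr output embedded in the script are constructed, including the /tmp/.X25-unix/.rsync paths, which are illustrative stand-ins for the $dir2 variable in the malware's script.

```shell
#!/bin/sh
# Added triage example for Outlaw-style persistence. Not part of the original
# article or the Elastic report. Run with --live to inspect the local host;
# with no argument it runs over the constructed sample data defined below.

# flag_cron_entries: reads crontab text on stdin and prints one line per
# suspicious entry, tagged with the heuristic that fired (all assumptions):
#   reboot-hook    @reboot entries, which the malware uses to survive restarts
#   hidden-or-tmp  command path under a dot-directory or /tmp, /var/tmp, /dev/shm
#   silent         stdout and stderr both discarded, as in the dumped script
#                  (weakest signal on its own; many legitimate jobs do this)
flag_cron_entries() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }                   # skip comments and blanks
    $1 == "@reboot"                        { print "reboot-hook   " $0; next }
    $0 ~ "/\\.[^/ \t]+/" || $0 ~ "/(tmp|var/tmp|dev/shm)/" {
                                             print "hidden-or-tmp " $0; next }
    $0 ~ "[>]/dev/null[ \t]+2>&1"          { print "silent        " $0 }
  '
}

# flag_immutable_ssh: reads lsattr output on stdin. lsattr prints an attribute
# string followed by the path, e.g. "----i---------e------- /root/.ssh/authorized_keys".
# A lowercase i (immutable) or a (append-only) on anything under .ssh is abnormal
# on a managed host and matches the chattr +ia step described in the article.
flag_immutable_ssh() {
  awk '$1 ~ /[ia]/ && $2 ~ /\/\.ssh(\/|$)/ { print "immutable-ssh " $2 " (" $1 ")" }'
}

# Constructed sample crontab: two benign jobs plus entries shaped like the
# malware's, with $dir2 expanded to an illustrative path.
SAMPLE_CRONTAB='# m h dom mon dow command (constructed sample)
0 3 * * * /usr/bin/certbot renew --quiet
*/10 * * * * /usr/local/bin/healthcheck.sh >/dev/null 2>&1
5 6 * * 0 /tmp/.X25-unix/.rsync/a/upd>/dev/null 2>&1
@reboot /tmp/.X25-unix/.rsync/a/upd>/dev/null 2>&1
5 8 * * 0 /tmp/.X25-unix/.rsync/b/sync>/dev/null 2>&1
@reboot /tmp/.X25-unix/.rsync/b/sync>/dev/null 2>&1
0 0 */3 * * /tmp/.X25-unix/.rsync/c/aptitude>/dev/null 2>&1'

# Constructed sample lsattr output: authorized_keys and the .ssh directory
# itself carry i/a, the public key and an unrelated dotfile do not.
SAMPLE_LSATTR='----i---------e------- /root/.ssh/authorized_keys
--------------e------- /root/.ssh/id_ed25519.pub
----ia--------e------- /root/.ssh
--------------e------- /root/.bashrc'

if [ "${1:-}" = "--live" ]; then
  # Per-user crontabs (current user only) plus system cron files.
  crontab -l 2>/dev/null | flag_cron_entries
  cat /etc/crontab /etc/cron.d/* 2>/dev/null | flag_cron_entries
  # Attribute check on every home directory's .ssh; requires e2fsprogs' lsattr.
  if command -v lsattr >/dev/null 2>&1; then
    for h in /root /home/*; do
      [ -d "$h/.ssh" ] && lsattr -d "$h/.ssh" "$h/.ssh"/* 2>/dev/null | flag_immutable_ssh
    done
  fi
else
  printf '%s\n' "$SAMPLE_CRONTAB" | flag_cron_entries
  printf '%s\n' "$SAMPLE_LSATTR"  | flag_immutable_ssh
fi
```

On the sample data the cron check reports six of the seven entries, including the benign healthcheck job under the silent tag, which is the point of tagging: the reboot-hook and hidden-or-tmp hits are worth an immediate look, the silent hits need a human to separate backup scripts from miners. The lsattr check reports authorized_keys and the .ssh directory. Note that lsattr reads ext2/3/4 and xfs attributes; on other filesystems the chattr step cannot have succeeded in the first place.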
The Outlaw malware demonstrates how threat actors can achieve widespread impact without relying on sophisticated techniques.
It also offers security teams several detection opportunities, particularly monitoring for bursts of failed SSH authentication attempts, unusual cron job creation, and unauthorized changes to SSH keys and their file attributes.