Outlaw Monero Cryptojacking in the Wild

Cryptomining malware, also known as cryptojacking, is probably the type of cyberattack we should be most concerned about in 2019. Data from prominent malware researchers suggests that cryptojacking attacks are becoming more common, as ransomware is conversely becoming less common.

It seems to me that cyber attackers now would rather be stealthy and make small amounts of money from a greater number of victims over a longer time duration, rather than go with the obvious ransomware approach. Ransomware attacks cannot be stealthy because the user needs to see a ransom note in order for the cyber attacker to extort money from them.

More enterprises are keeping robust backups they can restore from, and more and more consumers are keeping backups through online services like iCloud, Google Drive, and Dropbox - so, targets are less likely to pay ransoms. But cryptojacking can remain persistent for a lot longer than ransomware, using small amounts of CPU and memory to generate cryptocurrency over large numbers of victim machines. Many networks are out there making money for cyber criminals, and they don’t even know it.

Fortunately, one particular cryptojacking campaign was caught in action by a team of researchers. And what they learned can help us prepare for the latest cyberattack techniques.

JASK offers an Autonomous Security Operations Center platform which helps organizations deal with cyber threats efficiently and effectively. JASK’s Rod Soto, Darren Spruell, and Kevin Stear recently reported on a cryptojacking campaign which suggests the direction in which cyber crime is heading.

First, a Bit of Background

JASK’s SpecOps team were monitoring an unnamed higher education organization’s network in November 2018. When cyber attackers deploy cryptojacking campaigns, they want targets that they can easily infect, use a little bit of their CPU and memory for cryptomining, and remain persistent.

Most cryptojacking involves victim machines connected to the cyber attacker’s command and control (C2) servers, to spread a little bit of cryptomining over a large number of targets. When each target is only exploited for a small amount of processing power, it can help cryptojacking to evade detection. With that persistence, a lot of money can be generated over a long period of time.

It’s noted that educational organizations often have limited resources for cybersecurity operations, yet they tend to have networks with lots of server and client machines. That combination of tendencies makes educational networks very attractive targets for this sort of cyber crime.

Because of the software and the cyberattack techniques used by the attackers, JASK SpecOps believes that the attack they monitored on this educational institution is the work of a cyber crime group called Outlaw.

Who Are the Outlaw Cyber Crime Group?

The Outlaw cyber crime group were first reported by researchers in November 2018. The name comes from the English translation of one of the cyberattack tools that they use, “Haiduc.” They are believed to originate in Romania.

The Haiduc tool scans for SSH ports and brute-forces them. Shellbot is an IRC-driven script written in Perl which allows attackers to open a shell on their victim machines, to be controlled from an IRC C2 server. XMR-Stak is a cryptominer which is available via GitHub.

Mind you, cryptominers aren’t malware if they are being run on computers with the owner’s consent. But when cryptominers are deployed without the owner’s consent, they become malware. From XMR-Stak’s README and feature list:

“XMR-Stak is a universal Stratum pool miner. This miner supports CPUs, AMD and NVIDIA GPUs and can be used to mine the crypto currencies Monero, Aeon and many more Cryptonight coins...

Features:

  • Support all common backends (CPU/x86, AMD-GPU and NVIDIA-GPU)
  • Support all common OS (Linux, Windows and macOS)
  • Supports algorithm cryptonight for Monero (XMR) and cryptonight-light (AEON)
  • Easy to use
  • Guided start (no need to edit a config file for the first start)
  • Auto-configuration for each backend
  • Open source software (GPLv3)
  • TLS support
  • HTML statistics
  • JSON API for monitoring”

The brute forcing, the cryptomining, and the particular applications used in the educational institution cyberattack observed by JASK make the Outlaw cyber crime group the prime suspect. The timing of the attack, a few weeks after the group was initially discovered, also supports the idea that Outlaw is behind this.

About the Cyberattack

In late November, firewalls detected brute force authentication attempts to the network’s SSH server. SSH is normally used as an encrypted means of remotely administering a computer system. An uptick in scanning activity was also seen.

On closer examination, the SSH activity was determined to be malicious, anomalous behavior. Once SSH was breached, the network traffic changed: activity involving scripting and command line interface user agent strings indicated that malicious payloads were being installed and run.
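The brute-force-then-breach sequence described above can also be checked for on the host side. The following is an added example, not code from JASK's report; it assumes OpenSSH's usual syslog message format, and the threshold, function name and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in OpenSSH's syslog format; addresses are documentation ranges.
SAMPLE_LOG = """\
Nov 27 03:10:01 srv sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40101 ssh2
Nov 27 03:10:02 srv sshd[2102]: Failed password for invalid user test from 203.0.113.7 port 40102 ssh2
Nov 27 03:10:03 srv sshd[2103]: Failed password for invalid user oracle from 203.0.113.7 port 40103 ssh2
Nov 27 03:10:04 srv sshd[2104]: Failed password for root from 203.0.113.7 port 40104 ssh2
Nov 27 03:10:05 srv sshd[2105]: Failed password for root from 203.0.113.7 port 40105 ssh2
Nov 27 03:10:06 srv sshd[2106]: Accepted password for root from 203.0.113.7 port 40106 ssh2
Nov 27 03:11:00 srv sshd[2110]: Failed password for alice from 198.51.100.20 port 51000 ssh2
Nov 27 03:11:09 srv sshd[2111]: Accepted password for alice from 198.51.100.20 port 51001 ssh2
"""

EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def find_bruteforce(log_text, threshold=5):
    """Report sources with >= threshold failed logins, plus any login that
    succeeded from the same source after the threshold was crossed."""
    failures = defaultdict(int)
    tried = defaultdict(set)
    breached = defaultdict(list)
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if m is None:
            continue
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            failures[ip] += 1
            tried[ip].add(user)
        elif failures[ip] >= threshold:
            breached[ip].append(user)  # success after a burst: escalate
    return {
        ip: {"failures": n, "users_tried": sorted(tried[ip]),
             "success_after_burst": breached[ip]}
        for ip, n in failures.items() if n >= threshold
    }
```

A single mistyped password followed by a successful login, as in the second source in the sample, stays below the threshold and is not reported.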

A malicious Perl script was determined to be an obfuscated version of Shellbot IRC malware. The obfuscation was done by using Perl’s pack routine to hide some of the code. When the malicious script is run, unpack and eval functions are deployed and a connection is made to the cyber attacker’s IRC server for the purposes of command and control.
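A static triage check for the pattern described above, in which packed data is unpacked and handed to eval, can flag Perl scripts for review without running them. This is an added example, not JASK's tooling; the indicator names, the 200-character literal threshold and both inert sample scripts are assumptions constructed for illustration.

```python
import re

# Constructed, inert Perl samples; the packed data is a placeholder, not real code.
BLOB = "M" + "X" * 300
SUSPECT = f"""#!/usr/bin/perl
my $d = '{BLOB}';
my $code = unpack("u", $d);
eval $code;
"""
BENIGN = """#!/usr/bin/perl
my ($len, $type) = unpack("nC", $header);   # ordinary binary parsing
eval { risky_call(); };                     # block eval: exception handling
"""

# eval applied directly to the result of pack/unpack
DIRECT = re.compile(r"\beval\s*\(?\s*(?:un)?pack\b")
# a scalar filled from pack/unpack
ASSIGN = re.compile(r"(\$\w+)\s*=\s*(?:un)?pack\b")
# a quoted string of 200+ characters with no whitespace
LITERAL = re.compile(r"""(['"])(\S{200,}?)\1""")

def triage(source):
    """Return a sorted list of indicator names found in a Perl script."""
    hits = set()
    if DIRECT.search(source):
        hits.add("eval-of-unpack")
    for var in ASSIGN.findall(source):
        # string eval of a scalar that pack/unpack produced earlier
        if re.search(r"\beval\s*\(?\s*" + re.escape(var) + r"\b", source):
            hits.add("eval-of-unpacked-variable")
    if LITERAL.search(source):
        hits.add("long-opaque-literal")
    return sorted(hits)
```

These are indicators for prioritizing manual review: legitimate scripts use unpack for binary parsing and block eval for error handling, which is why the benign sample produces no hits.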

Once command and control has been established, XMR-Stak is downloaded and installed to the victim machines in order to generate cryptocurrency for the cyber attacker.

In Conclusion

The only major difference between the cyberattack observed by JASK and the first cyberattacks attributed to the Outlaw cyber crime group is the little bit of obfuscation added to the Perl script. Therefore, it’s highly probable that what JASK saw is the work of Outlaw as well.

Outlaw’s attacks are targeting Linux implementations of SSH. Although Linux is seldom seen on desktop client machines, Linux distros are very commonly used as Internet servers.

It is possible that Outlaw might not be solely working for themselves. A lot of cyber attackers have been offering their services for hire via forums and markets on the Dark Web. A usual scheme is that the clientele gets about 60% of the profits and the cyberattack authors get about 40% of the profits, similar to the offers that the authors of GandCrab ransomware have made.

There is a huge number of Linux-driven SSH servers all over the Internet, so tools like Haiduc have a lot of possible victims to discover and exploit.