The OUTLAW malware is a persistent, Linux-based threat focused on building and maintaining a botnet primarily for Monero cryptocurrency mining. It employs a relatively unsophisticated yet effective strategy based on SSH brute-force attacks, cron job persistence, and reuse of open-source tools. Despite lacking stealth or complex evasion tactics, OUTLAW remains active by self-replicating across compromised systems and running modified versions of tools like XMRig for mining and STEALTH SHELLBOT for IRC-based remote control. Once it infects a system, it establishes persistence by injecting SSH keys and modifying configurations to lock out administrators. Honeypot observations revealed a mix of automated and manual attacker behavior, including real-time command entry and component updates.
The malware operates through multiple modular scripts and binaries that handle installation, persistence, mining optimization, lateral movement, and C2 communication. It deploys a custom SSH brute-forcer named BLITZ to expand its reach, and it tunes infected systems for mining by adjusting CPU performance settings and memory configuration (e.g., hugepages).