Outlaw Cybergang Launches Global Attacks on Linux Environments with New Malware
The Outlaw cybergang, also known as “Dota,” has intensified its global assault on Linux environments, exploiting weak or default SSH credentials to deploy a Perl-based crypto mining botnet.
Detailed insights from a recent incident response case in Brazil, handled by Kaspersky, reveal the group’s evolving tactics.
Sophisticated Threat Targets Weak SSH Credentials
The attackers target administrative accounts like “suporte,” often secured with predictable passwords, to infiltrate systems.
Once inside, they insert unauthorized SSH keys linked to a remote user named “mdrfckr,” a hallmark of Dota campaigns, enabling persistent access to compromised servers.

This incident underscores the critical need for robust SSH configurations as Outlaw’s reach spans multiple continents, with significant victim clusters in the United States, Germany, Italy, Thailand, Singapore, Taiwan, Canada, and Brazil, based on public telemetry data.
Multi-Stage Malware Deployment and Resource Hijacking
The Outlaw gang employs a multi-stage infection process that begins with downloading a first-stage script, “tddwrt7s.sh,” via wget or curl, which then fetches the primary payload, “dota.tar.gz,” from malicious servers.
Upon decompression, a hidden directory “.configrc5” is created, housing scripts and binaries like “init0” and “b/run.”
According to Kaspersky's report, these components exhibit sophisticated behavior: they scan for and terminate competing miners to monopolize CPU and RAM, and they monitor running processes, killing any high-CPU-usage process whose name lacks specific whitelisted keywords.
A notable element is the obfuscated Perl script within “b/run,” which, once decoded, reveals an IRC-based botnet client enabling command execution, DDoS attacks, port scanning, and file transfers over HTTP.
Additionally, a UPX-packed binary identified as a modified XMRig miner (version 6.19.0), dubbed “kswapd0,” mines Monero cryptocurrency using CPU resources, with configurations linking to multiple mining pools, including one accessible via Tor.

This relentless resource hijacking, paired with evasion tactics like file obfuscation and hidden directories, showcases Outlaw’s technical prowess.
System administrators are urged to adopt stringent security measures, including changing default SSH ports, disabling password-based authentication, and implementing key-based access while limiting connections to trusted IPs to thwart these persistent threats.
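The hardening the article recommends, expressed as an OpenSSH server drop-in. This is an added example, not configuration from the article or from Kaspersky; the port, the account name "suporte" (taken from the article) and the 203.0.113.* source range are placeholders to adapt. It also goes one step beyond the article's list by moving authorized_keys out of the user's home, which stops an attacker who already holds the account from appending a key the way the "mdrfckr" entry was planted.

```sshd_config
# /etc/ssh/sshd_config.d/50-harden.conf
# Added example. Requires OpenSSH 8.2+ (Include of sshd_config.d is the
# distribution default there). Comments stay on their own lines; sshd rejects
# trailing text on option lines in older releases.

# Weak settings the campaign relies on (still the default on many hosts):
#   PasswordAuthentication yes
#   PermitRootLogin prohibit-password   (or yes)
#   AuthorizedKeysFile .ssh/authorized_keys   (user-writable)

# Non-default port. This only cuts scanner noise; it is not an access control.
Port 2222

# Key-based access only. KbdInteractive covers the PAM path that otherwise
# still accepts a password when PasswordAuthentication is off.
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
MaxAuthTries 3
LoginGraceTime 20

# Keys live in a root-owned directory, one file per user, so a compromised
# shell cannot add its own key. Populate /etc/ssh/authorized_keys/<user>
# (mode 0644, owner root) before restarting sshd or you lock yourself out.
AuthorizedKeysFile /etc/ssh/authorized_keys/%u

# Only this account, and only from the trusted range (placeholder range).
AllowUsers suporte@203.0.113.*
```

Validate with `sshd -t` before reloading, and keep the current session open while you test a fresh login from a trusted address. Note that none of this evicts a key that is already planted: the existing `~/.ssh/authorized_keys` files still need to be reviewed and the rogue entry removed.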
Telemetry indicates a notable spike in victims in March 2025, following a period of dormancy from December 2024 to February 2025, signaling a resurgence of this dangerous group.
Indicators of Compromise (IoCs)
| Indicator | Description |
|---|---|
| 15f7c9af535f4390b14ba03ddb990c732212dde8 | File hash (a) |
| 982c0318414c3fdf82e3726c4ef4e9021751bbd9 | File hash (init0) |
| f2b4bc2244ea8596a2a2a041308aa75088b6bbd5 | File hash (kswapd0) |
| 4d5838c760238b77d792c99e64bd962e73e28435 | File hash (run) |
| d0ba24f9fad04720dff79f146769d0d8120bf2ff | File hash (decoded Perl script) |
| 45[.]9[.]148[.]99 | Attacker's C2 server |
| 483fmPjXwX75xmkaJ3dm4vVGWZLHn3GDuKycHypVLr9SgiT6oaZgVh26iZRpwKEkTZCAmUS8tykuwUorM3zGtWxPBFqwuxS | Monero wallet address |
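A triage script that turns the host-level indicators above (the "mdrfckr" key comment, the hidden ".configrc5" directory, the C2 address, and the miner hiding under the name "kswapd0") into checks you can run on a suspect Linux host. This is an added example written for this page, not Kaspersky's tooling and not part of the article; the marker strings come from the article and the IoC table, while the file-system layout it walks is whatever root you point it at (a mounted disk image works as well as `/`).

```shell
#!/bin/sh
# Added example: host triage for the Outlaw/"Dota" indicators named in the
# article. Run as root; pass a root directory (default "/") to the functions.

KEY_MARKER="mdrfckr"      # comment field of the attacker's authorized_keys entry
HIDDEN_DIR=".configrc5"   # directory unpacked from dota.tar.gz
MINER_NAME="kswapd0"      # process name the modified XMRig build hides under
C2_IP="45.9.148.99"       # C2 server from the IoC table (defanged there)

# Print every authorized_keys file under $1 that carries the key marker.
# Returns 0 if at least one was found, 1 otherwise.
find_rogue_keys() {
    hits=$(find "${1:-/}" -type f -name authorized_keys \
               -exec grep -l "$KEY_MARKER" {} + 2>/dev/null || true)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# Print every .configrc5 directory under $1. Returns 0 if any, 1 otherwise.
find_hidden_dirs() {
    hits=$(find "${1:-/}" -type d -name "$HIDDEN_DIR" 2>/dev/null || true)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# Print files under $1 that embed the C2 address (scripts, cron entries,
# miner configs). On a live host narrow $1 to /home, /root, /etc, /tmp, /var.
find_c2_references() {
    hits=$(grep -rlF "$C2_IP" "${1:-/}" 2>/dev/null || true)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# Live-host check only. The genuine kswapd0 is a kernel thread, so
# /proc/PID/exe resolves to nothing; the miner is a user-space binary and
# its exe link points at a real file. Returns 0 if such a process exists.
find_fake_kswapd0() {
    found=1
    for pid in $(pgrep -x "$MINER_NAME" 2>/dev/null); do
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || continue
        [ -n "$exe" ] || continue
        echo "user-space $MINER_NAME pid=$pid exe=$exe"
        found=0
    done
    return $found
}

# Run the file-system checks under $1, print their hits, then print how many
# of the three checks matched. Returns 0 when nothing matched.
triage() {
    root="${1:-/}"
    n=0
    find_rogue_keys "$root"    && n=$((n + 1))
    find_hidden_dirs "$root"   && n=$((n + 1))
    find_c2_references "$root" && n=$((n + 1))
    echo "$n"
    [ "$n" -eq 0 ]
}
```

Usage: `. ./triage.sh; triage /` on the suspect host, or `triage /mnt/image` against a mounted disk image; call `find_fake_kswapd0` separately on the live system. A user-space process named kswapd0 with a resolvable executable is a strong signal by itself, because the real one never has one.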