The Outlaw hacking group has used “Haiduc” to attack vulnerable systems on the internet.

Presently, the hackers are spreading malware through a malicious URL.

Trend Micro’s Security Intelligence Blog has recently discovered a URL that circulates a Monero-mining botnet almost identical to a botnet created by the Outlaw hacking group. Trend Micro states that although the botnet is still in its testing phase, infection attempts have already been carried out in China. The hackers use the group’s primary hacking tool, dubbed “Haiduc” (also the Romanian word for “outlaw”), which is a Perl-based shellbot that attacks vulnerabilities in the Internet of Things.

Previously, the hacking group looked for vulnerable systems on the internet to attack. At present, the malware is reportedly being spread primarily through a malicious URL, which contains a Monero-mining script as well as a backdoor-based exploit.

Once Haiduc comes across a vulnerability, or the URL has been accessed, the botnet uses a brute-force exploit that allows remote access to the victims’ systems. After a system is under the hackers’ control, the malware downloads the cryptocurrency miner payload. The malware also deletes any cryptocurrency mining software already installed on the system.

The bot is also reportedly “capable of launching distributed denial-of-service (DDoS) attacks, allowing the cybercriminals to monetize their botnet through cryptocurrency mining and by offering DDoS-for-hire services.” DDoS attacks occur when multiple systems attempt to overwhelm the bandwidth of a targeted system. If the attack is successful, the system will be so overwhelmed that it will not be accessible to anyone besides the person launching the attack. DDoS attacks are quite prominent in the crypto sphere.

RWTH Aachen University in Germany reported that this kind of involuntary crypto mining, known as “cryptojacking,” amounts to over $250,000 worth of cryptocurrency per month.

