
While high-profile ransomware and state-backed APT groups often dominate headlines, it’s crucial not to overlook quieter yet persistent threats. One such threat is Outlaw (also known as “Dota”), a Perl-based botnet that exploits poorly secured Linux servers globally. Kaspersky’s recent analysis of a newly observed campaign underscores how basic security lapses can lead to significant breaches.
“By focusing on weak or default SSH credentials, Outlaw keeps improving and broadening its Linux-focused toolkit,” Kaspersky stated in its incident response case from Brazil.
The infection chain begins with an all-too-familiar weakness rather than a software vulnerability: default or weak SSH credentials. In the incident detailed by Kaspersky, the attackers logged in over SSH as a user account named suporte, a name commonly given to support or administrative accounts in Portuguese-speaking environments.
Once inside, they deployed a first-stage shell script (tddwrt7s.sh), which fetched and unpacked a malicious archive (dota.tar.gz). This created a hidden directory named .configrc5 where various payloads were stored.
A key part of the operation is claiming the host's resources for itself. The attackers ran scripts that scan for CPU-hungry processes and kill competing miners, sparing only process names that match their own components, such as kswapd0, tor, and httpd.
For persistence, the malware wiped the existing .ssh directory and replaced its contents with the attacker's public key in authorized_keys, so the stolen password is no longer needed. It also dropped a Base64-encoded second-stage Perl script, obfuscated with perlobfuscator.com, which masquerades as an rsync process once running.

“This Perl script is an IRC-based botnet client that acts as a backdoor on a compromised system,” the report explains. Once active, it connects to a hardcoded IRC server via port 443 and joins preconfigured channels using random nicknames to await commands.
The backdoor supports a range of commands, including DDoS attacks, port scanning, remote shell execution, and file transfers.
Also buried in the .configrc5 directory was an ELF binary named kswapd0, which analysis revealed to be a customized XMRig miner — version 6.19.0 — packed with UPX. The miner was configured to exclusively use CPU resources, with GPU mining disabled, and was set to communicate with mining pools over Tor, further masking its activity.
“The miner runs in the background, configured for high CPU usage,” Kaspersky noted, adding that the attackers embedded their configuration directly into the binary for stealth.
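The indicators above (a hidden .configrc5 staging directory, a userland process borrowing the kernel thread name kswapd0, a Perl backdoor posing as rsync) can be hunted for with a few lines of shell. The script below is an added example, not Kaspersky's or the article's code. The process listing it runs on is constructed in the layout of `ps -eo pid,ppid,user,comm,args`; the PIDs, paths and the user suporte in it are assumptions for the demo. The check it relies on is a property of Linux, not of the malware: a genuine kswapd0 is a kernel thread whose parent is kthreadd (PID 2) and whose args ps prints in brackets, so a kswapd0 with an executable path and an ordinary parent is a lookalike.

```shell
#!/bin/sh
# Added example, not Kaspersky's or the article's code: hunt for the Outlaw
# indicators described above on a Linux host. SAMPLE_PS is a constructed
# listing in the layout of `ps -eo pid,ppid,user,comm,args`; on a live host
# pipe the real listing into flag_masquerading_procs instead. PIDs, paths and
# the user "suporte" are assumptions for the demo.

SAMPLE_PS='PID PPID USER COMMAND ARGS
2 0 root kthreadd [kthreadd]
87 2 root kswapd0 [kswapd0]
4212 1 suporte kswapd0 /home/suporte/.configrc5/a/kswapd0
4250 4212 suporte rsync rsync
1337 1 root httpd /usr/sbin/httpd -DFOREGROUND'

# Flag processes that borrow the names of legitimate components.
# A real kswapd0 is a kernel thread: parent kthreadd (PID 2), bracketed args,
# no executable path. Anything named kswapd0 that fails that test, or anything
# launched from a .configrc5 directory, is reported, and so are the children
# of flagged processes (the rsync lookalike is a child of the miner here).
flag_masquerading_procs() {
    awk '
    $1 == "PID" { next }                       # skip the ps header
    {
        n++; pid[n] = $1; ppid[n] = $2; user[n] = $3; comm[n] = $4
        a = ""
        for (i = 5; i <= NF; i++) a = a (i > 5 ? " " : "") $i
        args[n] = a
    }
    END {
        for (i = 1; i <= n; i++) {
            r = ""
            if (comm[i] == "kswapd0" && (ppid[i] != 2 || args[i] !~ /^\[kswapd0\]$/))
                r = "kswapd0 is not a kernel thread"
            else if (args[i] ~ /\/\.configrc5\//)
                r = "runs from .configrc5"
            if (r != "") { bad[pid[i]] = 1; print pid[i], user[i], comm[i], r }
        }
        for (i = 1; i <= n; i++)
            if (!(pid[i] in bad) && (ppid[i] in bad))
                print pid[i], user[i], comm[i], "child of flagged pid " ppid[i]
    }'
}

# Locate the hidden staging directory on disk; $1 is the search root
# (for example /home or /). Stays on one filesystem to avoid /proc and mounts.
find_configrc5() {
    find "$1" -xdev -type d -name '.configrc5' 2>/dev/null
}

# Demo run on the constructed listing.
printf '%s\n' "$SAMPLE_PS" | flag_masquerading_procs
```

On a live host, confirm a hit with `ls -l /proc/PID/exe` (a kernel thread has no target) and compare authorized_keys against what you expect to be there, since the persistence step described above replaces it outright.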
According to Kaspersky’s telemetry, Outlaw’s activity spans multiple continents, with notable infection spikes in March 2025. The most targeted countries include:
- United States
- Germany
- Brazil
- Italy
- Taiwan
- Thailand
- Singapore
- Canada
Interestingly, the group went dark between December 2024 and February 2025, only to resurface with a sudden surge.
Given Outlaw’s reliance on lax SSH security, defenders can dramatically reduce risk by hardening their SSH configurations. Kaspersky recommends:
- Switching to key-based authentication
- Disabling password and root login
- Changing the default SSH port
- Limiting access using AllowUsers and IP whitelisting
- Enforcing idle timeout and authentication limits
- Disabling unused authentication protocols and SSH tunneling options
“Pairing your config with tools like Fail2Ban or firewalld rate limiting adds another solid layer of protection against brute force,” Kaspersky advises.
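The recommendations above map onto a handful of sshd_config keywords, and the gap between a default install and a hardened one is easy to audit mechanically. The script below is an added example, not Kaspersky's or the article's code. It compares a config file against the list above, using OpenSSH's documented defaults for absent keywords and honouring the rule that sshd takes the first occurrence of a keyword (conditional Match blocks are skipped, and Key=value syntax is not handled). The two configs it runs on are constructed; the port, user names and addresses in them are assumptions. On a live host `sshd -T` prints the effective configuration and is the authoritative source.

```shell
#!/bin/sh
# Added example, not Kaspersky's or the article's code: audit an sshd_config
# against the hardening list above. Defaults for absent keywords are OpenSSH's
# documented ones; first occurrence of a keyword wins, as in sshd; Match
# blocks are ignored. The sample configs are constructed, not from the incident.

audit_sshd_config() {
    awk '
    BEGIN {
        v["passwordauthentication"]       = "yes"
        v["permitrootlogin"]              = "prohibit-password"
        v["kbdinteractiveauthentication"] = "yes"
        v["maxauthtries"]                 = "6"
        v["clientaliveinterval"]          = "0"
        v["allowtcpforwarding"]           = "yes"
        v["allowusers"]                   = ""
    }
    /^[ \t]*(#|$)/ { next }                      # comments and blank lines
    tolower($1) == "match" { inmatch = 1 }       # everything after Match is conditional
    inmatch { next }
    {
        k = tolower($1); val = $2
        for (i = 3; i <= NF; i++) val = val " " $i
        # older configs use the pre-8.7 name for keyboard-interactive auth
        if (k == "challengeresponseauthentication") k = "kbdinteractiveauthentication"
        if ((k in v) && !(k in seen)) { v[k] = val; seen[k] = 1 }
    }
    END {
        if (v["passwordauthentication"] != "no")
            print "PasswordAuthentication " v["passwordauthentication"] ": switch to key-based authentication"
        if (v["permitrootlogin"] != "no")
            print "PermitRootLogin " v["permitrootlogin"] ": disable root login"
        if (v["kbdinteractiveauthentication"] != "no")
            print "KbdInteractiveAuthentication " v["kbdinteractiveauthentication"] ": disable unused auth methods"
        if (v["maxauthtries"] + 0 > 3)
            print "MaxAuthTries " v["maxauthtries"] ": limit authentication attempts"
        if (v["clientaliveinterval"] + 0 == 0)
            print "ClientAliveInterval 0: no idle timeout"
        if (v["allowtcpforwarding"] != "no")
            print "AllowTcpForwarding " v["allowtcpforwarding"] ": disable tunnelling if unused"
        if (v["allowusers"] == "")
            print "AllowUsers unset: no user/IP allow-list"
    }' "$1"
}

# Constructed configs (assumed values): weak.conf resembles a default install
# that a credential-guessing bot would enjoy; hardened.conf applies every item
# in the list above. $1 is the directory to write them into.
write_sample_configs() {
    cat > "$1/weak.conf" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
X11Forwarding yes
EOF
    cat > "$1/hardened.conf" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AllowUsers admin@203.0.113.0/24 deploy@10.0.0.5
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
AllowTcpForwarding no
X11Forwarding no
PermitTunnel no
EOF
}

# Demo run on the constructed configs.
d=$(mktemp -d)
write_sample_configs "$d"
echo "== weak.conf"; audit_sshd_config "$d/weak.conf"
echo "== hardened.conf"; audit_sshd_config "$d/hardened.conf"
rm -rf "$d"
```

Run it as `audit_sshd_config /etc/ssh/sshd_config` after sourcing the file; the weak sample produces seven findings and the hardened one none. Changing the port, as the list suggests, reduces log noise but is not a security control on its own, which is why the audit does not score it.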