
OUTLAW infection chain overview | Image: Elastic Security Labs
Elastic Security Labs has published an analysis on the Outlaw Linux malware, describing it as a persistent yet unsophisticated auto-propagating coinminer package that has been active for several years. Despite its lack of advanced evasion techniques, Outlaw remains effective by employing simple but impactful tactics.
Elastic’s researchers deployed a high-interaction honeypot to lure the attackers and observe their behavior in the wild, giving a rare look at both automated malware execution and live operator intervention.
“This interaction revealed automated and manual actions, with operators entering commands directly, making modifications on the fly, and even mistyping commands—clear indicators of human involvement.”
This hybrid approach, blending worm-like propagation with manual oversight, shows that while Outlaw lacks advanced evasion techniques, it compensates with persistence and adaptability.
At the core of Outlaw Linux malware is a basic infection routine:
- Initial infection is triggered via a shell script (tddwrt7s.sh) which downloads and unpacks a malicious package.
- Scripts like initall, init, and init2 determine execution flow and install components in hidden directories (e.g., ~/.configrc6).
- Cron jobs ensure persistence, with the malware restarting after reboots or termination attempts.
“The malware ensures dominance by killing competing brute-forcers and miners… and installs cron jobs that execute its binaries at regular intervals and on system reboots.”
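As an added illustration of the cron-based persistence described above (this is not code from Elastic’s report), the following triage script scans crontab text for entries that execute from hidden dot-directories under a home directory or that name Outlaw components such as .configrc6 or upd; the sample crontab is constructed, and the name list is drawn from the components mentioned in this article.

```python
import re
# Names from the Outlaw write-up (package script, installer scripts, hidden install
# dir, watchdog scripts); "init"/"run" are omitted as too common to be a signal.
OUTLAW_NAMES = {"tddwrt7s.sh", "initall", "init2", ".configrc6", "upd", "stop"}
# A command executing from a dot-directory under /home/<user>, /root or ~.
HIDDEN_HOME_DIR = re.compile(r"(?:/home/[^/\s]+|/root|~)/\.[^/\s]+")
# An @reboot-style tag or five schedule fields, then the command.
CRON_PREFIX = re.compile(r"^(@\w+|(?:\S+\s+){5})(.*)$")

# Constructed sample crontab: two Outlaw-style entries among ordinary ones.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
MAILTO=root
0 3 * * * /usr/bin/certbot renew --quiet
@reboot /home/deploy/.configrc6/a/upd >/dev/null 2>&1
*/5 * * * * /home/deploy/.configrc6/b/run >/dev/null 2>&1
@reboot /usr/local/bin/node-exporter
"""

def parse_cron_line(line):
    """Return (schedule, command) for a job entry, None for comments/env/blank."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = CRON_PREFIX.match(line)
    return (m.group(1).strip(), m.group(2).strip()) if m else None

def assess_cron_line(line):
    """List why a job entry resembles Outlaw persistence ([] if benign, None if not a job)."""
    parsed = parse_cron_line(line)
    if parsed is None:
        return None
    schedule, command = parsed
    reasons = []
    if HIDDEN_HOME_DIR.search(command):
        reasons.append("runs from a hidden dot-directory under a home directory")
    # Only path-like tokens are split into components, so a bare argument such
    # as "stop" in "/etc/init.d/foo stop" does not trigger a name hit.
    parts = {p for tok in command.split() if "/" in tok for p in tok.split("/") if p}
    hits = sorted(parts & OUTLAW_NAMES)
    if hits:
        reasons.append("path contains Outlaw component name(s): " + ", ".join(hits))
    if reasons and schedule == "@reboot":
        reasons.append("scheduled with @reboot, so it survives restarts")
    return reasons

def scan_crontab(text):
    """Return [(entry, reasons)] for every job entry that raised at least one reason."""
    return [(ln.strip(), r) for ln in text.splitlines() if (r := assess_cron_line(ln))]
```

Feed it the output of `crontab -l` for each user (and the files under /etc/cron.d) to triage a host; a hit is a lead to inspect, not proof of infection.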
Outlaw’s architecture is modular, with each directory executing a specific part of the attack:
- a/ Directory: Crypto Mining
  - Deploys a modified XMRig miner, heavily optimized with open-source scripts to use hugepages, write to MSRs, and maximize CPU threads.
  - Ensures miner persistence with custom watchdog scripts (upd, run, stop).
  - Kills competitor processes using community-sourced scripts like MinerKiller.
- b/ Directory: STEALTH SHELLBOT
  - Contains obfuscated Perl-based IRC backdoors for remote control.
  - Installs attacker SSH keys, creates immutable directories, and connects to attacker-controlled IRC channels for real-time command execution.
- c/ Directory: SSH Brute-Force
  - Executes BLITZ, a custom SSH brute-forcer that:
    - Pulls target IPs and credentials from a C2 server.
    - Gathers system info and escalates access.
    - Propagates the malware across subnets without relying on external infrastructure.
What makes Outlaw notable is not its sophistication but its reliability. It’s unsophisticated by design: attackers reuse open-source tools, old IRC bot scripts, and publicly available obfuscation utilities. Yet the malware has remained active since at least 2022, continuously evolving and infecting vulnerable systems.
“This malware presents a valuable opportunity to apply detection engineering principles, as its attack chain spans nearly the entire MITRE ATT&CK framework.”
Elastic emphasizes the value of Outlaw’s repetitive, predictable behaviors for defenders. Despite its longevity, the malware exhibits signs of carelessness—such as hardcoded passwords like pegasus, commented-out legacy code, and typo-laden command execution.
Elastic’s honeypot captured a moment rarely seen in malware analysis: an attacker manually logging into a compromised system post-infection.
“The attacker performed basic reconnaissance… made a small typo and killed the prompt with a quick Ctrl+C, indicating a manual interaction.”
After verifying functionality, the operator simply logged out—leaving behind an environment primed for mining, brute-forcing, and backdoor access.
Elastic’s analysis provides detection rules, IOCs, and a full execution chain, making it a valuable resource for blue teams looking to bolster defenses against persistent, Linux-based threats.