The Outlaw group has reportedly been using a sophisticated version of Shellbot to attack Linux systems and mine the privacy-centric coin Monero (XMR). Shellbot is a Trojan that lets attackers control infected systems through a command-and-control (C2) server.
Researchers at Jask Special Ops have been investigating attacks in which control of the infrastructure is seized so that the attackers can engage in illegal XMR mining. Personal and system data is stolen, tasks and processes are controlled, and command-line shells can be opened remotely. Trend Micro says the first of these IRC bots appeared in November 2018 and attributes them to the Outlaw group.
The researchers pointed out that Shellbot is able to infect Windows systems and Android devices, but instances of that are very rare. The initial attacks in November compromised FTP servers at a Japanese art organization and a Bangladeshi government website. Jask concluded that a third attack broke into several Linux servers belonging to a single entity. In each case, the systems were infected with IRC C2 botware along with the haiduc SSH scanning and network propagation kit. The systems also received a cryptomining malware script that consumes the compromised servers' resources to mine XMR.