The cybersecurity firm Trend Micro says it has detected that the Outlaw hacking group has been upgrading its data-stealing toolkit, used against enterprises, for about half a year already.
Outlaw had been very quiet since June 2019, only to become active again in December, when it started making upgrades to its data-stealing kits. It now appears able to target more systems, says a Trend Micro analysis from February 10, and can steal data from the finance and automotive industries.
— Trend Micro Research (@TrendMicroRSRCH) February 10, 2020
What Else Can the Kits Do Now?
The group's new upgrades include more advanced breaching techniques, new scanner targets and parameters, and better mining profits obtained by eliminating competing miners, the group's own old miners included. According to the Trend Micro analysis, the newly developed kits attacked Unix and Linux operating systems, Internet-of-Things (IoT) devices and vulnerable servers. PHP-based web shells were also used by the hackers to gain remote access to devices.
What Are the Hackers Going For?
It seems the attacks started from a virtual private server (VPS) that scans for vulnerable devices. The new Outlaw tools reuse previously developed scripts, code and commands. Many IP addresses are used for scanning within each country, which is why the group attacks only certain regions during a given time period.
Are Hackers One Step Ahead of the Game?
In June 2019, Trend Micro said it had identified a web address that spread a botnet featuring a Monero (XMR) mining component and a backdoor. The malware was also attributed to Outlaw because it employed the same techniques as earlier operations conducted by the group.
It had Distributed Denial of Service (DDoS) capabilities and allowed the hackers to monetize by offering DDoS-for-hire services and through crypto mining. Moreover, as recently as January this year, the supposedly North Korean government-sponsored hacker group Lazarus deployed new malware developed to steal cryptocurrency. A modified version of the QtBitcoinTrader crypto trading interface was used to deliver and execute the malicious code of Lazarus's well-known Operation AppleJeus.