In a recent digital forensic analysis conducted in February 2022 by CYE’s Critical Cyber Operations group, our team analyzed an image of a client’s suspicious Linux server that had been reported as sending brute force attacks worldwide. The team concluded not only that the server had indeed been breached, but also that a range of malicious tools, including scripts and malware, had been installed on it. Two highly active tools were designed for crypto mining and for SSH brute forcing of additional servers.
Relying on the identified IOCs (SSH-key comment, malicious tool and script names, directory hierarchy), we conclude that this is very similar to an attack conducted back in April 2020 by the “Outlaw Hacking Group”. The Outlaw Hacking Group was first spotted by TrendMicro in 2018, when the cybercriminals targeted the automotive and financial industries. This activity and the attacker’s assets lead us to believe that the attacker never stopped their activity; rather, they changed some IOCs. To the best of our knowledge, the malware they use changes frequently, making it hard for conventional antivirus products to catch.
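The attribution step described above, overlapping the SSH-key comment, the tool and script names and the directory layout found on a host with the indicators of a prior campaign, can be scripted so that the comparison is repeatable across hosts. The following is an added example and is not CYE’s tooling; it does not contain the actual indicators from the investigation or from the Outlaw reports. Every IOC value, file name, path and key in it is a constructed placeholder, and the reference profile, the `parse_authorized_keys` helper and the `match_iocs` scoring are assumptions for illustration.

```python
"""Added example: compare host artefacts against a reference IOC profile.

Not CYE's tooling. All indicator values below are constructed placeholders,
not real indicators from the investigation.
"""
import glob
import os

# Constructed reference profile of a prior campaign (placeholders only).
# A real profile would be populated from the investigation's own IOC list.
REFERENCE_IOCS = {
    "ssh_key_comments": {"placeholder-key-comment"},
    "tool_names": {"placeholder-miner", "placeholder-bruteforcer"},
    "directories": {"/tmp/.placeholder-dir", "/var/tmp/.placeholder-dir"},
}

# Key-type tokens OpenSSH accepts in authorized_keys (used to locate the
# boundary between the optional options field and the key itself).
KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}

# Constructed sample authorized_keys content; the key material is not real.
SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample, not real key material
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterial admin@workstation
command="/usr/bin/true",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABExampleKey placeholder-key-comment
"""


def parse_authorized_keys(text):
    """Return the comment field of every key line in an authorized_keys file.

    Line format: [options] keytype base64-key [comment]. Options may contain
    quoted spaces, so the key-type token is located first and the comment is
    everything after the base64 blob that follows it.
    """
    comments = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        for i, tok in enumerate(tokens):
            if tok in KEY_TYPES:
                comments.append(" ".join(tokens[i + 2:]))
                break
    return comments


def collect_key_comments_from_host():
    """Read every user's authorized_keys on the local host (live use only)."""
    paths = glob.glob("/home/*/.ssh/authorized_keys") + ["/root/.ssh/authorized_keys"]
    comments = []
    for path in paths:
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                comments.extend(parse_authorized_keys(fh.read()))
    return comments


def match_iocs(key_comments, present_files, present_dirs, reference=REFERENCE_IOCS):
    """Intersect observed artefacts with the reference profile.

    Returns the per-category hits and the number of categories with at least
    one hit; overlap in several independent categories is stronger evidence
    of a shared toolkit than many hits in one.
    """
    hits = {
        "ssh_key_comments": sorted(set(key_comments) & reference["ssh_key_comments"]),
        "tool_names": sorted(set(present_files) & reference["tool_names"]),
        "directories": sorted(set(present_dirs) & reference["directories"]),
    }
    categories_hit = sum(1 for v in hits.values() if v)
    return hits, categories_hit


def run_demo():
    """Run the comparison on constructed artefacts; returns (hits, categories_hit)."""
    comments = parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS)
    files = ["placeholder-miner", "sshd", "bash"]          # constructed listing
    dirs = ["/tmp/.placeholder-dir", "/home/user"]          # constructed listing
    return match_iocs(comments, files, dirs)


if __name__ == "__main__":
    hits, n = run_demo()
    print(f"{n} of {len(REFERENCE_IOCS)} IOC categories matched: {hits}")
```

On a live host the file and directory listings would come from the disk image rather than the constructed lists, and `collect_key_comments_from_host` shows how the key comments are gathered; the scoring deliberately counts categories rather than raw hits, since a key comment, a tool name and a directory layout matching together is what supports the attribution, whereas a single shared file name alone is weak evidence.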