Date: 05/06/2025
Severity: Medium
Summary
Outlaw, also known as "Dota," is a Perl-based crypto-mining botnet targeting Linux systems by exploiting weak or default SSH credentials. While previously observed in honeypots, a recent real-world incident in Brazil highlights its continued effectiveness. Public telemetry data shows that Outlaw targets multiple countries and regions, and the report includes TTPs and defensive best practices for protecting against this threat.
Indicators of Compromise (IOC) List
IP Address | 45.9.148.99
Hash | 15f7c9af535f4390b14ba03ddb990c732212dde8
Hash | 982c0318414c3fdf82e3726c4ef4e9021751bbd9
Hash | f2b4bc2244ea8596a2a2a041308aa75088b6bbd5
Hash | 4d5838c760238b77d792c99e64bd962e73e28435
Hash | d0ba24f9fad04720dff79f146769d0d8120bf2ff
Wallet | 483fmPjXwX75xmkaJ3dm4vVGWZLHn3GDuKycHypVLr9SgiT6oaZgVh26iZRpwKEkTZCAmUS8tykuwUorM3zGtWxPBFqwuxS
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 | dstipaddress IN ("45.9.148.99") or srcipaddress IN ("45.9.148.99")
Detection Query 2 | hash IN ("f2b4bc2244ea8596a2a2a041308aa75088b6bbd5","4d5838c760238b77d792c99e64bd962e73e28435","15f7c9af535f4390b14ba03ddb990c732212dde8","982c0318414c3fdf82e3726c4ef4e9021751bbd9","d0ba24f9fad04720dff79f146769d0d8120bf2ff")
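The two detection queries above, expressed as a small Python matcher that can be run over exported events where the Gurucul platform is not available. This is an added example, not Gurucul code; it assumes events arrive as key=value lines using the same field names as the queries (srcipaddress, dstipaddress, hash), and the sample events are constructed, not real telemetry.

```python
"""Match key=value events against the Outlaw IOCs listed in this advisory."""
import re

# IOC values taken from the advisory's IOC list above.
OUTLAW_IPS = {"45.9.148.99"}
OUTLAW_HASHES = {
    "15f7c9af535f4390b14ba03ddb990c732212dde8",
    "982c0318414c3fdf82e3726c4ef4e9021751bbd9",
    "f2b4bc2244ea8596a2a2a041308aa75088b6bbd5",
    "4d5838c760238b77d792c99e64bd962e73e28435",
    "d0ba24f9fad04720dff79f146769d0d8120bf2ff",
}

# Constructed sample events (assumed key=value format; field names follow the
# Gurucul queries). The third line is benign and must not match.
SAMPLE_EVENTS = [
    "ts=2025-05-06T10:00:01Z host=web01 srcipaddress=10.0.0.5 dstipaddress=45.9.148.99 action=connect",
    "ts=2025-05-06T10:00:07Z host=web01 hash=F2B4BC2244EA8596A2A2A041308AA75088B6BBD5 path=/tmp/.x",
    "ts=2025-05-06T10:01:00Z host=db01 srcipaddress=10.0.0.9 dstipaddress=10.0.0.1 action=connect",
]

_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one 'k=v k=v ...' line into a dict (later keys overwrite earlier)."""
    return dict(_KV.findall(line))


def match_event(event):
    """Return (query, field, value) hits, mirroring Detection Query 1 and 2."""
    hits = []
    # Query 1: either side of the connection is the Outlaw C2/mining IP.
    for field in ("srcipaddress", "dstipaddress"):
        if event.get(field) in OUTLAW_IPS:
            hits.append(("Detection Query 1", field, event[field]))
    # Query 2: file hash matches; lower-case first so tooling that emits
    # upper-case SHA-1 still matches the advisory's lower-case values.
    digest = event.get("hash", "").lower()
    if digest in OUTLAW_HASHES:
        hits.append(("Detection Query 2", "hash", digest))
    return hits


def scan(lines):
    """Scan many lines; yield (host, hit) so alerts keep their source host."""
    results = []
    for line in lines:
        event = parse_event(line)
        results.extend((event.get("host"), hit) for hit in match_event(event))
    return results
```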
Reference:
https://securelist.com/outlaw-botnet/116444/