Classic Trojan Gets Monero Mining Twist for New Hack Attacks

John Moore
  • Security researchers have identified a re-tooled version of the classic 'Shellbot' Trojan, tasked with delivering mining software
  • An international hacking team known as Outlaw Group are likely behind the botnet dedicated to reaping this crypto harvest

As if to prove the old Broadway addage that ‘everything old is new again’, a classic Trojan program from the noughties has recently re-emerged with an all-new crypto add-on. 

A report published this week by OpSec group, Jask, offered up details of a late 2018 attack on an educational establishment. That attack, prefaced by brute force attacks on Linux machines that were part of its network, was based around the installation of a remixed version of the classic ‘Shellbot’ code - first seen as far back as 2005

At that point, Shellbot was the latest of a newer breed of criminally motivated malware that was designed solely for monetary gain. Designed to be as inconspicuous as possible, its so-called ‘Backdoor’ attack vector offered its installer access to the infected computer, and the ability to install whatever software they chose, and thus turn it to whatever purpose they saw fit. In recent years, these types of attack have increasingly resulted in the mining of cryptocurrencies. 

Once installed, Shellbot acts as a Trojan, delivering whatever bits of code its controllers see fit, using the equally classic Internet Relay Chat (IRC) network. The example outlined by Jask’s case study, fits the modus opperandi of a hacking team known as the Outlaw Group, and co-opted machines into a larger so-called ‘Botnet’ of compromised computers, dedicating their resources to - among other things - the mining of Monero.

Monero Increasingly Popular With Hackers 

Monero mining has been on the increase in the last year or so, as hackers have identified it as a liquid, hard-to-trace, and - above all - profitable cryptocurrency option for funding their nefarious activities. Indeed, during mid-2018 research by a Canadian cyber security concern, Citizen Lab , pointed towards state-sponsored actors from the Middle East jumping on the Monero bandwagon as a way of funding their projects. 

Tracing of the botnet control and command interactions led back to a server located in the Netherlands, where it appears that the Outlaw Group has built its mining pool infrastructure using the resources of a server largely dedicated to gaming (Minecraft, rather ironically). All monies from the pool, were then forwarded on to the Monero wallet address: 481fnPjXvX75xmkaJ3dm4vVGWZLHn3GDuKycHypVLr9SgiT6oaYgVh26iZRpwKEkTZCAmUS8tykuwU orM3zGtWxPBFquwuS. 

The international outlook of the team was reinforced by researchers’ discovery of Portuguese and Romanian notes within the code. That has led Jask to speculate that whoever is behind the new code are either multi-national or multi-lingual. 

"I think the lesson from Outlaw and Shellbot,” Kevin Stear, lead threat analyst at JASK, told  Dark Reading  “is, you can do a lot with legacy tools and tradecraft.”

Another is that you should always keep your network security up to date, be wary of what you download and look out for any unusually high processor use on your machines. That, or risk becoming one of the ever-increasing victims of crypto-related crime