Sigma Rule: Outlaw Hacking Group

SOC Prime Team released a new Sigma rule based on IOCs that can detect the known indicators of the Outlaw hacking group.

Check the link to view the available translations on Threat Detection Marketplace: https://tdm.socprime.com/tdm/info/yyiW6rvv5a00/JiEBzHEBjwDfaYjKqEwv/

Also, you can use Uncoder to convert a Sigma rule into a number of supported platforms without access to your SIEM environment. We recently added support for new platforms so that more companies can use this free tool.

After a relatively rapid rise in popularity in 2018, coinminers are now seeing a significant decline in interest from cybercriminals, primarily because only a few threat actors managed to turn a significant profit, and very few of them continue large-scale campaigns. One of the threat actors with ongoing campaigns is the Outlaw hacking group, which has been active since 2018, though cybersecurity experts still know little about it. Initially, the group infected IoT devices and Linux servers to mine Monero cryptocurrency. In 2019, the group updated its botnet so that it could also be used to perform DDoS attacks; most of the group's targets were located in China.

The next surge in activity of the Outlaw hacking group began in December last year. Once again, the attackers modified their botnet, and their attacks became more targeted at enterprises. The new campaign targets devices in Europe and the United States; the cybercriminals are interested in companies with internet-facing systems that have weak or no monitoring of traffic and activity, and in enterprises that have yet to patch their systems. In addition to the cryptocurrency mining function, the botnet now includes a set of tools for data theft and improved evasion techniques for its scanning activity.

action: global
title: Outlaw Hacking Group (IOCs)
description: Outlaw hacking group indicator of compromise.
status: stable
author: SOC Prime Team
tags:
  - attack.command_and_control
  - attack.t1071
  - attack.t1043
level: high
---
logsource:
  category: dns
detection:
  selection:
    query: "debian-package.center"
  condition: selection
---
logsource:
  category: firewall
detection:
  selection:
    dst_ip:
      - "45.9.148.125"
      - "45.9.148.129"
      - "45.9.148.99"
  condition: selection
---
logsource:
  category: proxy
detection:
  selection:
    cs-host:
      - "debian-package.center"
      - "45.9.148.125"
      - "45.9.148.129"
      - "45.9.148.99"
  selection2:
    r-dns: "debian-package.center"
  condition: selection or selection2
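
To see how the three Sigma documents above behave as detection logic, here is an added example (not SOC Prime's code and not part of the rule) that evaluates each document against constructed sample events, one per logsource category. The field names and IOC values come from the rule; the event records and the `category` key used to route them are assumptions for the example.

```python
"""Evaluate the Outlaw IOC Sigma rule against constructed sample events.

Sigma semantics reproduced here: values in a list are OR'ed, fields inside
one selection map are AND'ed, string matching is case-insensitive, and the
per-document `condition` joins the selections.
"""

# IOCs exactly as listed in the rule
DOMAIN = "debian-package.center"
IPS = {"45.9.148.125", "45.9.148.129", "45.9.148.99"}

# One entry per Sigma document: logsource category -> list of selections.
# Each selection maps a field to the set of values it may take.
RULE = {
    "dns": [{"query": {DOMAIN}}],                  # condition: selection
    "firewall": [{"dst_ip": IPS}],                 # condition: selection
    "proxy": [{"cs-host": IPS | {DOMAIN}},         # selection
              {"r-dns": {DOMAIN}}],                # or selection2
}

def selection_matches(selection, event):
    """All fields of a selection must match (AND within a selection map)."""
    return all(str(event.get(field, "")).lower() in {v.lower() for v in values}
               for field, values in selection.items())

def matches(event):
    """True if the event hits the rule document for its logsource category."""
    selections = RULE.get(event.get("category"), [])
    return any(selection_matches(sel, event) for sel in selections)

# Constructed sample events (not real telemetry); `category` is assumed to
# carry the logsource category the SIEM assigned to the event.
SAMPLE_EVENTS = [
    {"category": "dns", "query": "debian-package.center"},
    {"category": "dns", "query": "deb.debian.org"},
    {"category": "firewall", "dst_ip": "45.9.148.129", "dst_port": 443},
    {"category": "firewall", "dst_ip": "45.9.148.100"},
    {"category": "proxy", "cs-host": "cdn.example.net", "r-dns": "DEBIAN-PACKAGE.CENTER"},
    {"category": "proxy", "cs-host": "cdn.example.net", "r-dns": "cdn.example.net"},
]

def hits(events=SAMPLE_EVENTS):
    """Return the indexes of events that match the rule."""
    return [i for i, ev in enumerate(events) if matches(ev)]

if __name__ == "__main__":
    for i in hits():
        print("ALERT: Outlaw IOC observed in", SAMPLE_EVENTS[i])
```

The uppercase `r-dns` value in the fifth event still matches, which is the case-insensitive behaviour a Sigma backend is expected to produce; a backend that emits a case-sensitive query would miss it.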


A previous community Sigma rule published on our blog helped detect the Asnarok malware campaign targeting Sophos XG Firewalls: https://socprime.com/blog/sigma-rule-sophos-firewall-asnarok-malware-campaign/