Figure 1. Initial script,

We previously blogged about how we uncovered the operations of the hacking group we named Outlaw that uses an Internet Relay Chat (IRC) bot. This follow-up post covers a host part of the botnet operated by the group, which we found attempting to run a script on our IoT honeypot. The attacking bot used a tool called haiduc to search the internet for systems to attack, which it does by taking advantage of a common command injection vulnerability. If successful, it attempts to run the script by Trend Micro as Coinminer.SH.MALXMR.ATNJ) on targeted hosts.