Figure 1. Initial script, min.sh

We previously blogged about how we uncovered the operations of the hacking group we named Outlaw, which uses an Internet Relay Chat (IRC) bot. This follow-up post covers a host that is part of the botnet operated by the group, which we found attempting to run a script on our IoT honeypot. The attacking bot used a tool called haiduc to search the internet for systems to attack, which it does by taking advantage of a common command injection vulnerability. If successful, it attempts to run the script min.sh (detected by Trend Micro as Coinminer.SH.MALXMR.ATNJ) on targeted hosts.

https://blog.trendmicro.com/trendlabs-security-intelligence/outlaw-group-distributes-botnet-for-cryptocurrency-mining-scanning-and-brute-force/