Cybersecurity researchers have recently uncovered previously unknown payloads associated with the Romanian threat actor Diicot, indicating that the group has the potential to launch distributed denial-of-service (DDoS) attacks.
The connection to Diicot is noteworthy as it aligns with the name of the Romanian organized crime and anti-terrorism policing unit. Furthermore, the group’s campaigns include messaging and imagery related to this organization, as stated in a technical report by Cado Security.
History of the group
Diicot, previously known as Mexals, was first identified by Bitdefender in July 2021, when researchers discovered the group's use of a Go-based SSH brute-forcing tool called Diicot Brute. The tool was used to compromise Linux hosts as part of a cryptojacking campaign.
Source: ResearchGate
In April of this year, Akamai disclosed a “resurgence” of Diicot’s activities that began around October 2022. It is estimated that the threat actor made approximately $10,000 in illicit profits.
Akamai researcher Stiv Kupchik revealed that “the attackers utilise a series of payloads before ultimately deploying a Monero crypto-miner. The latest capabilities observed include using a Secure Shell Protocol (SSH) worm module, enhanced reporting, improved payload obfuscation, and a new LAN spreader module.”
Figure: Mexals' full payload chain (source: Akamai)
Attack technique today
According to Cado Security's recent analysis:
- Diicot uses an off-the-shelf botnet called Cayosin, which shares similarities with the Qbot and Mirai malware families. This development indicates that the threat actor has acquired the capability to launch DDoS attacks.
- Diicot has also engaged in doxxing rival hacking groups and relies on Discord for command-and-control and data exfiltration.
Other points to note
Cado Security further noted that:
- Diicot deployed the Cayosin agent against routers running the Linux-based OpenWrt operating system.
- This adoption of Cayosin demonstrates the threat actor’s willingness to execute various attacks beyond crypto-jacking, depending on the targets they encounter.
- Diicot's attack chains have remained consistent: the group typically uses its custom SSH brute-forcing tool to gain initial access and then introduces additional malware such as Mirai variants and crypto miners.
Tools employed by Diicot are:
- Chrome: An internet scanner based on Zmap that saves its scan results to a text file named “bios.txt.”
- Update: An executable that fetches and runs the SSH brute-forcer and Chrome if they are not already present on the system.
- History: A shell script designed to run the Update tool.
What does it do?
The SSH brute-forcing tool, named aliases, parses the text-file output of Chrome and attempts to log in to each identified IP address. If a login succeeds, it establishes a remote connection to the compromised host.
A series of commands is then executed to profile the infected host, after which the tool either deploys a cryptominer or, if the CPU has fewer than four cores, uses the machine as a spreader instead.
How to mitigate the risk?
To mitigate such attacks, Cado Security recommends that:
- Organizations implement SSH hardening techniques and firewall rules that restrict SSH access to specific IP addresses.
- Strong passwords are used. The threat actor employs a relatively limited list of usernames and passwords, often relying on default or easily guessed credentials.
- Defenders expect lengthy and convoluted execution chains, which make Diicot campaigns harder to analyse.
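As an added example (not code from Cado Security's report or from the article), here is a small Python check for the behaviour described above: repeated SSH login failures from a single source cycling through a short list of usernames. The log lines are constructed for illustration and follow the standard OpenSSH auth.log format; the threshold and window are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the standard OpenSSH failure message written to auth.log.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample: one source hammering default accounts, one benign source.
SAMPLE_LOG = [
    "Jun 12 10:15:01 host sshd[1201]: Failed password for root from 192.0.2.10 port 51022 ssh2",
    "Jun 12 10:15:04 host sshd[1203]: Failed password for invalid user admin from 192.0.2.10 port 51030 ssh2",
    "Jun 12 10:15:09 host sshd[1205]: Failed password for root from 192.0.2.10 port 51041 ssh2",
    "Jun 12 10:15:13 host sshd[1208]: Failed password for invalid user pi from 192.0.2.10 port 51055 ssh2",
    "Jun 12 10:15:20 host sshd[1210]: Failed password for invalid user ubnt from 192.0.2.10 port 51060 ssh2",
    "Jun 12 10:15:27 host sshd[1212]: Failed password for root from 192.0.2.10 port 51071 ssh2",
    "Jun 12 10:16:00 host sshd[1220]: Failed password for alice from 198.51.100.7 port 40001 ssh2",
    "Jun 12 10:16:05 host sshd[1220]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2",
    "Jun 12 10:40:00 host sshd[1300]: Failed password for alice from 198.51.100.7 port 40120 ssh2",
]

def parse_failures(lines, year=2023):
    """Yield (timestamp, source_ip, username) for each failed-login line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so one is supplied (assumed) here
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]

def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Return {ip: sorted usernames} for sources with >= threshold failures inside any window."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failures(lines):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):          # sliding window over sorted events
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = sorted({u for _, u in events})
                break
    return flagged

if __name__ == "__main__":
    for ip, users in detect_bruteforce(SAMPLE_LOG).items():
        print(f"possible SSH brute force from {ip}, usernames tried: {', '.join(users)}")
```

The flagged source and the list of usernames it tried can be fed into the firewall rules or SSH allow-lists recommended above.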
Concluding thoughts
Malware keeps evolving, and its increasingly advanced tactics will keep defenders busy with mitigation and prevention every day. Sadly, we cannot eliminate it, but we can be mindful of it. Every organization and individual reading this should therefore practice the best security policies they are capable of, at home and at work.