A Romanian threat group tracked as Diicot has reemerged in the threat landscape. The group appears to have been active since 2020 and is known for conducting cryptojacking campaigns and developing Malware-as-a-Service (MaaS).
The group was initially referred to as Mexals and shares its name with the Romanian anti-terrorism policing unit; it also uses the same messaging and imagery styles.
Linux machines on target
According to Cado Labs’ research, Diicot has been found deploying Cayosin, a variant of the Mirai botnet, in its new campaign.
The botnet is used against routers running OpenWrt, a Linux-based operating system for embedded devices, for DDoS and cryptojacking attacks.
Besides deploying the botnet, researchers uncovered that the group is actively involved in doxxing members of a rival hacking group.
Some unique TTPs
Diicot heavily relies on the Shell Script Compiler to make analyzing the loader scripts difficult.
The payloads are packed using a customized version of UPX with modified header bytes, another anti-analysis mechanism employed by the group.
Diicot uses Discord for C2 and supports HTTP POST requests to a webhook URL for exfiltrating data from victims’ systems.
Modus operandi
A custom Golang-based 64-bit SSH brute-forcing tool called ‘aliases’ is used to gain initial access to victims’ systems.
The tool ingests a list of IP addresses and credential pairs for conducting attacks.
Once it brute-forces its way into an OpenWrt router, it drops a ‘bins.sh’ script that ultimately downloads the Cayosin botnet for further malicious activity.
Conclusion
Researchers identified four distinct C2 servers, indicating that the campaign is ongoing. It is claimed that the hacking group is evolving tactics to expand its attack scope. As the current campaign specifically targets SSH servers exposed to the internet with password authentication enabled, it is advisable to implement a basic SSH hardening process to defend against malware attacks. This includes mandatory key-based authentication for SSH instances and the implementation of firewall rules to limit SSH access to specific IP addresses.
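As an added example (not code from the article or from Cado Labs), the POSIX shell script below checks an OpenSSH sshd_config for the password-authentication exposure the campaign's brute-forcer relies on and emits the two mitigations recommended above: key-only authentication and a firewall allow-list for SSH. The sshd_config paths, the nftables table and chain names, and the 203.0.113.0/24 allow-list CIDR are assumptions.

```shell
#!/bin/sh
# Added example, not from the article or Cado Labs: audit an OpenSSH sshd_config
# for password logins and emit the two recommended mitigations. File paths, the
# nftables table/chain and the allow-list CIDR are constructed placeholders.
# Return 0 (hardened) when password auth is off and pubkey auth is on, else 1.
# sshd uses the first value it sees for a keyword, and directives under a
# "Match" block apply only conditionally, so reading stops at the first Match.
ssh_password_auth_disabled() {
    conf="$1"
    pw=$(awk 'tolower($1)=="match"{exit} tolower($1)=="passwordauthentication"{print tolower($2); exit}' "$conf")
    pk=$(awk 'tolower($1)=="match"{exit} tolower($1)=="pubkeyauthentication"{print tolower($2); exit}' "$conf")
    # OpenSSH defaults when a keyword is absent: both "yes"
    [ "${pw:-yes}" = "no" ] && [ "${pk:-yes}" = "yes" ]
}

# Print (do not apply) an nftables rule dropping SSH from anything outside $1.
ssh_allowlist_rule() {
    printf 'nft add rule inet filter input tcp dport 22 ip saddr != %s drop\n' "$1"
}

# Constructed sample configs: a default-style one and a hardened one.
write_samples() {
    cat > "$1/sshd_config.weak" <<'EOF'
Port 22
PasswordAuthentication yes
PermitRootLogin yes
EOF
    cat > "$1/sshd_config.hardened" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
MaxAuthTries 3
EOF
}

# Demo: write the samples to a temporary directory and report each verdict.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in "$demo_dir/sshd_config.weak" "$demo_dir/sshd_config.hardened"; do
    if ssh_password_auth_disabled "$f"; then
        echo "$(basename "$f"): hardened (key-only authentication)"
    else
        echo "$(basename "$f"): password logins allowed, brute-forceable"
    fi
done
ssh_allowlist_rule 203.0.113.0/24   # RFC 5737 documentation range as allow-list
rm -rf "$demo_dir"
```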