Cybersecurity researchers have recently discovered new payloads associated with a Romanian threat actor known as Diicot, indicating its potential for launching distributed denial-of-service (DDoS) attacks. The name “Diicot” is significant because it matches the name of the Romanian organized crime and anti-terrorism policing unit. The group’s campaigns also contain messaging and imagery related to this organization, adding to its notoriety.

Diicot, previously known as Mexals, was initially identified by Bitdefender in July 2021, when it was found to be using a Go-based SSH brute-forcer tool named Diicot Brute to compromise Linux hosts as part of a cryptojacking campaign. Akamai later reported a resurgence of Diicot’s activities in April this year, suggesting that the campaign began around October 2022 and resulted in illicit profits of approximately $10,000.

According to Akamai, the attackers employ a chain of payloads before ultimately deploying a Monero cryptominer. The latest analysis by Cado Security reveals that Diicot has also started using an off-the-shelf botnet called Cayosin, which exhibits similarities to the Qbot and Mirai malware families. This development indicates that the threat actor now possesses the capability to launch DDoS attacks. In addition to cryptojacking, Diicot has been involved in activities such as doxxing rival hacking groups and using Discord for command-and-control and data exfiltration. Cado Security’s analysis further highlights that the group deploys Cayosin primarily against routers running OpenWrt, a Linux-based operating system for embedded devices. This demonstrates Diicot’s willingness to carry out various types of attacks, depending on the nature of its targets, rather than being limited to cryptojacking alone.

The compromise chains employed by Diicot have remained relatively consistent, typically involving the use of the custom SSH brute-forcing utility to gain initial access and then dropping additional malware such as Mirai variants and crypto miners.

Among the tools used by the threat actor, the notable ones are:

- Chrome: An internet scanner based on Zmap, which writes the results of its scan to a text file (“bios.txt”).
- Update: An executable that fetches and executes the SSH brute-forcer and Chrome if they are not already present on the system.
- History: A shell script designed to run Update.

The SSH brute-forcer tool parses the text file produced by Chrome, attempts to break into each identified IP address, and establishes a remote connection when an attempt succeeds.

To mitigate such attacks, organizations are advised to implement SSH hardening and firewall rules that restrict SSH access to specific IP addresses. Cado Security emphasizes that this campaign specifically targets SSH servers exposed to the internet with password authentication enabled. The threat actor employs a relatively limited list of default and easily guessed credential pairs.

In conclusion, the expansion of Diicot’s capabilities to include DDoS attacks signifies a concerning development in the threat landscape. The group’s use of off-the-shelf botnets and its involvement in various malicious activities raise the need for enhanced security measures and vigilance among organizations to protect against these evolving threats.
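The SSH password brute-forcing described above leaves a recognisable trace in sshd logs: many failed password logins from one source against a handful of common usernames, sometimes followed by a successful password login from the same address. The following detection sketch is an added example, not code from the article or from Cado Security; the log lines, IP addresses and usernames are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sshd log sample (not taken from the article or any report);
# addresses are from documentation ranges, usernames are made up.
SAMPLE_AUTH_LOG = """\
Jun 19 10:01:02 host sshd[2201]: Failed password for root from 192.0.2.10 port 51022 ssh2
Jun 19 10:01:03 host sshd[2203]: Failed password for invalid user admin from 192.0.2.10 port 51024 ssh2
Jun 19 10:01:04 host sshd[2205]: Failed password for invalid user pi from 192.0.2.10 port 51026 ssh2
Jun 19 10:01:05 host sshd[2207]: Failed password for root from 192.0.2.10 port 51028 ssh2
Jun 19 10:01:06 host sshd[2209]: Accepted password for root from 192.0.2.10 port 51030 ssh2
Jun 19 10:05:00 host sshd[2300]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Jun 19 10:05:20 host sshd[2302]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

# "invalid user" appears when the account does not exist on the host.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
# Only password logins matter here; key-based logins are not affected by guessing.
ACCEPTED_RE = re.compile(r"Accepted password for (\S+) from (\S+) port")

def analyze_auth_log(text, threshold=3):
    """Summarise password-guessing activity in sshd log text.

    Returns the source IPs with at least `threshold` failed password logins,
    the distinct usernames each of them tried, and every password login that
    succeeded from an address that had already failed at least once."""
    failures = defaultdict(int)
    usernames = defaultdict(set)
    compromised = []  # (ip, user): password accepted after earlier failures
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            usernames[ip].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            user, ip = m.groups()
            if failures.get(ip, 0) > 0:
                compromised.append((ip, user))
    suspicious = sorted(ip for ip, n in failures.items() if n >= threshold)
    return {
        "suspicious": suspicious,
        "usernames": {ip: sorted(usernames[ip]) for ip in suspicious},
        "compromised": compromised,
    }

if __name__ == "__main__":
    print(analyze_auth_log(SAMPLE_AUTH_LOG))
```

A single host's result is a starting point; correlating the same source across many servers is what exposes an internet-wide scan-and-guess campaign.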
October 20, 2023