A group of cybercriminals known as Diicot has been engaging in mass SSH brute-force scanning and deploying a variant of the Mirai IoT botnet on compromised devices, according to researchers. Additionally, the group has been deploying a cryptocurrency mining payload on servers with CPUs that have more than four cores.
In a recent analysis of Diicot’s attack campaign, researchers from Cado Security found evidence of the group deploying an off-the-shelf Mirai-based botnet agent named Cayosin. The deployment of this agent specifically targeted routers running OpenWrt, the Linux-based operating system for embedded devices.
The Diicot group, previously known as Mexals, has been active since at least 2021. From strings found in their malware payloads, scripts, and messages directed at rival hacker groups, researchers have strong indications that Diicot is based in Romania. Even their new name mimics the acronym of the Romanian law-enforcement agency, the Directorate for Investigating Organized Crime and Terrorism (DIICOT), which also investigates and prosecutes cybercrime.
Diicot’s previous campaigns, documented by Bitdefender in 2021, primarily focused on cryptojacking. This involves hijacking computing power for cryptocurrency mining. The group targeted Linux servers with weak SSH credentials, utilizing custom and centralized mass scanning and brute-force scripts to try various combinations of usernames and passwords. Once a server was successfully compromised, Diicot deployed a custom version of the open-source XMRig software to mine Monero.
In more recent campaigns, researchers from Akamai noticed Diicot’s name change and the diversification of its attack toolkit. This included the addition of an SSH worm written in Golang and the deployment of a Mirai variant called Cayosin. Mirai, originally appearing in 2016, was a self-propagating botnet designed to infect embedded networking devices. The botnet’s source code was later made publicly available, allowing cybercriminals to develop various other improved variants based on it.
Cado Security recently investigated Diicot’s latest attack campaign, which appears to have started in April 2023. The attack involves the use of a Golang SSH brute-forcing tool called aliases. This tool attempts to brute-force authentication by taking a list of target IP addresses and username/password pairs. If the compromised system runs OpenWrt, the attackers deploy a script called bins.sh, responsible for determining the device’s CPU architecture and deploying a Cayosin binary compiled specifically for that architecture.
For systems not running OpenWrt, the aliases tool deploys Linux binary payloads created with the shell script compiler (SHC) tool and packed with UPX. These payloads serve as malware loaders, preparing the system for the deployment of the XMRig variant.
One of the SHC payloads, named “payload,” executes a bash script that checks if the system has at least four CPU cores before deploying XMRig. The script also changes the password for the current user under execution. If the user is root, a hardcoded password is set; otherwise, the password is dynamically generated from the current date.
The payload tool also deploys another SHC executable named .diicot, which adds an attacker-controlled SSH key to the current user to ensure future access. It also checks if the SSH service is running and registered as a service. The script proceeds to download the custom XMRig variant and save it as Opera, along with its configuration file. Additionally, it creates a cron script to check for and relaunch the Opera process if it’s not running.
The payload tool downloads another SHC executable called “update,” which deploys the aliases brute-force tool and a copy of the Zmap network scanner named “chrome.” The update executable also deploys a shell script called “history,” which executes update itself and creates a cron script ensuring that the history and chrome executables keep running on the system.
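The persistence steps described above (an attacker-controlled key added to authorized_keys, and cron entries that poll for and relaunch the Opera, history and chrome processes) are what a defender can look for on a host. The following is an added example, not Cado Security's code and not anything from the campaign: a small Python audit that parses authorized_keys against an allowlist of key blobs you provision yourself, and flags cron lines that either name those processes or follow a check-then-relaunch pattern. The key blobs, the /tmp/PLACEHOLDER_DIR paths and the cron entries are constructed samples, and the relaunch regex is a heuristic assumption to tune for your environment.

```python
"""Audit a Linux host for the persistence artifacts described above.

Added example; this is not Cado Security's code or any Diicot tooling.
It operates on text so it runs offline against the constructed samples at
the bottom; point the same functions at a real ~/.ssh/authorized_keys or
the contents of /etc/cron.d and user crontabs to use it in practice.
"""
import re

# Process names the article says the cron scripts keep alive on infected hosts.
SUSPECT_PROCESS_NAMES = {"Opera", "history", "chrome"}

# A cron entry that polls for a process and relaunches it if absent
# (`pgrep ... || launch`, `ps aux | grep ... || launch`). Assumed heuristic.
RELAUNCH_PATTERN = re.compile(r"\b(pgrep|pidof|ps\s+(?:-ef|aux))\b.*\|\|")


def parse_authorized_keys(text):
    """Return (key_type, key_blob, comment) for every key line.

    Leading options such as command="..." are skipped by looking for the
    first token that is a key-type name.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        for i, tok in enumerate(tokens):
            if tok.startswith(("ssh-", "ecdsa-", "sk-")):
                blob = tokens[i + 1] if i + 1 < len(tokens) else ""
                entries.append((tok, blob, " ".join(tokens[i + 2:])))
                break
    return entries


def unknown_keys(text, managed_blobs):
    """Keys whose blob is not in the set of blobs you provision yourself."""
    return [e for e in parse_authorized_keys(text) if e[1] not in managed_blobs]


def suspicious_cron_lines(text):
    """Cron lines that relaunch a process or mention the suspect names."""
    hits = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        names = sorted(n for n in SUSPECT_PROCESS_NAMES
                       if re.search(rf"\b{n}\b", stripped))
        relaunch = RELAUNCH_PATTERN.search(stripped) is not None
        if names or relaunch:
            hits.append({"line": stripped, "names": names, "relaunch_loop": relaunch})
    return hits


# Constructed samples: key blobs and paths are placeholders, not real IoCs.
SAMPLE_AUTHORIZED_KEYS = """\
# managed by configuration management
ssh-ed25519 AAAAC3EXAMPLE_MANAGED_KEY_1 admin@bastion
command="/usr/local/bin/backup" ssh-rsa AAAAB3EXAMPLE_MANAGED_KEY_2 backup@host
ssh-rsa AAAAB3EXAMPLE_UNKNOWN_KEY root@unknown
"""
MANAGED_KEY_BLOBS = {"AAAAC3EXAMPLE_MANAGED_KEY_1", "AAAAB3EXAMPLE_MANAGED_KEY_2"}

SAMPLE_CRON = """\
# benign entry
0 4 * * * root /usr/sbin/logrotate /etc/logrotate.conf
* * * * * root pgrep -x Opera >/dev/null || /tmp/PLACEHOLDER_DIR/Opera -c /tmp/PLACEHOLDER_DIR/config.json
*/5 * * * * root ps aux | grep -q '[h]istory' || /tmp/PLACEHOLDER_DIR/history
"""


def audit(authorized_keys_text, cron_text, managed_blobs):
    """Combine both checks into one report dict."""
    return {
        "unknown_keys": unknown_keys(authorized_keys_text, managed_blobs),
        "cron": suspicious_cron_lines(cron_text),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_AUTHORIZED_KEYS, SAMPLE_CRON, MANAGED_KEY_BLOBS)
    for key_type, blob, comment in report["unknown_keys"]:
        print(f"unknown key: {key_type} {blob[:16]}... {comment}")
    for hit in report["cron"]:
        print(f"suspicious cron: {hit}")
```

Matching on process names is the weakest part of the check, since "history" and "chrome" are ordinary words; the relaunch-loop pattern is the more durable signal, because a cron job whose only purpose is to restart a binary living under /tmp or a user's home directory is unusual regardless of what the binary is called.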
Diicot’s use of tools like Cayosin demonstrates their willingness to conduct various attacks beyond just cryptojacking, depending on the type of targets they encounter. This finding is consistent with Akamai’s research, indicating that the group continues to invest engineering effort into deploying Cayosin. As a result, Diicot has gained the ability to conduct DDoS attacks, which is the primary objective of Cayosin according to previous reporting.
To protect against Diicot’s attacks, organizations should apply basic SSH hardening to their servers: use key-based authentication instead of passwords, and use firewall rules that restrict SSH access to trusted IP addresses. Detecting Diicot scanning that originates from a compromised system should be relatively straightforward at the network level, as the scanning generates significant noise.
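As an added example that is not part of the original article or Cado Security's research, the Python below turns that advice into three checks: a reading of sshd_config that reports whether password logins are effectively off (including the keyboard-interactive path, which PasswordAuthentication alone does not close on PAM systems), a sliding-window count of "Failed password" lines in sshd's syslog output that flags a source trying many usernames within a few minutes, and a fan-out count over connection records that flags a host contacting many distinct addresses on port 22, which is what the scanning noise looks like from the network side. The config snippets, log lines, flow tuples (RFC 5737 documentation addresses) and thresholds are all constructed assumptions.

```python
"""Checks for the SSH hardening and scan-detection advice above.

Added example, not from the original article or Cado Security's research.
All inputs are constructed samples embedded below; thresholds are assumptions
to tune for your environment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# --- 1. sshd_config: is password authentication really off? -----------------
# PasswordAuthentication alone is not enough on PAM systems: sshd can still ask
# for a password over keyboard-interactive unless that is disabled too (older
# releases spell that directive ChallengeResponseAuthentication).
EXPECTED = {"PasswordAuthentication": "no", "KbdInteractiveAuthentication": "no",
            "PubkeyAuthentication": "yes"}
DEFAULTS = {k: "yes" for k in EXPECTED}  # sshd's built-in default for all three
ALIASES = {"KbdInteractiveAuthentication": "ChallengeResponseAuthentication"}


def parse_sshd_config(text):
    """Global directives -> value; first occurrence wins, as in sshd itself."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.lower().startswith("match "):
            break  # Match blocks are conditional; this check covers the global section
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0], parts[1].strip())
    return settings


def hardening_findings(text):
    """Human-readable problems; an empty list means all three directives are right."""
    settings, findings = parse_sshd_config(text), []
    for key, want in EXPECTED.items():
        got = settings.get(key) or settings.get(ALIASES.get(key, ""))
        effective = (got or DEFAULTS[key]).lower()
        if effective != want:
            findings.append(f"{key}: effective value {effective}, expected {want}"
                            + ("" if got else " (not set, sshd default applies)"))
    return findings


# Constructed configs: the weak one leaves passwords reachable, the other does not.
WEAK_CONFIG = "# constructed\nPort 22\n#PasswordAuthentication no\nChallengeResponseAuthentication yes\n"
HARDENED_CONFIG = ("# constructed\nPort 22\nPasswordAuthentication no\nKbdInteractiveAuthentication no\n"
                   "PubkeyAuthentication yes\nMatch User deploy\n    PasswordAuthentication no\n")

# --- 2. auth log: many failed passwords from one source in a short window ---
FAILED_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) \S+ sshd\[\d+\]: Failed password "
                       r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")


def brute_force_sources(log_text, threshold=10, window=timedelta(minutes=5), year=2023):
    """{ip: (max failures within any `window`, usernames tried)} for ips over threshold."""
    times, users = defaultdict(list), defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:  # syslog lines carry no year, so the caller supplies one
            times[m["ip"]].append(datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"))
            users[m["ip"]].add(m["user"])
    flagged = {}
    for ip, stamps in times.items():
        stamps.sort()
        start, best = 0, 0
        for end, t in enumerate(stamps):  # sliding window over sorted timestamps
            while t - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = (best, sorted(users[ip]))
    return flagged


def constructed_auth_log():
    """12 failures in two minutes from one source; two stray failures from another."""
    base, names = datetime(2023, 6, 12, 10, 0), ["root", "admin", "ubuntu", "pi"]
    line = "{:%b %d %H:%M:%S} host1 sshd[{}]: {} for {} from {} port {} ssh2".format
    lines = [line(base + timedelta(seconds=10 * i), 1000 + i, "Failed password",
                  ("invalid user " if i % 2 else "") + names[i % 4], "203.0.113.5", 40000 + i)
             for i in range(12)]
    lines += [line(base + timedelta(hours=h), 2000 + h, "Failed password", "alice",
                   "198.51.100.7", 5001) for h in (1, 4)]
    lines.append(line(base, 3000, "Accepted publickey", "alice", "198.51.100.7", 5002))
    return "\n".join(lines)


# --- 3. network: one host fanning out to many destinations on tcp/22 --------
def ssh_fan_out(flows, min_distinct_dsts=50):
    """{src: distinct dsts} for sources that reached >= min_distinct_dsts hosts on 22.

    `flows` yields (src_ip, dst_ip, dst_port); in practice from NetFlow, Zeek or firewall logs.
    """
    targets = defaultdict(set)
    for src, dst, dport in flows:
        if dport == 22:
            targets[src].add(dst)
    return {s: len(d) for s, d in targets.items() if len(d) >= min_distinct_dsts}


def constructed_flows():
    """One host probing 200 addresses on 22; another doing ordinary traffic."""
    scanner = [("10.0.0.23", f"192.0.2.{i}", 22) for i in range(200)]
    normal = [("10.0.0.5", f"198.51.100.{i}", 443) for i in range(40)]
    return scanner + normal + [("10.0.0.5", "10.0.0.9", 22), ("10.0.0.5", "10.0.0.10", 22)]


if __name__ == "__main__":
    print("weak config:", hardening_findings(WEAK_CONFIG))
    print("hardened config:", hardening_findings(HARDENED_CONFIG))
    print("brute-force sources:", brute_force_sources(constructed_auth_log()))
    print("ssh fan-out:", ssh_fan_out(constructed_flows()))
```

The fan-out check is the one that catches an already-compromised host: the brute-force detector above sees inbound attempts against your own servers, but a Diicot-infected machine is the source of the noise, so the signal to watch is an internal address opening connections to dozens of unrelated hosts on port 22, not failed logins on the box itself.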
In conclusion, the cybercriminal group known as Diicot has been using mass SSH brute-force scanning and deploying a Mirai-based botnet called Cayosin on compromised devices to carry out various malicious activities, including cryptojacking and DDoS attacks. It is essential for organizations to implement proper security measures to protect against these attacks and ensure the safety of their systems and data.

