Pierluigi Paganini
June 19, 2023
Cado researchers recently detected an interesting attack pattern linked to an emerging cybercrime group tracked as Diicot (formerly, “Mexals”) and described in analyses published by Akamai and Bitdefender.
The experts discovered several payloads, some of which were not publicly known, that are being used as part of a new ongoing campaign.
Evidence collected by Cado suggests the deployment of a botnet having DDoS capabilities.
The use of the name Diicot, which is also the name of a Romanian organized crime and anti-terrorism policing unit, and the presence of Romanian-language strings and log statements in the payloads suggests that the group could be based in Romania.
The Diicot cybercrime group has traditionally been associated with cryptojacking campaigns, but Cado Labs observed the group deploying the off-the-shelf Mirai-based bot known as Cayosin. The Cayosin bot employed in the attacks observed by Cado targeted routers running the Linux-based embedded devices operating system OpenWrt.
The group has distinctive TTPs such as the heavy use of the Shell Script Compiler (shc) and a custom version of the UPX packer (using a header modified with the bytes 0x59545399) to prevent unpacking via the standard command (“upx -d c”).
Diicot heavily used Discord for C2, the platform supports HTTP POST requests to a webhook URL, allowing exfiltrated data and campaign statistics to be viewed within a given channel. Cado identified four distinct channels used in this campaign.
“Diicot campaigns generally involve a long execution chain, with individual payloads and their outputs forming interdependent relationships. shc executables are typically used as loaders and prepare the system for mining via Diicot’s custom fork of XMRig, along with registering persistence.” reads the report published by Cado. “Executables written in Golang tend to be dedicated to scanning, brute-forcing and propagation, and a fork of the zmap internet scanning utility has often been observed.”
The attack chain observed by the researchers is very long and the last stage is a Monero cryptominer.
The initial access for this campaign is via a custom SSH brute-forcing tool, named aliases.
The experts also observed the group using a set of tools including an internet scanner named Chrome which is based on Zmap, an shc executable named Update that retrieves Chrome and aliases if they don’t exist, and a shell script named History that checks whether Update is running and executes it if not.
“Diicot are an emerging threat group with a range of objectives and the technical knowledge to act on them. This campaign specifically targets SSH servers exposed to the internet with password authentication enabled. The username/password list they use is relatively limited and includes default and easily-guessed credential pairs.” concludes the report. “Cado Labs encourages readers to implement basic SSH hardening to defend against this malware family, including mandatory key-based authentication for SSH instances and implementation of firewall rules to limit SSH access to specific IPs.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Clop ransomware)
