Diicot cybercrime gang expands its attack capabilities

Researchers found evidence that Diicot threat actors are expanding their capabilities with new payloads and the Cayosin Botnet.

Cado researchers recently detected an interesting attack pattern linked to an emerging cybercrime group tracked as Diicot (formerly, “Mexals”) and described in analyses published by Akamai and Bitdefender.

The experts discovered several payloads, some of which were not publicly known, that are being used as part of a new ongoing campaign. 

Evidence collected by Cado suggests the deployment of a botnet having DDoS capabilities.

The use of the name Diicot, which is also the name of a Romanian organized crime and anti-terrorism policing unit, and the presence of Romanian-language strings and log statements in the payloads suggests that the group could be based in Romania. 

The Diicot cybercrime group has traditionally been associated with cryptojacking campaigns, but Cado Labs observed the group deploying the off-the-shelf Mirai-based bot known as Cayosin. The Cayosin bot employed in the attacks observed by Cado targeted routers running the Linux-based embedded devices operating system OpenWrt

The group has distinctive TTPs such as the heavy use of the Shell Script Compiler (shc) and a custom version of the UPX packer (using a header modified with the bytes 0x59545399) to prevent unpacking via the standard command (“upx -d c”).

Diicot heavily used Discord for C2, the platform supports HTTP POST requests to a webhook URL, allowing exfiltrated data and campaign statistics to be viewed within a given channel. Cado identified four distinct channels used in this campaign.

“Diicot campaigns generally involve a long execution chain, with individual payloads and their outputs forming interdependent relationships. shc executables are typically used as loaders and prepare the system for mining via Diicot’s custom fork of XMRig, along with registering persistence.” reads the report published by Cado. “Executables written in Golang tend to be dedicated to scanning, brute-forcing and propagation, and a fork of the zmap internet scanning utility has often been observed.”

The attack chain observed by the researchers is very long and the last stage is a Monero cryptominer.

The initial access for this campaign is via a custom SSH brute-forcing tool, named aliases.

The experts also observed the group using a set of tools including an internet scanner named Chrome which is based on Zmap, an shc executable named Update that retrieves Chrome and aliases if they don’t exist, and a shell script named History that checks whether Update is running and executes it if not.

“Diicot are an emerging threat group with a range of objectives and the technical knowledge to act on them. This campaign specifically targets SSH servers exposed to the internet with password authentication enabled. The username/password list they use is relatively limited and includes default and easily-guessed credential pairs.” concludes the report. “Cado Labs encourages readers to implement basic SSH hardening to defend against this malware family, including mandatory key-based authentication for SSH instances and implementation of firewall rules to limit SSH access to specific IPs.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Clop ransomware)

Pierluigi Paganini: Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

This website uses cookies.