A group of cybersecurity experts has recently unearthed previously unreported payloads linked to a Romanian threat actor named Diicot. The discovery sheds light on the threat actor's capability to execute distributed denial-of-service (DDoS) attacks.
In July 2021, a cybersecurity firm called Bitdefender discovered the actions of a threat actor named Diicot (formerly known as Mexals).
The investigation revealed that Diicot utilized a tool called Diicot Brute, which is a Go-based SSH brute-forcer, to compromise Linux hosts as part of their cryptojacking campaign.
Akamai revealed a renewed surge in Diicot's operations that had been previously identified in 2021. This latest wave of attacks, believed to have commenced around October 2022, allowed the threat actor to accumulate illicit profits amounting to approximately $10,000.
A recent analysis conducted by Cado Security has uncovered that the Diicot group has expanded its tactics by utilizing a ready-made botnet agent called Cayosin. This particular malware, which exhibits similarities to Qbot and Mirai, signifies a significant development for the threat actor as it demonstrates their newfound capability to launch distributed denial-of-service (DDoS) attacks.
Additionally, the group has engaged in activities such as revealing private information about rival hacking groups, a practice known as doxxing. Furthermore, Diicot relies on the popular communication platform Discord for controlling its operations and extracting stolen data.
The threat actor, Diicot, employs several distinct tools in their operations:
Chrome: This tool functions as an internet scanner using Zmap technology. It gathers information during operations and saves the outcomes to a text file named "bios.txt".
Update: This executable is responsible for fetching and executing the SSH brute-forcer and Chrome tools if they are not already present on the compromised system.
History: Designed as a shell script, History facilitates the execution of the Update tool.
DDoS attacks and Cryptojacking Relation
DDoS attacks and cryptojacking are being combined by cybercriminals. The connection lies in using DDoS attacks to distract from and mask cryptojacking activities. This can involve launching a DDoS attack on a cryptocurrency exchange to divert attention.
It can also include using DDoS attacks to test a victim's defenses and exploit vulnerabilities for cryptojacking. The consequences of this combination include increased energy consumption, hardware damage, and the potential theft of sensitive information.
The SSH brute-forcer tool, also known as aliases, utilizes the information extracted from Chrome's text file output. It processes this data to gain access to each identified IP address. If the brute-forcing attempt is successful, it establishes a remote connection to the respective IP address.
To determine if your computer is part of a botnet, watch out for the following signs:
- Unexplained activity: Excessive running of the processor, hard drive, or computer fans without a clear cause.
- Slow Internet: Unusually slow internet speeds, despite no active downloads, uploads, or software updates.
- Slow reboots and shutdowns: Sluggish shutdowns or restarts, potentially caused by malicious software.
- Application crashes: Previously stable programs now frequently crashing or behaving erratically.
- High RAM usage: Check if an unknown application is consuming a significant portion of your computer's memory.
- Mysterious emails: Recipients reporting spam or malicious emails sent from your account.
- Unsafe habits: Neglecting important security updates, visiting unsafe websites, downloading unsafe software, or clicking on malicious links.
To protect against these attacks, organizations are advised to implement measures such as SSH hardening and firewall rules. By implementing SSH hardening practices, organizations can strengthen the security of their SSH configurations.
Additionally, setting up firewall rules helps limit SSH access to specific IP addresses, reducing the potential for unauthorized access attempts. These proactive measures can significantly enhance the security posture of organizations against SSH-related threats.