Unmasking Romania’s Diicot: High-Profile DDoS Attacks And Cryptojacking


A recent investigation by cybersecurity specialists has uncovered previously unknown payloads connected to Diicot, a Romanian cyber threat actor. The discovery reveals the group's growing capability to execute distributed denial-of-service (DDoS) attacks.

Emergence of a New Cyber Threat: Romania’s Diicot

Diicot is significant as it shares its moniker with the Romanian organized crime and anti-terrorism policing unit. In a detailed report, Cado Security stated that traces from Diicot’s campaigns showcase messages and imagery related to this organization, establishing a potential link.

The origins of Diicot, known initially as Mexals, were first traced by Bitdefender in July 2021. This discovery unveiled Diicot’s employment of a Go-based SSH brute-forcer tool, Diicot Brute. This tool was used to infiltrate Linux hosts, aiding in the execution of a cryptojacking campaign.

A Resurgence in Diicot’s Activities


In April of this year, Akamai revealed a “resurgence” in Diicot’s activities, with a suspected inception date in October 2022. This revival was highly profitable for the cyber-actor, accumulating approximately $10,000 in unauthorized profits.

Akamai researcher Stiv Kupchik noted the attacker’s deployment of a long chain of payloads before ultimately releasing a Monero crypto miner. New capabilities discovered include using a Secure Shell Protocol (SSH) worm module, improved reporting, enhanced payload obfuscation, and a newly developed LAN spreader module. 

Expanding Capabilities: Diicot’s Adoption of Cayosin Botnet

Cado Security’s latest research suggests Diicot is expanding its attack methods by deploying an off-the-shelf botnet called Cayosin. This malware family shares similarities with Qbot and Mirai, signaling a growth in the group’s technical prowess. This evolution is indicative of Diicot’s newfound capacity to launch DDoS attacks.

Apart from executing DDoS attacks, Diicot’s repertoire includes the doxxing of competing hacking groups and the usage of Discord for command-and-control along with data exfiltration. The group has also demonstrated a propensity to adjust their attack methods based on the nature of their targets.

A Glimpse into Diicot’s Attack Strategy

Diicot’s attack strategy largely involves leveraging their custom SSH brute-forcing utility to gain initial access and drop additional malware, such as the Mirai variant and the crypto miner.

The SSH brute-forcer parses the text file output by Chrome and attempts to break into each IP address it lists. Once a login succeeds, the tool establishes a remote connection to that host.

A series of commands is then run to fingerprint the infected host. Depending on its resources, the compromised machine is either used to run the crypto miner or, if its CPU has fewer than four cores, turned into a spreader.

Countermeasures Against Diicot’s Attacks

To counter such intrusions, organizations are advised to harden SSH and to configure firewall rules that restrict SSH access to specific IP addresses. Cado Security stressed this point because Diicot's campaign targets internet-exposed SSH servers that have password authentication enabled.

The list of username/password combinations they use is fairly limited, mostly consisting of default and easily guessable credential pairs.
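The advice above boils down to a handful of sshd_config settings. As an added example (not code from the article or from Cado Security's report), the script below audits the global section of an sshd_config for the settings that leave a server exposed to this kind of credential brute-forcing, and runs against two constructed sample files; the option names are real OpenSSH keywords, while the file contents and temp paths are invented for the demonstration.

```shell
#!/bin/sh
# Added example, not from the article: audit the global section of an
# sshd_config for settings that invite SSH credential brute-forcing.
# Prints one "WEAK ..." line per finding; a hardened file prints nothing.

# First value of a keyword in the global section (sshd keeps the first
# occurrence; everything after the first "Match" line is ignored here).
# Assumes the "Keyword value" form, not "Keyword=value".
get_opt() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || NF == 0 { next }          # comments and blank lines
    tolower($1) == "match"      { exit }          # leave the global section
    tolower($1) == key          { print tolower($2); exit }
  ' "$1"
}
weak() { echo "WEAK $1=$2 -> $3"; }

audit_sshd_config() {
  f="$1"
  v=$(get_opt "$f" PasswordAuthentication)                 # default: yes
  [ "${v:-yes}" = "no" ] || weak PasswordAuthentication "${v:-unset(default yes)}" "set to no; use keys"
  # Disabling passwords alone is not enough: with UsePAM, keyboard-interactive
  # (default yes; older name ChallengeResponseAuthentication) still prompts for one.
  v=$(get_opt "$f" KbdInteractiveAuthentication)
  [ -n "$v" ] || v=$(get_opt "$f" ChallengeResponseAuthentication)
  [ "${v:-yes}" = "no" ] || weak KbdInteractiveAuthentication "${v:-unset(default yes)}" "set to no"
  v=$(get_opt "$f" PermitRootLogin)
  [ "$v" != "yes" ] || weak PermitRootLogin yes "set to no or prohibit-password"
  v=$(get_opt "$f" MaxAuthTries)                           # default: 6
  case "$v" in
    ''|*[!0-9]*) weak MaxAuthTries "${v:-unset(default 6)}" "set to 3 or fewer" ;;
    *) [ "$v" -le 3 ] || weak MaxAuthTries "$v" "set to 3 or fewer" ;;
  esac
  [ -n "$(get_opt "$f" AllowUsers)$(get_opt "$f" AllowGroups)" ] ||
    weak AllowUsers/AllowGroups unset "allowlist the accounts permitted to log in"
  return 0
}
# Number of findings as a plain integer (for scripting and the test).
weak_count() { audit_sshd_config "$1" | grep '^WEAK' | wc -l | tr -d ' '; }

# Constructed sample configs: a common exposed default and a hardened one.
WEAK_CFG=$(mktemp); HARDENED_CFG=$(mktemp)
printf '%s\n' 'Port 22' 'PermitRootLogin yes' 'PasswordAuthentication yes' 'UsePAM yes' > "$WEAK_CFG"
printf '%s\n' 'Port 22' 'PermitRootLogin no' 'PasswordAuthentication no' \
  'KbdInteractiveAuthentication no' 'PubkeyAuthentication yes' 'MaxAuthTries 3' \
  'AllowGroups ssh-users' 'Match Address 10.0.0.0/8' '    PasswordAuthentication yes' > "$HARDENED_CFG"
audit_sshd_config "$WEAK_CFG"
echo "hardened findings: $(weak_count "$HARDENED_CFG")"
```

The hardened sample keeps password logins only inside a `Match Address` block for an internal range, which is the sshd_config counterpart of the firewall restriction the article recommends; the audit deliberately stops at that line because Match settings never apply to unrestricted internet clients.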
