
Diicot cybercriminals unleashing a new wave of DDoS attacks

Romanian threat actor Diicot exhibits enhanced capabilities and diversified attack strategies, posing significant cybersecurity concerns


Security researchers have uncovered new, previously undocumented payloads tied to a Romanian threat group known as Diicot, which is now believed to be capable of launching distributed denial-of-service (DDoS) attacks. The name is notable because it mirrors that of a prominent Romanian organized crime and counter-terrorism police unit, and artifacts from Diicot's activity include messages and images referencing that law enforcement body, as disclosed in a technical report by Cado Security.

The evolution and rise of Diicot's cybercriminal activities

Diicot, also known as Mexals, was first documented by Bitdefender in July 2021, which described the group's use of a Go-based SSH brute-forcing tool called Diicot Brute to compromise Linux hosts in a cryptojacking campaign. In April of this year, Akamai reported a revival of the 2021 activity, believed to have begun in October 2022, through which the cybercriminals are estimated to have earned $10,000. The attack chain was complex, involving multiple payloads that ultimately dropped a Monero cryptominer. Akamai researcher Stiv Kupchik observed enhancements in the group's capabilities, including an SSH worm module, improved reporting, more effective payload obfuscation, and a new LAN spreader module.

Diversified attack strategies and implications of Diicot's activities

A recent analysis by Cado Security reveals that Diicot is now deploying an easily available botnet agent called Cayosin. This malware shares traits with Qbot and Mirai, well-known threats in the cyber world. This development signals that the threat actor now has the means to execute DDoS attacks. Other activities pursued by the group include revealing information about competitive hacking groups (doxxing) and using Discord for command-and-control along with data extraction. Cado Security indicated that this agent specifically targets routers that use the Linux-based embedded operating system, OpenWrt. The adoption of Cayosin signals Diicot's readiness to diversify its attack strategies beyond cryptojacking, altering its approach based on the targets they encounter.

Mitigation strategies against Diicot and its cybercriminal techniques

The attack strategies employed by Diicot have remained fairly consistent. They mainly use their custom SSH brute-forcing tool to establish an initial access point, followed by dropping additional malware, including a Mirai variant and the crypto miner. The cyber group has a variety of tools at their disposal, including an internet scanner based on Zmap that can save the results of its operation to a text file, and an executable that retrieves and runs the SSH brute-forcer and internet scanner if they are not present in the system. To combat such attacks, organizations are advised to strengthen SSH security and enforce firewall rules to limit SSH access to particular IP addresses. As Cado Security pointed out, the campaign is primarily aimed at SSH servers exposed on the internet with password authentication enabled, using a rather limited and predictable list of username/password combinations.
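The two defensive points above (disable SSH password authentication on internet-facing hosts, and watch for a small, predictable credential list being sprayed from a single source) can be checked mechanically. The script below is an added example written for this article; it is not code from the article, from Cado Security or from any of the vendors cited. It audits an `sshd_config` text for the directives that leave password guessing open and counts failed-password attempts per source IP in OpenSSH auth-log lines. The config text and log lines are constructed for the demo, and the `audit_sshd_config`, `detect_bruteforce` and `parse_sshd_config` helper names are this example's own.

```python
"""Added example: SSH exposure audit and brute-force detection.

Not part of the article or of Cado Security's report. Sample config
and log lines below are constructed for the demo; source IPs use the
documentation ranges 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24.
"""
import re
from collections import defaultdict

# Values OpenSSH applies when a directive is absent (per sshd_config(5)).
SSHD_DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "maxauthtries": "6",
}

# Hardened values that close the password-guessing path the campaign uses.
HARDENED = {
    "passwordauthentication": "no",
    "permitrootlogin": "no",
    "maxauthtries": "3",
}

# Constructed: a config that leaves password auth and root login open.
WEAK_SSHD_CONFIG = """\
# constructed weak sshd_config
Port 22
PasswordAuthentication yes
PermitRootLogin yes
"""

# Constructed: the corrected counterpart (key-based auth only).
HARDENED_SSHD_CONFIG = """\
# constructed hardened sshd_config
Port 22
PasswordAuthentication no
PermitRootLogin no
MaxAuthTries 3
PubkeyAuthentication yes
"""

# Constructed OpenSSH auth-log lines: one source spraying a short
# predictable username list, one stray failure, one legitimate key login.
SAMPLE_AUTH_LOG = [
    "Jun 19 15:40:01 edge sshd[2101]: Failed password for invalid user admin from 203.0.113.10 port 51234 ssh2",
    "Jun 19 15:40:02 edge sshd[2102]: Failed password for root from 203.0.113.10 port 51235 ssh2",
    "Jun 19 15:40:03 edge sshd[2103]: Failed password for invalid user pi from 203.0.113.10 port 51236 ssh2",
    "Jun 19 15:40:04 edge sshd[2104]: Failed password for invalid user ubuntu from 203.0.113.10 port 51237 ssh2",
    "Jun 19 15:40:05 edge sshd[2105]: Failed password for invalid user test from 203.0.113.10 port 51238 ssh2",
    "Jun 19 15:40:06 edge sshd[2106]: Failed password for root from 203.0.113.10 port 51239 ssh2",
    "Jun 19 15:41:10 edge sshd[2110]: Failed password for root from 198.51.100.7 port 40001 ssh2",
    "Jun 19 15:41:30 edge sshd[2111]: Accepted publickey for ops from 192.0.2.5 port 52000 ssh2: ED25519 SHA256:<placeholder>",
]

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_sshd_config(text):
    """Map lower-cased directive -> value, keeping the first occurrence
    (sshd uses the first value it reads for a keyword)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf.setdefault(parts[0].lower(), parts[1].strip())
    return conf


def audit_sshd_config(text):
    """Return (directive, current, recommended) findings for weak settings."""
    conf = parse_sshd_config(text)
    current = {k: conf.get(k, v) for k, v in SSHD_DEFAULTS.items()}
    findings = []
    if current["passwordauthentication"].lower() != "no":
        findings.append(("PasswordAuthentication", current["passwordauthentication"], HARDENED["passwordauthentication"]))
    if current["permitrootlogin"].lower() == "yes":
        findings.append(("PermitRootLogin", current["permitrootlogin"], HARDENED["permitrootlogin"]))
    try:
        tries = int(current["maxauthtries"])
    except ValueError:
        tries = int(SSHD_DEFAULTS["maxauthtries"])
    if tries > int(HARDENED["maxauthtries"]):
        findings.append(("MaxAuthTries", current["maxauthtries"], HARDENED["maxauthtries"]))
    return findings


def detect_bruteforce(log_lines, threshold=5):
    """Count failed password logins per source IP; return sources at or above
    the threshold as (ip, attempts, sorted distinct usernames), busiest first."""
    attempts = defaultdict(int)
    users = defaultdict(set)
    for line in log_lines:
        m = FAILED_RE.search(line)
        if m:
            attempts[m["ip"]] += 1
            users[m["ip"]].add(m["user"])
    flagged = [(ip, n, sorted(users[ip])) for ip, n in attempts.items() if n >= threshold]
    return sorted(flagged, key=lambda t: -t[1])


if __name__ == "__main__":
    for directive, cur, rec in audit_sshd_config(WEAK_SSHD_CONFIG):
        print(f"weak: {directive} {cur}  ->  set {directive} {rec}")
    for ip, n, names in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(f"brute-force from {ip}: {n} failures, usernames tried: {names}")
```

The audit only covers the sshd side; the article's other recommendation, restricting SSH to specific source addresses, is enforced in the host or network firewall rather than in `sshd_config` and is not shown here. On a real host, `detect_bruteforce` would be fed `journalctl -u ssh` or `/var/log/auth.log` lines instead of the constructed list.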


06/19/2023 15:41

Marco Verro

