
Diicot: from cryptojacking to DDoS attacks

Romanian threat group extends its capabilities: new attack strategy details and defense advice


Cybersecurity researchers have identified previously undocumented workloads linked to Diicot, a Romanian threat group, highlighting the group's potential to launch Distributed Denial of Service (DDoS) attacks. The name Diicot has a certain relevance, as it coincides with the name of the Romanian police unit dedicated to the fight against organized crime and terrorism, as revealed by a technical report by Cado Security. Distinctive elements of this group's campaigns include messages and images associated with this police organization.

Diicot: history and techniques of attack

The Diicot group, originally known as Mexals, was first documented by Bitdefender in July 2021, which highlighted its use of a Go-based SSH brute-forcing tool called Diicot Brute. This tool was used to compromise Linux hosts in a cryptojacking campaign. Then, in April, Akamai reported what it described as a "resurgence" of the 2021 campaign, believed to have started around October 2022 and to have netted the group about $10,000 in ill-gotten profits. "Attackers run a long chain of workloads before finally releasing a Monero cryptominer," Akamai researcher Stiv Kupchik said at the time. "New features include the use of a Secure Shell Protocol (SSH) worm module, more detailed reporting, improved workload obfuscation, and a new LAN broadcasting module."

Expanding Diicot's capabilities: the use of botnets

Cado Security's most recent analysis reveals that the Diicot group is now implementing an off-the-shelf botnet called Cayosin, a family of malware that shares features with Qbot and Mirai. This development suggests that the threat group now has the ability to launch DDoS attacks. Other activities carried out by the group include doxxing rival hacker groups and using Discord for command and control and data exfiltration. "The deployment of this agent was targeted at routers running the Linux-based operating system for embedded devices, OpenWrt," the cybersecurity firm said. "The use of Cayosin demonstrates Diicot's willingness to conduct various types of attacks (not just cryptojacking) depending on the type of target encountered."

Diicot attack tools and mitigation recommendations

Diicot's compromise chains have remained largely constant: the custom SSH brute-forcing utility is used to gain a foothold and then drop additional malware such as the Mirai variant and the cryptominer. Other tools used by the group include Chrome, a Zmap-based internet scanner that saves its results to a text file ("bios.txt"); Update, an executable that fetches and runs the SSH brute-forcer and Chrome if they are not already present on the system; and History, a shell script that runs Update. The SSH brute-forcer, in turn, parses the IPs in Chrome's output file and attempts to log in to each one; on success it establishes a remote connection to that address. A series of commands then profiles the infected host and uses it either to deploy a cryptominer or, if the machine's CPU has fewer than four cores, to act as a spreader.
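The brute-forcer described above produces a recognisable trace on the victim side: a burst of failed password logins from one source, cycling through a short list of usernames, sometimes followed by an accepted password login from the same address. The following detection logic is an added example for this article, not code from the article or from Cado Security or Akamai; the auth.log lines it runs over are constructed samples (the IP addresses are documentation ranges, not indicators from the report), and the threshold and window values are assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the classic syslog auth.log format (not from the article).
SAMPLE_AUTH_LOG = """\
Jun 17 09:01:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 50110 ssh2
Jun 17 09:01:03 host sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 50112 ssh2
Jun 17 09:01:05 host sshd[1203]: Failed password for invalid user ubuntu from 203.0.113.5 port 50114 ssh2
Jun 17 09:01:07 host sshd[1204]: Failed password for invalid user pi from 203.0.113.5 port 50116 ssh2
Jun 17 09:01:09 host sshd[1205]: Failed password for root from 203.0.113.5 port 50118 ssh2
Jun 17 09:01:11 host sshd[1206]: Accepted password for root from 203.0.113.5 port 50120 ssh2
Jun 17 09:30:00 host sshd[1300]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Jun 17 09:30:20 host sshd[1301]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

# Matches both "Failed password for invalid user X" and "Accepted publickey for X".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Failed|Accepted)\s+(?P<method>password|publickey)\s+for\s+"
    r"(?:invalid user\s+)?(?P<user>\S+)\s+from\s+(?P<ip>[\d.]+)\s+port\s+\d+"
)


def parse_line(line, year=2023):
    """Parse one sshd auth line into a dict, or None if it is not a login event.
    Syslog lines carry no year, so the caller supplies one (assumption: 2023)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag source IPs that produced >= threshold failed password logins inside any
    window_seconds span, or an accepted password login after earlier failures."""
    events_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            events_by_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, events in events_by_ip.items():
        events.sort(key=lambda e: e["ts"])
        failures = [e for e in events if e["result"] == "Failed" and e["method"] == "password"]

        # Sliding window over the sorted failures: does any window hold >= threshold?
        burst = False
        for i in range(len(failures)):
            j = i
            while (j < len(failures)
                   and (failures[j]["ts"] - failures[i]["ts"]).total_seconds() <= window_seconds):
                j += 1
            if j - i >= threshold:
                burst = True
                break

        # A password login accepted from a source that was guessing is the worst case.
        success_after = any(
            e["result"] == "Accepted" and e["method"] == "password"
            and any(f["ts"] < e["ts"] for f in failures)
            for e in events
        )

        if burst or success_after:
            findings[ip] = {
                "failed_password_attempts": len(failures),
                "distinct_usernames": sorted({f["user"] for f in failures}),
                "burst": burst,
                "accepted_password_after_failures": success_after,
            }
    return findings


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, info)
```

On the constructed sample, 203.0.113.5 is flagged (five password failures across four usernames within eight seconds, then an accepted password login), while 198.51.100.7 is not: a single typo followed by a public-key login is normal user behaviour. The "accepted after failures" flag is the one worth paging on, since it marks a likely successful compromise rather than just noise.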

To mitigate such attacks, it is recommended that organizations implement SSH hardening and firewall rules to restrict SSH access to specific IP addresses. "This campaign specifically targets SSH servers exposed on the internet with password authentication enabled," Cado Security said. "The list of username/passwords they use is relatively limited and includes predefined and easily guessed pairs of credentials."
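The hardening advice above comes down to a handful of sshd_config directives plus a source-address restriction. The audit script below is an added example for this article, not code from the article or from Cado Security: it parses an sshd_config the way sshd does (first occurrence of a keyword wins, Match blocks ignored, which is an assumption that keeps the parser to global scope) and reports the settings that leave password brute-forcing possible. The two embedded configurations are constructed, weak and hardened, and the IP ranges in AllowUsers are documentation addresses.

```python
import re

# Constructed example of a weak sshd_config (not from the article).
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
"""

# Constructed hardened counterpart: keys only, no root, few tries, named users from named sources.
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowUsers deploy@203.0.113.0/24 ops@198.51.100.10
"""


def parse_sshd_config(text):
    """Return the effective global directives as {lowercased keyword: value}.
    sshd honours the first occurrence of a keyword, so later duplicates are ignored;
    everything after a Match line is skipped (assumption: global scope is what we audit)."""
    directives = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        directives.setdefault(key, value)
    return directives


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the checked directives are hardened.
    Defaults used when a directive is absent are sshd's own: PasswordAuthentication yes,
    PermitRootLogin prohibit-password, MaxAuthTries 6."""
    d = parse_sshd_config(text)
    findings = []
    if d.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is enabled; credential guessing is possible. "
                        "Set 'PasswordAuthentication no' and use key-based logins.")
    if d.get("permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append("PermitRootLogin yes exposes the root account to direct guessing. "
                        "Set 'PermitRootLogin no'.")
    if int(d.get("maxauthtries", "6")) > 3:
        findings.append("MaxAuthTries above 3 gives each connection extra guesses. "
                        "Set 'MaxAuthTries 3'.")
    if "allowusers" not in d and "allowgroups" not in d:
        findings.append("No AllowUsers/AllowGroups restriction; every account is a valid target. "
                        "Restrict to named users, optionally as user@source-address.")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"== {name} ==")
        for f in audit_sshd_config(cfg) or ["no findings"]:
            print(" -", f)
```

The user@host form of AllowUsers is the in-daemon complement to the firewall rule the article recommends: the firewall stops the TCP connection from unexpected sources, and AllowUsers ensures that even a connection that does arrive can only authenticate as the accounts expected from that source. Run the script against `/etc/ssh/sshd_config` (for example by reading the file into `audit_sshd_config`) before exposing a host, and again after any configuration management change.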


06/17/2023 09:29

Editorial AI
