June 17, 2023 | Ravi Lakshmanan | cryptojacking / network security

Cybersecurity researchers have discovered a previously undocumented payload associated with the Romanian threat actor Diicot that could be used to launch distributed denial-of-service (DDoS) attacks.

“Diicot’s name means a lot: it is also the name of the Romanian Organized Crime and Counter-Terrorism Police Force,” Cado Security said in a technical report. “In addition, deliverables from the group’s campaigns include messages and images related to this organization.”

Diicot (née Mexals) was first documented by Bitdefender in July 2021, when it was found using a Go-based SSH brute-forcer tool called Diicot Brute to compromise Linux hosts as part of a cryptojacking campaign.

Then, in early April this year, Akamai revealed what it called a “resurrection” of the 2021 activity, which is believed to have begun around October 2022 and to have generated about $10,000 in illicit profits.


“The attackers use long chains of payloads before finally dropping the Monero cryptominer,” Akamai researcher Stiv Kupchik said at the time. “New features include use of the Secure Shell Protocol (SSH) worm module, improved reporting, improved payload obfuscation, and a new LAN spreader module.”

According to Cado Security’s latest analysis, the group is now also deploying Cayosin, a malware family that shares characteristics with Qbot and Mirai.

This development demonstrates the threat actor’s ability to launch DDoS attacks. Other activities carried out by the group include doxxing rival hacker groups and relying on Discord for command and control and data exfiltration.


“The deployment of this agent targeted routers running OpenWrt, a Linux-based embedded device operating system,” the cybersecurity firm said. “The use of Cayosin demonstrates Diicot’s willingness to carry out a variety of attacks (not just cryptojacking) depending on the type of target it encounters.”

Diicot’s compromise chain remains largely consistent, leveraging custom SSH brute-force utilities to gain a foothold and drop additional malware such as Mirai variants and cryptominers.

Some of the other tools the actor uses are:

  • Chrome – A Zmap-based internet scanner that writes its scan results to a text file (“bios.txt”).
  • Update – An executable that fetches and runs the SSH brute forcer and Chrome if they are not present on the system.
  • History – A shell script designed to run Update.

The SSH brute-forcer tool (aka aliases) parses Chrome’s text file output, attempts to compromise each identified IP address and, if successful, establishes a remote connection to that host.


It then runs a series of commands to profile the infected host and uses it either to deploy a cryptominer or, if the machine’s CPU has fewer than 4 cores, to act as a spreader.

To mitigate such attacks, organizations are advised to implement SSH hardening and firewall rules that restrict SSH access to specific IP addresses.

“This campaign specifically targets SSH servers exposed to the Internet with password authentication enabled,” Cado Security said. “The list of usernames and passwords they use is relatively limited and includes default credentials and easily guessed credential pairs.”
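As an added illustration of how a defender would spot the pattern the quote above describes (not code from the page or from Cado Security), the Python script below scans constructed sshd log lines for sources that fail many logins in a short window while cycling through default account names; the sample log, threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log excerpt (illustrative, not from the page or Cado's report).
# 203.0.113.10 cycles through default account names; 198.51.100.7 is a legitimate
# user who mistyped a password once.
SAMPLE_LOG = """\
Jun 17 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.10 port 51122 ssh2
Jun 17 10:01:03 host sshd[1202]: Failed password for invalid user admin from 203.0.113.10 port 51130 ssh2
Jun 17 10:01:04 host sshd[1203]: Failed password for invalid user pi from 203.0.113.10 port 51141 ssh2
Jun 17 10:01:05 host sshd[1204]: Failed password for invalid user ubuntu from 203.0.113.10 port 51150 ssh2
Jun 17 10:01:06 host sshd[1205]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Jun 17 10:03:40 host sshd[1210]: Failed password for alice from 198.51.100.7 port 40031 ssh2
Jun 17 11:30:00 host sshd[1300]: Failed password for root from 203.0.113.10 port 52000 ssh2
"""

FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_failures(log_text, year=2023):
    """Yield (timestamp, ip, user) for each failed-password line; syslog omits the year."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]

def find_bruteforcers(log_text, threshold=3, window_s=60, year=2023):
    """Return {ip: {"attempts": n, "users": [...]}} for sources with at least
    `threshold` failures inside any `window_s`-second window. A source that also
    tries several distinct usernames matches the scan-then-spray pattern above
    (a small list of default or easily guessed credential pairs)."""
    by_ip, users = defaultdict(list), defaultdict(set)
    for ts, ip, user in parse_failures(log_text, year):
        by_ip[ip].append(ts)
        users[ip].add(user)
    hits = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        best, start = 0, 0
        for end, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while (ts - stamps[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[ip] = {"attempts": best, "users": sorted(users[ip])}
    return hits

if __name__ == "__main__":
    for ip, info in find_bruteforcers(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} failures in 60s, users tried: {', '.join(info['users'])}")
```

Sources it flags are candidates for the firewall restrictions recommended above; the single failure from 198.51.100.7 stays below the threshold.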
