Researchers from Cado Labs reported that an emerging Romanian threat actor called Diicot is utilizing unique TTPs (Tactics, Techniques, and Procedures) and an interesting attack pattern to target victims.
The researchers noted that the group has been using brute-force malware whose payloads have neither been publicly reported nor appeared in common repositories.
About Diicot Threat Group
Diicot, previously known as Mexals, is a relatively new threat group that possesses extensive technical knowledge and has a broad range of objectives. Diicot shares its new name with the Romanian anti-terrorism policing unit and uses the same style of messaging and imagery.
Previous research by Akamai and Bitdefender reveals that Diicot has been active since 2020 and mainly conducts cryptojacking campaigns or creates malware for malware-as-a-service (MaaS).
According to Cado Labs’ research, in its new campaign, Diicot has deployed the Cayosin botnet, while one of its prime targets is the internet-exposed SSH servers with password authentication enabled. Interestingly, their username and password list is pretty restrictive, including only default or easy-to-guess credentials.
Examining Diicot’s Unique TTPs
Diicot heavily relies on the Shell Script Compiler to make loader scripts difficult to analyze. Additionally, they pack payloads with a custom version of UPX, using a modified header with the byte sequence 0x59545399.
A UPX header prevents unpacking through the standard command (upx -d), but it can be circumvented via the upx dex utility created by Akamai’s Larry Cashdollar, and the sequence can be identified by detection tools.
Furthermore, Diicot frequently uses Discord to establish C2 because it supports HTTP POST requests to a webhook URL. The group includes Snowflake timestamps in the links, allowing for data exfiltration and viewing campaign statistics and creation dates within a given channel.
In their blog post, Cado researchers revealed that they identified four different channels that Diicot used in this campaign. Deploying Cayosin botnet, an off-the-shelf Mirai-based botnet agent to target routers running the Linux-based OS OpenWRT is a newly adopted tactic, indicating that the group changes its attack style after examining its targets.
Generally, Diicot group’s campaigns have a long execution chain in which payloads and outputs share an interdependent relationship. Shc executables act as loaders that prepare the system for mining via a custom XMRig version.
Initial access is achieved by a custom, Golang-based 64-bit SSH brute-forcing tool called “aliases.” It ingests a list of IP addresses and credential pairs to be targeted for conducting the attack. In case “aliases” encounters an OpenWrt router, a Mirai-style spreader script called “bins.sh” is launched to retrieve the Cayosin botnet agent’s binaries (multiple 32-bit ELF binaries).
SHC also runs a shell script for cryptocurrency mining by changing the password into a hardcoded value and installing XMRig if the system has more than four processor cores and the user ID is equal to 0 (root). If the user is not root, the payload generates a password through the date command, sha256sum, and base64.
The first 8 characters of the result are used as the password. Diicor registers its SSH key after executing the miner to maintain system access and creates a simple script to relaunch the miner if it stops running. Users must implement SSH hardenings, such as key-based authentication for SSH instances and firewall rules, to limit their access to IPs.
On the other hand, Akamai’s researchers claim that Diicot is still exploring ways to deploy it and can now also conduct DDoS attacks. When Diicot’s servers were examined, a doxxing video in the Romanian language was also discovered, showing a dispute between Diicot and the group’s online personas owned by rival hacking group members.
In that video, the personal details of these members, including photos, full names, online handles, and home addresses, are mentioned.