A cybercriminal group calling itself Diicot is performing mass SSH brute-force scanning and deploying a variant of the Mirai IoT botnet on compromised devices, according to researchers. The group also deploys a cryptocurrency mining payload on servers with CPUs that have more than four cores.
“Although Diicot have traditionally been associated with cryptojacking campaigns, Cado Labs discovered evidence of the group deploying an off-the-shelf Mirai-based botnet agent, named Cayosin,” researchers from Cado Security said in an analysis of the group's recent and ongoing attack campaign. "Deployment of this agent was targeted at routers running the Linux-based embedded devices operating system, OpenWrt.”
What is Diicot?
The Diicot group has been around since at least 2021 and used to be called Mexals. Researchers have strong indications that the group is based in Romania after investigating strings found in its malware payloads, scripts, and messages against rival hacker groups.
Even its new name mimics the acronym for the Directorate for Investigating Organized Crime and Terrorism (DIICOT) a Romanian law-enforcement agency that also investigates and prosecutes cybercrime under its organised crime fighting mandate.
In past campaigns, first documented by antivirus firm Bitdefender in 2021, the group's main focus has been cryptojacking — the practice of hijacking computing power for cryptocurrency mining.
The group used to target Linux servers with weak SSH credentials by using custom and centralised mass scanning and brute-force script that tried various usernames and password combinations. If a server was successfully compromised, the group deployed a custom version of the open-source XMRig software to mine Monero.
The group's campaigns continued, but earlier this year researchers from Akamai noted the group's name change and the diversification of its attack toolkit, adding an SSH worm written in Golang and the deployment of a Mirai variant called Cayosin.
Mirai was a self-propagating botnet designed to infect embedded networking devices that originally appeared in 2016 and was responsible for some of the largest DDoS attacks observed at the time. The botnet's source code was later published online, allowing cybercriminals to develop many other improved variants based on it.
Diicot's latest attack campaign
The attack campaign investigated by Cado Security uses many of the same tactics documented by Bitdefender and Akamai and appears to have started in April 2023, when the Discord server used for command-and-control was created.
The attack starts with the Golang SSH brute-forcing tool that the group calls aliases. This tool takes a list of target IP addresses and username/password pairs and then attempts to brute-force authentication.
If the compromised system runs OpenWRT, a Linux-based open-source operating system for networking devices such as routers, the attackers will deploy a script called bins.sh that's responsible for determining the device CPU architecture and deploying a Cayosin binary compiled for that architecture under the name cutie.arch.
If the system is not running OpenWRT, the aliases tool deploys one of several Linux binary payloads created with an open-source tool called the shell script compiler (SHC) tool and packed with UPX. All these payloads serve as malware loaders and prepare the system for the deployment of the XMRig variant.
Script checks for systems with four or more CPU cores
One of the SHC payloads is actually named “payload” and executes a bash script that checks if the system has four CPU cores before deploying XMRig. The script also changes the password for the current user it's executed under. If the user is root, the password is set to a hardcoded value, but if it's not, the password is generated dynamically from the current date.
Payload also deploys another SHC executable called .diicot that adds an attacker-controlled SSH key to the current user to ensure future access and makes sure the SSH service is running and registered as a service.
The script then proceeds to download the custom XMRig variant and save it with the name Opera along with its configuration file. It also creates a cron script to check for and relaunch the Opera process if it's not running.
The payload tool downloads another SHC executable called “update” that deploys the alias’s brute-force tool on the system and a copy of the Zmap network scanner under the name “chrome.” The update executable also deploys a shell script called “history” that executes Update itself and then creates a cron script that ensures the history and chrome executables are running on the system.
Diicot employs tools for more than just cryptojacking
The chrome Zmap scanner is run against a network block generated by the update tool and saves the results in a file called bios.txt. The targets in this file are then used by aliases to perform SSH brute-force attacks along with a list of usernames and passwords that the Update tool also generates.
“The use of Cayosin demonstrates Diicot’s willingness to conduct a variety of attacks (not just cryptojacking) depending on the type of targets they encounter,” the Cado researchers said.
"This finding is consistent with Akamai’s research, suggesting that the group is still investing engineering effort into deploying Cayosin. In doing so, Diicot have gained the ability to conduct DDoS attacks, as this is the primary objective of Cayosin according to previous reporting.”
Organisations should ensure that they implement basic SSH hardening for their servers. This means using key-based authentication instead of passwords and using firewall rules to restrict SSH access to only trusted IP addresses. Detecting Diicot scanning originating from a system should be straightforward at the network level as it is quite noisy, the researchers said.