A threat group probably based in Romania and active since at least 2020 has been behind a recent cryptojacking campaign targeting Linux-based machines with a previously undocumented SSH brute-forcing tool written in Golang.
Named "Diicot brute," the credential-cracking tool is believed to be distributed under a software-as-a-service model, with each threat actor generating their own API key to carry out intrusions, Bitdefender researchers said in a report published last week.
While the gang's main aim is to deploy Monero mining malware on devices it compromises remotely through brute-force attacks, the researchers also linked the campaign to at least two DDoS botnets, including a Demonbot variant known as Chernobyl and a Perl IRC bot, with the XMRig mining payloads hosted on a domain known as mexalz[.]us since February 2021.
What Did the Romanian Security Firm Say?
The Romanian cybersecurity company said it began investigating the group's activities in May 2021, leading to the subsequent discovery of the adversary's attack infrastructure and toolkit.
The gang is also known for relying on a bag of obfuscation tricks that let it stay under the radar. To that end, its Bash scripts are compiled with a shell script compiler known as shc, and the attack chain has been found to leverage Discord to report data back to a channel under the attackers' control, a tactic that has become increasingly common among threat actors for command-and-control communication and detection evasion.
Using Discord as a data exfiltration platform also removes the need for threat actors to host their own command-and-control server, not to mention that it supports the growth of communities centered on buying and selling malware source code and services.
No Shortage of Weak Passwords for Linux Machines
Weak credentials are no surprise: Default usernames and passwords, or weak passwords that can easily be cracked through brute-forcing, are everywhere and an unfortunate given in security.
"Hackers going after weak SSH passwords are not uncommon," the report explained. The tricky part is not necessarily brute-forcing passwords but rather "doing it in a way that lets attackers go undetected," according to the researchers.
As the researchers explained, the author of the Diicot brute tool claimed that it can filter out honeypots. Maybe so, but "this research is proof that it doesn't, or at least it could not avoid ours," they noted.
Bitdefender's honeypot data shows that attacks matching the brute-force tool's signature began in January. The gang is not yet pulling the worm move of propagating from compromised systems, the researchers said. "The IP addresses they attack from belong to a relatively small set, which tells us that the threat actors are not yet using compromised systems to propagate the malware."
"Attackers going after weak SSH passwords are not uncommon," the researchers said. "One of the biggest problems in security is default usernames and passwords, or weak credentials hackers can overcome easily with brute force. The tricky part is not necessarily brute-forcing those passwords but doing it in a way that lets threat actors go undetected."
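The behaviour described above (bursts of failed SSH password attempts from a small set of source addresses, sometimes followed by a successful login) is what a defender would hunt for in sshd logs. The script below is an added example, not code from Bitdefender's report or from the Diicot tool: it parses standard syslog-format sshd lines, groups failed password attempts per source IP with a sliding time window, and flags sources whose failure count crosses a threshold, noting whether the burst was followed by an accepted login from the same IP. The log lines, IP addresses (from RFC 5737 documentation ranges), threshold and window are constructed for illustration and are assumptions, not data from the campaign.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines (syslog format). Not real data from the campaign.
SAMPLE_AUTH_LOG = """\
Jun 20 10:01:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 41022 ssh2
Jun 20 10:01:02 host sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 41030 ssh2
Jun 20 10:01:03 host sshd[1205]: Failed password for invalid user ubuntu from 203.0.113.5 port 41041 ssh2
Jun 20 10:01:04 host sshd[1207]: Failed password for root from 203.0.113.5 port 41052 ssh2
Jun 20 10:01:05 host sshd[1209]: Failed password for invalid user test from 203.0.113.5 port 41060 ssh2
Jun 20 10:01:06 host sshd[1211]: Failed password for root from 203.0.113.5 port 41071 ssh2
Jun 20 10:01:30 host sshd[1220]: Accepted password for root from 203.0.113.5 port 41100 ssh2
Jun 20 10:05:00 host sshd[1300]: Failed password for alice from 198.51.100.7 port 50000 ssh2
Jun 20 10:05:20 host sshd[1302]: Accepted publickey for alice from 198.51.100.7 port 50001 ssh2
Jun 20 10:30:00 host sshd[1400]: Failed password for root from 203.0.113.9 port 60000 ssh2
Jun 20 10:30:01 host sshd[1402]: Failed password for root from 203.0.113.9 port 60001 ssh2
Jun 20 10:30:02 host sshd[1404]: Failed password for invalid user oracle from 203.0.113.9 port 60002 ssh2
Jun 20 10:30:03 host sshd[1406]: Failed password for invalid user pi from 203.0.113.9 port 60003 ssh2
Jun 20 10:30:04 host sshd[1408]: Failed password for root from 203.0.113.9 port 60004 ssh2
"""

# Matches the two sshd outcome lines that matter here: "Failed ..." and "Accepted ...".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_line(line, year=2021):
    """Parse one sshd syslog line into a dict, or return None for lines we do not care about.
    Syslog timestamps carry no year, so the caller supplies one (assumed 2021 here)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=2)):
    """Return {source_ip: finding} for every source with at least `threshold` failed
    password attempts inside any `window`-long span. Each finding records the total
    failure count, the usernames tried, and whether an 'Accepted' login from the same
    IP occurred after the first failure (the case that warrants an immediate alert)."""
    events_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            events_by_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, events in events_by_ip.items():
        failures = sorted(
            (e for e in events if e["result"] == "Failed" and e["method"] == "password"),
            key=lambda e: e["ts"],
        )
        # Sliding window over the sorted failure timestamps.
        start = 0
        for end in range(len(failures)):
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                first_failure = failures[0]["ts"]
                success_after = any(
                    e["result"] == "Accepted" and e["ts"] >= first_failure for e in events
                )
                findings[ip] = {
                    "failures": len(failures),
                    "usernames": sorted({e["user"] for e in failures}),
                    "followed_by_success": success_after,
                }
                break
    return findings


if __name__ == "__main__":
    for ip, f in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        severity = "CRITICAL" if f["followed_by_success"] else "warning"
        print(f"[{severity}] {ip}: {f['failures']} failed password attempts, "
              f"users tried: {', '.join(f['usernames'])}")
```

On the constructed sample this flags 203.0.113.5 (six failures in five seconds, then an accepted root password login, which should be treated as a likely compromise) and 203.0.113.9 (five failures, no success), while the single typo-like failure from 198.51.100.7 stays below threshold. Counting only `password` failures keeps key-based logins out of the tally, and reporting the distinct set of flagged sources is what lets a defender spot the "relatively small set" of attacking addresses the researchers describe.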