{"id":2567,"date":"2021-07-19T20:42:11","date_gmt":"2021-07-19T15:12:11","guid":{"rendered":"https:\/\/xiarch.com\/blog\/?p=2567"},"modified":"2021-07-19T20:42:13","modified_gmt":"2021-07-19T15:12:13","slug":"researchers-alert-of-linux-cryptojacking-attackers-running-from-romania","status":"publish","type":"post","link":"https:\/\/xiarch.com\/blog\/researchers-alert-of-linux-cryptojacking-attackers-running-from-romania\/","title":{"rendered":"Researchers Alert of Linux Cryptojacking Attackers Running from Romania"},"content":{"rendered":"\n<p style=\"text-align: justify;\">A threat group, probably based in Romania and active since at least 2020, has been behind a recent cryptojacking campaign targeting Linux-based machines with a previously undocumented SSH brute-forcer written in Golang.<\/p>\n\n\n\n<p style=\"text-align: justify;\">Named \u201cDiicot brute,\u201d the credential-cracking tool is believed to be distributed under a software-as-a-service model, with each threat actor generating their own unique API key to carry out intrusions, Bitdefender researchers said in a report published last week.<\/p>\n\n\n\n<p style=\"text-align: justify;\">While the gang\u2019s main goal is to deploy Monero mining malware by remotely compromising devices through brute-force attacks, the researchers also linked the campaign to at least two DDoS botnets, including a Demonbot variant known as Chernobyl and a Perl IRC bot, with the XMRig mining payloads hosted on a domain known as mexalz[.]us since February 2021.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"728\" height=\"583\" src=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/07\/Researchers-Alert-of-Linux-Cryptojacking-Attackers-Running-from-Romania-image1.jpg\" alt=\"Researchers-Alert-of-Linux-Cryptojacking-Attackers-Running-from-Romania-image1\" class=\"wp-image-2570\" srcset=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/07\/Researchers-Alert-of-Linux-Cryptojacking-Attackers-Running-from-Romania-image1.jpg 728w, https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/07\/Researchers-Alert-of-Linux-Cryptojacking-Attackers-Running-from-Romania-image1-300x240.jpg 300w\" sizes=\"(max-width: 728px) 100vw, 728px\" \/><\/figure><\/div>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>What Did the Romanian Company Say?<\/strong><\/h2>\n\n\n\n<p style=\"text-align: justify;\">The Romanian cybersecurity company said it began researching the group\u2019s activities in May 2021, leading to the subsequent discovery of the adversary\u2019s attack infrastructure and toolkit.<\/p>\n\n\n\n<p style=\"text-align: justify;\">The gang is also known for relying on a bag of obfuscation tricks that let it stay under the radar. To that end, its Bash scripts are compiled with a shell script compiler known as shc, and the attack chain has been found to leverage Discord to report data back to a channel under the attackers\u2019 control, a tactic that has become increasingly common among threat actors for command-and-control communication and for evading security tooling.<\/p>\n\n\n\n<p style=\"text-align: justify;\">Using Discord as a data exfiltration platform also removes the need for threat actors to host their own command-and-control server, not to mention that it enables communities centered on buying and selling malware source code and services.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>No Shortage of Weak Passwords on Linux Machines<\/strong><\/h2>\n\n\n\n<p style=\"text-align: justify;\">Weak credentials are no surprise: default usernames and passwords, or weak passwords that can easily be cracked by brute force, are everywhere and an unfortunate given in security.<\/p>\n\n\n\n<p style=\"text-align: justify;\">\u201cHackers going after weak SSH passwords are not uncommon,\u201d the report explained. The hard part is not necessarily brute-forcing the passwords but rather \u201cdoing it in a way that lets attackers go undetected,\u201d according to the researchers.<\/p>\n\n\n\n<p style=\"text-align: justify;\">As the researchers explained, the author of the Diicot brute tool claims that it can filter out honeypots. Maybe so, but \u201cthis research is proof that it doesn\u2019t, or at least it could not avoid ours,\u201d they noted.<\/p>\n\n\n\n<p style=\"text-align: justify;\">Bitdefender\u2019s honeypot data shows that attacks matching the brute-force tool\u2019s signature began in January. The gang is not yet making the worm-like move of propagating from compromised systems, they said. \u201cThe IP addresses they come from belong to a relatively small set, which tells us that the threat actors are not yet using compromised systems to propagate the malware.\u201d<\/p>\n\n\n\n<p style=\"text-align: justify;\">\u201cAttackers going after weak SSH passwords are not uncommon,\u201d the researchers said. \u201cThe considerable problems in security are default usernames and passwords, or weak credentials hackers can overcome easily with brute force. The tedious part is not necessarily brute-forcing those passwords but doing it in a way that lets threat actors go undetected.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A threat group probably situated in Romania and active since at least 2020 has been behind a recent cryptojacking campaign targeting Linux-based machines with a previously undocumented SSH brute-force written in Golang. 
Named \u201cDiicot brute,\u201d the credential cracking tool is supposed to be distributed using a software-as-a-service model, with each threat attacker creating their unique [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":2569,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[5],"tags":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.11 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Researchers Alert of Linux Cryptojacking Attackers Running from Romania - Xiarch Solutions Private Limited<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/xiarch.com\/blog\/researchers-alert-of-linux-cryptojacking-attackers-running-from-romania\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Researchers Alert of Linux Cryptojacking Attackers Running from Romania - Xiarch Solutions Private Limited\" \/>\n<meta property=\"og:description\" content=\"A threat group probably situated in Romania and active since at least 2020 has been behind a recent cryptojacking campaign targeting Linux-based machines with a previously undocumented SSH brute-force written in Golang. 
Named \u201cDiicot brute,\u201d the credential cracking tool is supposed to be distributed using a software-as-a-service model, with each threat attacker creating their unique [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/xiarch.com\/blog\/researchers-alert-of-linux-cryptojacking-attackers-running-from-romania\/\" \/>\n<meta property=\"og:site_name\" content=\"Xiarch Solutions Private Limited\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/xiarch\/\" \/>\n<meta property=\"article:published_time\" content=\"2021-07-19T15:12:11+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-07-19T15:12:13+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/07\/Researchers-Alert-of-Linux-Cryptojacking-Attackers-Running-from-Romania-feature-image.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1000\" \/>\n\t<meta property=\"og:image:height\" content=\"525\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Xiarch Security\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@xiarch\" \/>\n<meta name=\"twitter:site\" content=\"@xiarch\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Xiarch Security\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/xiarch.com\/blog\/researchers-alert-of-linux-cryptojacking-attackers-running-from-romania\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/researchers-alert-of-linux-cryptojacking-attackers-running-from-romania\/\"},\"author\":{\"name\":\"Xiarch Security\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\"},\"headline\":\"Researchers Alert of Linux Cryptojacking Attackers Running from Romania\",\"datePublished\":\"2021-07-19T15:12:11+00:00\",\"dateModified\":\"2021-07-19T15:12:13+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/xiarch.com\/blog\/researchers-alert-of-linux-cryptojacking-attackers-running-from-romania\/\"},\"wordCount\":522,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"articleSection\":[\"Breaches\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/xiarch.com\/blog\/researchers-alert-of-linux-cryptojacking-attackers-running-from-romania\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/xiarch.com\/blog\/researchers-alert-of-linux-cryptojacking-attackers-running-from-romania\/\",\"url\":\"https:\/\/xiarch.com\/blog\/researchers-alert-of-linux-cryptojacking-attackers-running-from-romania\/\",\"name\":\"Researchers Alert of Linux Cryptojacking Attackers Running from Romania - Xiarch Solutions Private 
Limited\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#website\"},\"datePublished\":\"2021-07-19T15:12:11+00:00\",\"dateModified\":\"2021-07-19T15:12:13+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/xiarch.com\/blog\/researchers-alert-of-linux-cryptojacking-attackers-running-from-romania\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/xiarch.com\/blog\/researchers-alert-of-linux-cryptojacking-attackers-running-from-romania\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/xiarch.com\/blog\/researchers-alert-of-linux-cryptojacking-attackers-running-from-romania\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/xiarch.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Researchers Alert of Linux Cryptojacking Attackers Running from Romania\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/xiarch.com\/blog\/#website\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"name\":\"Xiarch Solutions Private Limited\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/xiarch.com\/blog\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\",\"name\":\"Xiarch\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"contentUrl\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"width\":300,\"height\":300,\"caption\":\"Xiarch\"},\"image\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/xiarch\/\",\"https:\/\/twitter.com\/xiarch\",\"https:\/\/www.linkedin.com\/company\/xiarch\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\",\"name\":\"Xiarch Security\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"caption\":\"Xiarch Security\"},\"sameAs\":[\"https:\/\/xiarch.com\/blog\/\"],\"url\":\"https:\/\/xiarch.com\/blog\/author\/vector\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->"}