Romanian hackers are using a new brute-forcer “Diicot brute” to crack the passwords on Linux-based machines and plant cryptominer malware.
A cryptojacking gang based in Romania uses a unique SSH brute-forcer dubbed Diicot to crack weak passwords on Linux machines and install XMRig, a legitimate open-source miner that has been adapted for cryptojacking by various cybercriminals.
Bitdefender researchers, who have been tracking this actor, said the campaign is mainly focused on Monero mining, but the toolset can also be used to steal sensitive information from users and perform other nefarious actions.
The researchers said they connected the group to at least two DDoS botnets, which they described as a variant of the Linux DemonBot (aka “chernobyl”) and a Perl IRC bot.
Cryptojacking is a slow and tedious way to generate illicit income, which is why the actor uses a botnet to infect as many devices as possible.
“Owning multiple systems for mining is not cheap, so attackers try the next best thing: To remotely compromise devices and use them for mining instead,” according to the report.
The actor is after people who use weak and default passwords that are easily broken through brute-force.
“People are the simple reason why brute-forcing SSH credentials still works,” researchers wrote. “Hackers going after weak SSH credentials is not uncommon,” the report explained.
The tricky part is not necessarily brute-forcing passwords but rather doing it in a way that goes undetected, Bitdefender says.
The author of the Diicot tool claimed that it could filter out honeypots. However, Bitdefender researchers disproved that claim when they analyzed the malware.
The campaign is still active. It started in January and has not yet moved to the worm phase, according to Bitdefender.
“The IP addresses they originate from belong to a relatively small set, which tells us that the threat actors are not yet using compromised systems to propagate the malware (worm behavior).”
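The two observations above, that weak SSH credentials fall to brute-force and that the attempts originate from a small set of IP addresses, are both visible in a host's own sshd log. The following is an added example, not code from the Threatpost article or from Bitdefender's report: it parses constructed OpenSSH auth log lines, counts failed logins per source address, flags sources that exceed a threshold, and reports any source that was accepted by password after a run of failures, which is the signature of a brute-force that succeeded. The log lines, IP addresses and threshold are constructed sample values.

```python
"""Flag SSH brute-force activity in OpenSSH auth log lines (added example;
the log data below is constructed, not taken from the article)."""
import re
from collections import defaultdict

# Constructed sample of /var/log/auth.log style sshd entries.
SAMPLE_LOG = """\
Jun 10 03:12:01 host sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Jun 10 03:12:03 host sshd[2213]: Failed password for root from 203.0.113.7 port 51130 ssh2
Jun 10 03:12:04 host sshd[2215]: Failed password for root from 203.0.113.7 port 51134 ssh2
Jun 10 03:12:06 host sshd[2217]: Failed password for invalid user test from 203.0.113.7 port 51140 ssh2
Jun 10 03:12:08 host sshd[2219]: Failed password for root from 203.0.113.7 port 51150 ssh2
Jun 10 03:12:09 host sshd[2221]: Accepted password for root from 203.0.113.7 port 51152 ssh2
Jun 10 03:15:44 host sshd[2300]: Failed password for alice from 198.51.100.9 port 40011 ssh2
Jun 10 03:15:50 host sshd[2302]: Accepted publickey for alice from 198.51.100.9 port 40012 ssh2
Jun 10 03:20:00 host sshd[2400]: Failed password for invalid user oracle from 203.0.113.8 port 33001 ssh2
"""

# Matches both "Failed password for invalid user X from IP" and
# "Accepted publickey for X from IP" forms emitted by OpenSSH.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_auth_log(text):
    """Return a list of dicts (result, method, user, ip) for every sshd
    authentication line that matches; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def analyze(events, threshold=5):
    """Summarise authentication events per source IP.

    failures:      failed-login count per source IP
    usernames:     sorted list of usernames tried per source IP
    brute_forcers: IPs whose failure count reached the threshold
    compromised:   (ip, user) pairs accepted by *password* after the
                   source had already reached the threshold
    """
    failures = defaultdict(int)
    usernames = defaultdict(set)
    compromised = []
    for ev in events:  # events are processed in log order
        ip = ev["ip"]
        if ev["result"] == "Failed":
            failures[ip] += 1
            usernames[ip].add(ev["user"])
        elif ev["method"] == "password" and failures[ip] >= threshold:
            compromised.append((ip, ev["user"]))
    return {
        "failures": dict(failures),
        "usernames": {ip: sorted(u) for ip, u in usernames.items()},
        "brute_forcers": {ip for ip, n in failures.items() if n >= threshold},
        "compromised": compromised,
    }


if __name__ == "__main__":
    report = analyze(parse_auth_log(SAMPLE_LOG))
    print("distinct failing sources:", len(report["failures"]))
    for ip in sorted(report["brute_forcers"]):
        print(f"brute-force source {ip}: {report['failures'][ip]} failures, "
              f"users tried {report['usernames'][ip]}")
    for ip, user in report["compromised"]:
        print(f"ALERT: password login for {user!r} from {ip} after repeated failures")
```

A successful password login from a source that has just racked up failures is the event worth paging on; the number of distinct failing sources is the same signal Bitdefender used to conclude the campaign had not yet reached its worm phase. In production the threshold would be paired with a time window, and the parser pointed at the journal or auth.log rather than an embedded string.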
Bitdefender traced the actor to Romania by analyzing their tools and methods, which included heavy obfuscation with Bash scripts compiled with a shell script compiler (shc).
Security researchers revealed that threat actors used Discord to have the malware communicate back to them, an increasingly popular technique.
Joseph Carson, the head of security at cloud identity firm ThycoticCentrify, said that although the campaign uses a new brute-force tool, it is not sophisticated and is likely operated by a threat actor with minimal experience.
“The techniques being used have been shared too often on the darknet, making it easy for anyone with a computer and an internet connection to start a cryptojacking campaign,” he told Threatpost.