UPDATED 06:00 EDT / JUNE 15 2023

SECURITY

Romanian threat actor ‘Diicot’ expands activities beyond cryptojacking in latest campaign

A new report from cloud forensics and incident response platform startup Cado Security Ltd. warns that an emerging Romanian threat actor named Diicot, formerly known as Mexals, is running a new campaign that uses previously unreported brute-forcing malware payloads.

Diicot, previously known for conducting cryptojacking campaigns and offering malware-as-a-service, has been active since at least 2020. Notably, artifacts from its campaigns reveal a connection to Romanian organized crime and to an anti-terrorism policing unit that is also named Diicot.

Cado Labs’ researchers have found evidence of Diicot deploying an off-the-shelf Mirai-based botnet agent named Cayosin. The agent specifically targets routers running OpenWrt, the Linux-based operating system for embedded devices. The deployment of Cayosin is said to indicate Diicot’s versatility, since the group is willing to engage in various types of attacks beyond cryptojacking.

The report takes an interesting twist, as the researchers found that one of Diicot’s servers includes a Romanian-language doxing video featuring a feud between the group and other online personas. The find is said to suggest that Diicot is actively involved in exposing personal details, including photographs, home addresses and full names of individuals, in addition to their other malicious activities.

Diicot’s latest campaign reveals a concerning escalation in its activities. Through the discovery of previously unreported brute-forcing malware payloads, Diicot has demonstrated its intention to target SSH servers with password authentication enabled. The ongoing campaign uses a limited list of username/password pairs, including default and easily guessed credentials.

The researchers note that analyzing Diicot’s campaign was laborious because of the convoluted execution chain and basic obfuscation techniques the gang uses. However, its payloads often exhibit noisy behavior, making them detectable with proper network monitoring.

Given the serious nature of Diicot’s activities, the report notes that it’s crucial for organizations to implement effective countermeasures.

Cado Labs recommends basic SSH hardening measures, such as mandating key-based authentication for SSH instances. Organizations should also implement firewall rules that restrict SSH access to specific IP addresses, which significantly strengthens defenses against this malware family.
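As an added example (not from the Cado report), the following Python check resolves the effective global settings of an sshd_config and flags the password-authentication exposure this campaign relies on. The sample configs are constructed; the check assumes OpenSSH keyword semantics (first value wins, lines after a Match block are conditional).

```python
import re

# Effective defaults when a keyword is absent, per sshd_config(5).
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}

def effective_settings(config_text):
    """Resolve global sshd settings: first value wins, Match blocks are conditional."""
    settings = dict(DEFAULTS)
    seen = set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":                             # everything after Match is conditional
            break
        if key in DEFAULTS and key not in seen:        # sshd keeps the first occurrence
            settings[key] = value
            seen.add(key)
    return settings

def audit_sshd_config(config_text):
    """Return findings as strings; an empty list means no password exposure was found."""
    s = effective_settings(config_text)
    findings = []
    if s["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication yes: credential brute-forcing is possible")
    if s["kbdinteractiveauthentication"] == "yes":
        findings.append("KbdInteractiveAuthentication yes: PAM may still accept passwords")
    if s["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root is reachable with a password")
    return findings

# Constructed sample configs (not taken from any real host).
WEAK_CONFIG = """PermitRootLogin yes
PasswordAuthentication yes
"""
HARDENED_CONFIG = """PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
PasswordAuthentication yes   # ignored: sshd keeps the first value it saw
"""
```

Run it against `/etc/ssh/sshd_config` on a host you administer; any finding means the host still accepts the kind of password guessing described above.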

Image: Bing Image Creator
